
List:       snort-users
Subject:    Re: [Snort-users] Snort rules TTP reference
From:       "Joel Esler \(jesler\) via Snort-users" <snort-users () lists ! snort ! org>
Date:       2021-07-19 15:08:46
Message-ID: 4E9EC390-1C09-4BBA-BC5D-F72D4265DFFF () cisco ! com


Garv,

Not all of them have been filled out yet.  We implemented this process a couple
years ago, so most of the documentation created since then has the Mitre
references, but all of the legacy rules are being done on an as-needed basis.

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | https://www.clamav.net 

> On Jul 19, 2021, at 9:52 AM, Garv Sachdeva via Snort-users
> <snort-users@lists.snort.org> wrote:
> Hey Snort team,
> 
> Going by the rule docs on the portal snort.org <http://snort.org/>, not every
> rule has an ascertained Mitre TTP reference, is it that the rest maps to
> multiple TTPs or none at all?
> Thanks
> Garv
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> 
> 	To unsubscribe, send an email to:
> 	snort-users-leave@lists.snort.org
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette






