List: snort-users
Subject: Re: [Snort-users] Snort rules TTP reference
From: "Joel Esler (jesler) via Snort-users" <snort-users () lists ! snort ! org>
Date: 2021-07-19 15:08:46
Message-ID: 4E9EC390-1C09-4BBA-BC5D-F72D4265DFFF () cisco ! com

Garv,

Not all of them have been filled out yet. We implemented this process a couple years ago, so most of the documentation created since then has the Mitre references, but all of the legacy rules are being done on an as-needed basis.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | https://www.clamav.net

> On Jul 19, 2021, at 9:52 AM, Garv Sachdeva via Snort-users <snort-users@lists.snort.org> wrote:
>
> Hey Snort team,
>
> Going by the rule docs on the portal snort.org <http://snort.org/>, not every rule has an ascertained Mitre TTP reference; is it that the rest map to multiple TTPs or none at all?
>
> Thanks
> Garv