Determine Patterning Language Syntax #422
Description
We need to determine the syntax of the CybOX (?) patterning language that will be replacing the existing patterning structures. As previously discussed, a starting point could be to adopt a YARA-like syntax:
"pattern": {
"type": "twigs",
"base64": "false",
"content_type: "application/json",
"charset": "utf-8",
"properties": [
"$prop1": {
"key":"FileObject:hashes/hash/simple_hash_value",
"operator":"equals",
"value":"c38862b4835729d979e7940d72a48172"
},
"$prop2": {
"key":"FileObject:file_name",
"operator":"contains",
"value":"abcd.dll"
},
"$prop3": {
"key":"WinRegistryKeyObject:key",
"operator":"equals", "value":".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{19127AD2-394B-70F5-C650-B97867BAA1F7"
},
"$prop4": {
"key":"WinRegistryKeyObject:hive",
"operator":"equals",
"value":"HKEY_USERS"
}
"$prop5": {
"key":"IPv4AddressObject:hive",
"operator":"equals",
"value":"1.2.3.4"
}
],
"condition": "($prop1 AND $prop2) OR ($prop3 AND $prop4) FOLLOWED_BY $prop5 WITHIN 15 MINS"
}