Skip to content

Latest commit

 

History

History
98 lines (91 loc) · 3.03 KB

01.ipv4_cidr.md

File metadata and controls

98 lines (91 loc) · 3.03 KB
Raw

IPv4 CIDR Block Example

An IPv4 CIDR with associated COA with an explicit copy of the indicator value to block in the same bundle.

The OpenC2 object does not specify destination IP, source and dest ports or application and its assumed that means to OpenC2 those values are ‘any’. The where and direction are also guesses at the correct OpenC2 syntax.

(Note to OpenC2 - we should address STIX uncertainty on what in OpenC2 by making sure we have those targets/specifiers/options they need and then telling them where to find them).

{
  "type": "bundle",
  "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
  "spec_version": "2.1",
  "objects": [
    {
      "type": "identity",
      "name": "ACME Corp, Inc.",
      "identity_class": "organization",
      "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
    },
    {
      "type": "indicator",
      "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:03:48.000Z",
      "modified": "2016-04-06T20:03:48.000Z",
      "labels": [
        "Malicious CIDR C2 Hosting Network"
      ],
      "name": "Bad IP CIDR-198",
      "description": "This indicator should be blocked due to known malicious activity",
      "pattern": "[ ipv4-addr:value: '198.51.100.0/24' ]",
      "valid_from": "2016-01-01T00:00:00Z"
    },
    {
      "type": "course-of-action",
      "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:03:48.000Z",
      "modified": "2016-04-06T20:03:48.000Z",
      "name": "COA-Block CIDR-198",
      "description": "Block outbound or inbound traffic to & from known bad CIDR",
      "action-steps": [
         {
           "type": "openc2",
           "name" : "1",
           "object": {
              "action": "deny",
              "target" : {
                "network_traffic": { 
                  "src_ip": "198.51.100.0/24",
                 },
              }
              "target-options": {
                 "where": "perimeter",
                 "direction": "inbound-interfaces"
              }
           }
        },
        {
           "type": "openc2",
           "name" : "2",
           "object": {
              "action": "deny",
              "target" : {
                "network_traffic": { 
                  "dst_ip": "198.51.100.0/24",
                 },
              }
              "target-options" {
                 "where": "perimeter",
                 "direction": "outbound-interfaces"
              }
           }
        }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--b61fc7f5-db9d-46e0-9724-46b4e7ca496f",
      "created": "2016-04-06T20:03:48.000Z",
      "modified": "2016-04-06T20:03:48.000Z",
      "relationship_type": "mitigates",
      "source_ref": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "target_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
    }
  ]
}