Decode STIX package Intel to Snort Detection Rules using Generative AI

Abstract

Category: Data Enrichment and Threat Intelligence

Cyware Products Used:

  • Intel Exchange

  • Collaborate

  • Orchestrate

Third-party Integrations Used:

  • OpenAI: Generative AI to decode STIX packages and convert them to Snort detection rules.

  • Snort: Snort is an open-source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks.

Problem Statement

An Intrusion Prevention System (IPS) has become a standing requirement in enterprise networks because of the increasing sophistication and frequency of cyber attacks. IPS tools monitor network traffic for potential threats and automatically act to block them: alerting the security team, terminating risky connections, removing malicious content, or triggering other security devices. The IPS is therefore a vital security component for preventing some of the most advanced attacks.

Solution

Cyware offers an automated solution that combines Intel Exchange with the IPS tool. The solution uses an Orchestrate playbook that automatically imports STIX intel packages and converts them to Snort rules. This allows security teams to proactively detect threats that target the organization's network and automatically block them by configuring the generated Snort rules on the IPS tool.

[Figure: Decode_STIX_package_Intel_to_Snort.svg, workflow diagram of the STIX-to-Snort playbook]

How do we solve this problem?

  1. Retrieve STIX Packages: The playbook starts by retrieving the malicious STIX packages that are marked by analysts for Snort detection. Intel Exchange analysts can directly run a rule from the threat data details page of the malicious indicator to update the Snort detection tool.

  2. Onboard the STIX Data as an Event: The Intel Exchange rule creates a STIX package and sends it to Orchestrate for further processing.

  3. Decode STIX to Snort: The playbook takes the data sent from Intel Exchange and creates a Snort detection rule from it. The conversion is performed by the OpenAI connector app in Orchestrate.

  4. Notify Security Teams: The Snort detection rule created by the playbook is formatted and onboarded to Collaborate as a draft alert. Analysts review the draft alert and publish it to the required members of the organization. Members can then copy the rule into their intrusion detection configuration and apply the suggested response actions.

  5. Send Email: The playbook also sends an email of the Snort rule to configured recipients. A sample email looks as shown below.

    [Figure: Snort_sample_email.png, a sample email containing the generated Snort rule]

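In the playbook the decode step is done by the OpenAI connector. The following is an added Python example, not the playbook's or Cyware's code, that shows the plumbing around that step deterministically: it parses a constructed STIX 2.1 bundle, translates the two simplest indicator pattern types (ipv4-addr and domain-name) into Snort rules, and applies a structural validator that an analyst could run on any generated rule, AI-written ones included, before publishing the draft alert. Patterns the deterministic translator cannot handle (here, a file hash) are returned for analyst or AI handling instead of being silently dropped. The bundle contents, indicator ids, rule messages and sid range are constructed for the example.

```python
import json
import re

# Constructed sample STIX 2.1 bundle (not real intel). The SHA-256 indicator is
# deliberately outside the pattern types the deterministic translator handles.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Phishing domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example.com']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"},
    ],
})

# Only single-comparison patterns on these two object types are translated here.
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")


def parse_stix_indicators(bundle_json):
    """Return (id, name, pattern) for every indicator object in the bundle."""
    bundle = json.loads(bundle_json)
    return [(o["id"], o.get("name", o["id"]), o["pattern"])
            for o in bundle.get("objects", []) if o.get("type") == "indicator"]


def dns_wire_content(domain):
    """Encode a domain as a Snort content match in DNS wire format (length-prefixed labels)."""
    labels = domain.lower().split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def stix_pattern_to_snort(pattern, name, sid):
    """Deterministic translation for the two simple pattern types; None if unsupported."""
    m = SIMPLE_PATTERN.match(pattern)
    if not m:
        return None
    kind, value = m.groups()
    msg = f'msg:"STIX indicator {name}"'
    if kind == "ipv4-addr":
        # Any traffic towards the indicator address, regardless of protocol or port.
        return f'alert ip any any -> {value} any ({msg}; sid:{sid}; rev:1;)'
    # Outbound DNS query for the indicator domain, matched on the wire-format name.
    return (f'alert udp any any -> any 53 ({msg}; content:"{dns_wire_content(value)}"; '
            f'nocase; sid:{sid}; rev:1;)')


# Shape of a Snort rule: action, protocol, src addr/port, direction, dst addr/port, options.
RULE_SHAPE = re.compile(
    r"^(alert|log|pass|drop|reject|sdrop)\s+(ip|tcp|udp|icmp)\s+\S+\s+\S+\s+(->|<>)"
    r"\s+\S+\s+\S+\s+\((.*)\)$")


def validate_snort_rule(rule):
    """Structural check to run on any rule (AI-generated included) before publishing."""
    m = RULE_SHAPE.match(rule.strip())
    if not m:
        return False
    options = m.group(4)
    has_msg = re.search(r'msg:"[^"]+";', options) is not None
    has_sid = re.search(r"sid:\d+;", options) is not None
    return has_msg and has_sid


def convert_bundle(bundle_json, base_sid=9000001):
    """Return (rules keyed by indicator id, indicators left for analyst/AI handling)."""
    rules, pending = {}, []
    for offset, (ind_id, name, pattern) in enumerate(parse_stix_indicators(bundle_json)):
        rule = stix_pattern_to_snort(pattern, name, base_sid + offset)
        if rule is None or not validate_snort_rule(rule):
            pending.append((ind_id, pattern))
        else:
            rules[ind_id] = rule
    return rules, pending


if __name__ == "__main__":
    generated, needs_review = convert_bundle(SAMPLE_BUNDLE)
    for ind_id, rule in generated.items():
        print(ind_id, "->", rule)
    for ind_id, pattern in needs_review:
        print("needs review:", ind_id, pattern)
```

The validator is intentionally structural: it catches rules that are missing a header, a msg or a sid, which are the defects most likely to make the IPS reject the rule or make the resulting alert untraceable back to the STIX indicator. It is a pre-publish gate for the Collaborate draft alert, not a substitute for the analyst review the workflow already includes.
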
Benefits

AI Written Snort Rules

You can use AI-generated Snort rules for simple and complex cases and keep the rules updated using the proposed automated solution. This helps security teams identify network threats and other risks that could lead to vulnerabilities being exploited.

Real-time network traffic monitoring

By combining a threat intelligence platform and detection technologies such as Snort, security teams can monitor network traffic for any malicious activity and proactively block such threats from entering the network.

Reduced MTTD and MTTR

The solution helps organizations to reduce both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) by validating and remediating security threats within minutes.