OpenIOC Parameters Used by Openioc_scan

“Parameters”, introduced in OpenIOC 1.1, allow additional metadata about indicator terms to be embedded in the IOC itself (for details, see William Gibb's Black Hat 2013 presentation). I implemented two functions that use them: displaying the matched content details of a term, and scoring the result of indicator matching.

To use the new functions, define the parameters in PyIOCe (written by Sean Gillespie). First, select [Modify Parameters] in the Terms menu, then add the Context Type and the Name/Value pairs as below:

[Figure: define]

The Context Type must be lower-case (“volatility”), because it has to match the Context Type of the indicator items exactly.

Next, double-click any term and add the parameters to it:

[Figure: define]

The value of “detail” should be “on”, and “score” takes any integer value from 0 to 100. openioc_scan reports an IOC as matched if either the logical evaluation of all its terms is true, or the total score of the matched terms that carry a “score” parameter is greater than or equal to SCORE_THRESHOLD (the default is 100). Note that the second rule means a partially matched IOC can be reported, so assign scores only to terms that are strong enough to justify a hit on their own.

For instance, see the following result.

[Figure: result]

All indicator terms are combined with the “AND” operator but only 3 of them match, so the result without the “score” parameter would be False. However, openioc_scan reports “IOC matched” because the total score is 100. The score of each term is shown after it, like “(score=50;)”. Similarly, the matched content of terms with the “detail” parameter appears in the INFO log lines above the IOC result.
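The matching rule described above (logical evaluation of the terms, or the sum of the matched terms' “score” parameters reaching SCORE_THRESHOLD) and the result shown in the figure, worked through as an added Python example. This is not openioc_scan's own code; it is a stand-alone re-implementation of the rule over a constructed OpenIOC 1.1 document and a constructed dictionary of observations that stands in for what the plugin extracts from a memory image. The `<parameters>`/`<param ref-id=… name=…>` layout follows my reading of the OpenIOC 1.1 schema; the namespace URI, the function names (`load_params`, `match_item`, `evaluate`, `scan`), the handling of only the “is” and “contains” conditions, and the sample data are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}  # assumed OpenIOC 1.1 namespace
SCORE_THRESHOLD = 100  # openioc_scan's default, per the post above

# Constructed sample IOC (not from the post). Four terms under one AND
# indicator; the observations below satisfy only three of them, so the
# pure logic result is False, while the two matched terms that carry
# score=50 add up to exactly SCORE_THRESHOLD.
SAMPLE_IOC = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="00000000-0000-0000-0000-000000000001">
  <criteria>
    <Indicator operator="AND" id="ind-root">
      <IndicatorItem id="item-a" condition="is">
        <Context document="ProcessItem" search="ProcessItem/name" type="volatility"/>
        <Content type="string">evil.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="item-b" condition="contains">
        <Context document="ProcessItem" search="ProcessItem/StringList/string" type="volatility"/>
        <Content type="string">cmd.exe /c</Content>
      </IndicatorItem>
      <IndicatorItem id="item-c" condition="is">
        <Context document="PortItem" search="PortItem/remotePort" type="volatility"/>
        <Content type="string">4444</Content>
      </IndicatorItem>
      <IndicatorItem id="item-d" condition="is">
        <Context document="ServiceItem" search="ServiceItem/name" type="volatility"/>
        <Content type="string">evilsvc</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
  <parameters>
    <param id="p-1" ref-id="item-a" name="score"><value type="string">50</value></param>
    <param id="p-2" ref-id="item-a" name="detail"><value type="string">on</value></param>
    <param id="p-3" ref-id="item-b" name="score"><value type="string">50</value></param>
    <param id="p-4" ref-id="item-b" name="detail"><value type="string">on</value></param>
  </parameters>
</OpenIOC>
"""

# Constructed stand-in for the facts openioc_scan pulls out of a memory
# image: search term -> set of observed values.
OBSERVATIONS = {
    "ProcessItem/name": {"explorer.exe", "evil.exe", "svchost.exe"},
    "ProcessItem/StringList/string": {"cmd.exe /c whoami", "kernel32.dll"},
    "PortItem/remotePort": {"443", "4444"},
    "ServiceItem/name": {"wuauserv", "Dhcp"},
}


def load_params(root):
    """Map each referenced IndicatorItem id to its {name: value} parameters."""
    params = {}
    for p in root.findall("ioc:parameters/ioc:param", NS):
        value = p.find("ioc:value", NS)
        text = (value.text or "").strip() if value is not None else ""
        params.setdefault(p.get("ref-id"), {})[p.get("name")] = text
    return params


def match_item(item, observations):
    """Evaluate one IndicatorItem; return (matched, sorted matching values)."""
    ctx = item.find("ioc:Context", NS)
    content = (item.find("ioc:Content", NS).text or "").strip()
    values = observations.get(ctx.get("search"), set())
    condition = item.get("condition", "is")
    if condition == "is":
        hits = [v for v in values if v == content]
    elif condition == "contains":
        hits = [v for v in values if content in v]
    else:
        raise ValueError("unsupported condition: %s" % condition)
    return bool(hits), sorted(hits)


def evaluate(indicator, observations, params, log):
    """Recursively evaluate an Indicator.

    Returns (logic_result, score): the AND/OR result over the children and
    the sum of the "score" parameters of the children that actually matched.
    """
    results, score = [], 0
    for child in indicator:
        tag = child.tag.split("}")[-1]
        if tag == "Indicator":
            matched, s = evaluate(child, observations, params, log)
        elif tag == "IndicatorItem":
            matched, hits = match_item(child, observations)
            p = params.get(child.get("id"), {})
            s = 0
            if "score" in p:
                s = int(p["score"])
                if not 0 <= s <= 100:
                    raise ValueError("score out of range for %s" % child.get("id"))
                if not matched:
                    s = 0  # only matched terms contribute to the total
            if matched and p.get("detail") == "on":
                log.append("INFO %s matched content: %s" % (child.get("id"), ", ".join(hits)))
            log.append("%s %s%s" % (child.get("id"), "matched" if matched else "not matched",
                                    " (score=%s;)" % p["score"] if "score" in p else ""))
        else:
            continue
        results.append(matched)
        score += s
    op = indicator.get("operator", "AND").upper()
    if op == "AND":
        return all(results), score
    if op == "OR":
        return any(results), score
    raise ValueError("unsupported operator: %s" % op)


def scan(xml_text, observations, threshold=SCORE_THRESHOLD):
    """Apply the two-way rule: logic result is true OR total score >= threshold."""
    root = ET.fromstring(xml_text)
    params = load_params(root)
    log = []
    logic, score = True, 0
    for ind in root.findall("ioc:criteria/ioc:Indicator", NS):
        r, s = evaluate(ind, observations, params, log)
        logic, score = logic and r, score + s
    return {"logic": logic, "score": score,
            "matched": logic or score >= threshold, "log": log}


if __name__ == "__main__":
    result = scan(SAMPLE_IOC, OBSERVATIONS)
    print("\n".join(result["log"]))
    print("logic=%s score=%d -> %s" % (result["logic"], result["score"],
                                      "IOC matched" if result["matched"] else "no match"))
```

Running it reproduces the situation in the figure: the AND over four terms is False because `item-d` has no match, but the two matched terms with `score=50` sum to 100, so the IOC is reported as matched, with the `(score=50;)` annotation on each scored term and an INFO line carrying the matched content for the terms whose `detail` parameter is `on`. Raising the threshold above 100 turns the same run into a non-match, which is the lever to pull when scored partial matches produce too many hits.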

In this way, OpenIOC parameters make it possible to define more informative and flexible IOCs. I will implement more functions using parameters in the future.

Download

You can download the script and the term/parameter definitions from here.