Subject: Re: [cti-cybox] For review: Network Connection Object
Hi - first, apologies I could not attend this call (it seems I am in perpetual conflict with the cybox working call). We had a good discussion around the Network Connection Object today during the CybOX working call. Here are some of the main open questions/takeaways:
· It was pointed out that having multiple destinations for a network connection doesn’t make sense (IP multicast doesn’t work this way), so we’ve reverted dst_refs to dst_ref to allow only a single destination per network connection.

· We discussed which fields should be required for a network connection; there was consensus that dst_ref should be required, and likely src_ref as well. However, it was pointed out that there are cases where you may not want to share data about the source of a network connection (it could be sensitive data), so we haven’t decided yet if we’ll mandate that src_ref is required.

· There was some discussion of whether extensions such as HTTP should instead be separate Objects that are associated with a network connection via relationships. The notion is that these are complex structures which could be Objects in their own right and could also be used in a standalone capacity as separate Objects.

· We briefly discussed the possibility of a network packet object/extension, and there was consensus that it made sense. It’s not clear if this is something that should be MVP, however.

The rest are documented under the “Open Questions” for the Object: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.j4fc21y66bxr

Regards,
Ivan

From: <cti-cybox@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Wednesday, June 15, 2016 at 7:39 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] For review: Network Connection Object

Yeah, I agree – flow payloads are different from packet payloads, so we’d need a separate extension for the latter.
Regards,
Ivan

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, June 15, 2016 at 6:38 AM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] For review: Network Connection Object

IMO per-packet payloads would not belong in the "flow" extension, they would go into a "packet" extension (of which one could make a list). A flow is a different concept than a simple collection of packets.

The Network Connection Object is finally ready for review: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.rgnc3w40xy

There are a number of open questions around this Object, including the following:

Regards,
Ivan
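As an added illustration of the constraints agreed in the call summary at the top of this thread (a single dst_ref rather than dst_refs, dst_ref required, src_ref possibly optional because source data can be sensitive, HTTP as a nested extension), here is a small validator. It is constructed for this page and is not code from the CybOX working group or the draft specification; the only field names taken from the thread are src_ref and dst_ref. The object type name "network-connection", the "http" extension key, the "extensions" container and the reference ids in the samples are all assumptions.

```python
"""Constructed validator for the Network Connection Object constraints
discussed in the thread: one destination per connection (dst_refs
reverted to dst_ref), dst_ref required, src_ref optional unless the
caller insists, and extensions such as HTTP carried as nested objects.
Everything except the src_ref/dst_ref names is an assumption."""

from typing import Any, Dict, List

# Assumed type name; the thread only says "Network Connection Object".
OBJECT_TYPE = "network-connection"

# HTTP was the extension named in the discussion; the key is assumed.
KNOWN_EXTENSIONS = {"http"}


def validate_network_connection(obj: Dict[str, Any], require_src: bool = False) -> List[str]:
    """Return the list of problems found; an empty list means acceptable.

    require_src mirrors the still-open question of whether src_ref must be
    present. Consumers that accept source-redacted connections leave it False.
    """
    problems: List[str] = []

    if obj.get("type") != OBJECT_TYPE:
        problems.append(f"type must be {OBJECT_TYPE!r}")

    # Multiple destinations were rejected in the call; the plural form is an error.
    if "dst_refs" in obj:
        problems.append("dst_refs is not allowed; use a single dst_ref")

    dst = obj.get("dst_ref")
    if dst is None:
        problems.append("dst_ref is required")
    elif not isinstance(dst, str):
        problems.append("dst_ref must be a single reference string")

    src = obj.get("src_ref")
    if src is None:
        if require_src:
            problems.append("src_ref is required")
    elif not isinstance(src, str):
        problems.append("src_ref must be a single reference string")

    # Extensions, if present, map an extension name to its own structure.
    exts = obj.get("extensions", {})
    if not isinstance(exts, dict):
        problems.append("extensions must be an object keyed by extension name")
    else:
        for name, body in exts.items():
            if name not in KNOWN_EXTENSIONS:
                problems.append(f"unknown extension {name!r}")
            elif not isinstance(body, dict):
                problems.append(f"extension {name!r} must be an object")

    return problems


# Constructed sample objects; the reference ids are made-up placeholders.
GOOD = {
    "type": OBJECT_TYPE,
    "src_ref": "ipv4-addr--EXAMPLE-SRC",
    "dst_ref": "ipv4-addr--EXAMPLE-DST",
    # request_method is an assumed HTTP extension field, not from the thread.
    "extensions": {"http": {"request_method": "GET"}},
}

# Source deliberately withheld, the sensitive-data case raised in the call.
REDACTED_SOURCE = {
    "type": OBJECT_TYPE,
    "dst_ref": "ipv4-addr--EXAMPLE-DST",
}

# The rejected shape: a list of destinations and no dst_ref.
MULTI_DST = {
    "type": OBJECT_TYPE,
    "src_ref": "ipv4-addr--EXAMPLE-SRC",
    "dst_refs": ["ipv4-addr--EXAMPLE-DST-1", "ipv4-addr--EXAMPLE-DST-2"],
}

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("redacted", REDACTED_SOURCE), ("multi", MULTI_DST)):
        print(label, validate_network_connection(sample) or "ok")
```

Running the script reports the redacted-source object as acceptable by default and flags it only when `require_src=True`, which is exactly the policy choice the call left open.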