Subject: Re: [cti-cybox] Network Connection Object TCP Extension
On 30.08.2016 22:44:27, Jordan, Bret wrote:
> Do we really want to rebuild or capture the entire IP/TCP header in
> CybOX? Does that really make sense when there are other solutions
> that arguably do this much better? I think CybOX should capture the
> high level things that are important that meet the 80-90% use case
> and leave those other nitty-gritty things for another solution.
>

Exactly! This "completionist" approach was one of the biggest failings of previous versions of CybOX.

>
> I could see this network connection just having a hex encoded
> libpcap or libpcap-ng data blob if you really wanted to capture
> the packet, datagram, or frame headers.
>

Precisely why we've relied so heavily on the artifact object to provide an effective escape hatch for characterizing really weird things that don't fit neatly into the defined set of object fields.

For sure we're missing some important things! We don't know what we don't know. So we'll add additional fields to the spec in future revisions as the community presents the relevant use cases instead of trying to cram everything in with the kitchen sink today. ^_^

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"One size never fits all." --RFC 1925