

Subject: RE: [cti-cybox] Network Connection Object


I think the current object has grown too large and covers too many not-entirely-compatible use cases. I support a Network Flow object, but feel it should be trimmed down to the information typically available in netflow-style output. As it is, the combinations of which properties should (or should not) be used together are not sufficiently specified IMO. I also support further breaking up the Network Connection object, but that's perhaps another issue.

Greg

> -----Original Message-----
> From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
> On Behalf Of Jordan, Bret
> Sent: Friday, September 02, 2016 1:48 PM
> To: Kirillov, Ivan A. <ikirillov@mitre.org>
> Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC CybOX
> SC list <cti-cybox@lists.oasis-open.org>
> Subject: Re: [cti-cybox] Network Connection Object
> 
> What do others think....   We have a tie, 2 for it as a network connection, 2 for
> it as a flow.
> 
> Thanks,
> 
> Bret
> 
> 
> 
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO Blue Coat
> Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415
> 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> can not be unscrambled is an egg."
> 
> 
> 	On Sep 2, 2016, at 12:46, Jordan, Bret <bret.jordan@bluecoat.com
> <mailto:bret.jordan@bluecoat.com> > wrote:
> 
> 	I disagree.  I think a network connection is the very basic concept of a
> device making a connection.  But all of the fields and properties and
> extensions are really part of the details of a network flow.  A network flow is
> more than the basic 7-tuple net flow stuff.   Netflow, SFlow, JFlow are just
> representations of a subset of a full network flow, basically just the statistical
> information.
> 
> 
> 
> 
> 
> 	Thanks,
> 
> 	Bret
> 
> 
> 
> 	Bret Jordan CISSP
> 	Director of Security Architecture and Standards | Office of the CTO
> 	Blue Coat Systems
> 	PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415
> 0050
> 	"Without cryptography vihv vivc ce xhrnrw, however, the only thing
> that can not be unscrambled is an egg."
> 
> 
> 		On Sep 2, 2016, at 12:36, Kirillov, Ivan A. <ikirillov@mitre.org
> <mailto:ikirillov@mitre.org> > wrote:
> 
> 		I’m not really a fan of “Network Flow”. Our current Network
> Connection Object includes extensions such as HTTP and Network Socket
> that go far beyond simple network flow. When I hear “network flow”, I think
> of the basic 7-tuple netflow representation, and my concern is that users will
> think the same when seeing the name of this Object, which is misleading.
> 
> 		Regards,
> 		Ivan
> 
> 		From: <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> > on behalf of Allan Thomson
> <athomson@lookingglasscyber.com
> <mailto:athomson@lookingglasscyber.com> >
> 		Date: Friday, September 2, 2016 at 11:34 AM
> 		To: Bret Jordan <bret.jordan@bluecoat.com
> <mailto:bret.jordan@bluecoat.com> >, OASIS CTI TC CybOX SC list <cti-
> cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >
> 		Subject: Re: [cti-cybox] Network Connection Object
> 
> 		I like that suggestion.
> 
> 		Allan
> 
> 		From: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> > on behalf of "Jordan, Bret"
> <bret.jordan@bluecoat.com <mailto:bret.jordan@bluecoat.com> >
> 		Date: Friday, September 2, 2016 at 9:58 AM
> 		To: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> >
> 		Subject: [cti-cybox] Network Connection Object
> 
> 		I would like to propose that we rename the Network
> Connection object to Network Flow object.  Then if needed, create a
> specialized Network Connection State object to handle some of the use
> cases John-Mark was talking about, namely devices that may want to emit
> events in CybOX when a connection is opened or closed.
> 
> 		As it stands right now, the current Network Connection
> object is really describing a Network Flow. Making this name change might
> really help remove some of the ambiguity associated with it.
> 
> 
> 
> 		Thanks,
> 
> 		Bret
> 
> 
> 
> 		Bret Jordan CISSP
> 		Director of Security Architecture and Standards | Office of
> the CTO
> 		Blue Coat Systems
> 		PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE
> 7415 0050
> 		"Without cryptography vihv vivc ce xhrnrw, however, the
> only thing that can not be unscrambled is an egg."
> 
> 
> 


