Subject: RE: [cti-cybox] Network Connection Object
I think the current object has grown too large and covers too many not-entirely-compatible use cases. I support a Network Flow object, but feel it should be trimmed down to the information typically available in netflow-style output. As it is, the combinations of which properties should (or should not) be used together are not sufficiently specified IMO.

I also support further breaking up the Network Connection object, but that's perhaps another issue.

Greg

> -----Original Message-----
> From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Jordan, Bret
> Sent: Friday, September 02, 2016 1:48 PM
> To: Kirillov, Ivan A. <ikirillov@mitre.org>
> Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>
> Subject: Re: [cti-cybox] Network Connection Object
>
> What do others think.... We have a tie, 2 for it as a network connection, 2 for it as a flow.
>
> Thanks,
>
> Bret
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
> On Sep 2, 2016, at 12:46, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
>
> I disagree. I think a network connection is the very basic concept of a device making a connection. But all of the fields and properties and extensions are really part of the details of a network flow. A network flow is more than the basic 7-tuple net flow stuff. Netflow, SFlow, JFlow are just representations of a subset of a full network flow, basically just the statistical information.
>
> Thanks,
>
> Bret
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
> On Sep 2, 2016, at 12:36, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:
>
> I’m not really a fan of “Network Flow”. Our current Network Connection Object includes extensions such as HTTP and Network Socket that go far beyond simple network flow. When I hear “network flow”, I think of the basic 7-tuple netflow representation, and my concern is that users will think the same when seeing the name of this Object, which is misleading.
>
> Regards,
> Ivan
>
> From: <cti-cybox@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
> Date: Friday, September 2, 2016 at 11:34 AM
> To: Bret Jordan <bret.jordan@bluecoat.com>, OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>
> Subject: Re: [cti-cybox] Network Connection Object
>
> I like that suggestion.
>
> Allan
>
> From: OASIS list <cti-cybox@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
> Date: Friday, September 2, 2016 at 9:58 AM
> To: OASIS list <cti-cybox@lists.oasis-open.org>
> Subject: [cti-cybox] Network Connection Object
>
> I would like to propose that we rename the Network Connection object to Network Flow object. Then if needed, create a specialized Network Connection State object to handle some of the use cases John-Mark was talking about, namely devices that may want to emit events in CybOX when a connection is opened or closed.
>
> As it stands right now, the current Network Connection object is really describing a Network Flow. Making this name change might really help remove some of the ambiguity associated with it.
>
> Thanks,
>
> Bret
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."