cti-cybox message


Subject: Re: [cti-cybox] Network Connection Object


It’s true that the current Object encompasses both network connections and network flows, but I view a network connection as a superset of network flows. Network flows are metadata about network connections – they do capture the actual traffic that was observed (which our Object does); similarly, I don’t think any malware analyst would refer to malware C2 beaconing (as an example) as a network flow – it’s a network connection that may have an associated flow.

Regards,
Ivan

On 9/2/16, 1:05 PM, "Back, Greg" <gback@mitre.org> wrote:

>I think the current object has grown too large and covers too many not-entirely-compatible use cases. I support a Network Flow object, but feel it should be trimmed down to the information typically available in netflow-style output. As it is, the combinations of which properties should (or should not) be used together are not sufficiently specified IMO. I also support further breaking up the Network Connection object, but that's perhaps another issue.
>
>Greg
>
>> -----Original Message-----
>> From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
>> On Behalf Of Jordan, Bret
>> Sent: Friday, September 02, 2016 1:48 PM
>> To: Kirillov, Ivan A. <ikirillov@mitre.org>
>> Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC CybOX
>> SC list <cti-cybox@lists.oasis-open.org>
>> Subject: Re: [cti-cybox] Network Connection Object
>> 
>> What do others think....   We have a tie, 2 for it as a network connection, 2 for
>> it as a flow.
>> 
>> Thanks,
>> 
>> Bret
>> 
>> 
>> 
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO Blue Coat
>> Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415
>> 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>> can not be unscrambled is an egg."
>> 
>> 
>> 	On Sep 2, 2016, at 12:46, Jordan, Bret <bret.jordan@bluecoat.com
>> <mailto:bret.jordan@bluecoat.com> > wrote:
>> 
>> 	I disagree.  I think a network connection is the very basic concept of a
>> device making a connection.  But all of the fields and properties and
>> extensions are really part of the details of a network flow.  A network flow is
>> more than the basic 7-tuple net flow stuff.   Netflow, SFlow, JFlow are just
>> representations of a subset of a full network flow, basically just the statistical
>> information.
>> 
>> 
>> 
>> 
>> 
>> 	Thanks,
>> 
>> 	Bret
>> 
>> 
>> 
>> 	Bret Jordan CISSP
>> 	Director of Security Architecture and Standards | Office of the CTO
>> 	Blue Coat Systems
>> 	PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415
>> 0050
>> 	"Without cryptography vihv vivc ce xhrnrw, however, the only thing
>> that can not be unscrambled is an egg."
>> 
>> 
>> 		On Sep 2, 2016, at 12:36, Kirillov, Ivan A. <ikirillov@mitre.org
>> <mailto:ikirillov@mitre.org> > wrote:
>> 
>> 		I’m not really a fan of “Network Flow”. Our current Network
>> Connection Object includes extensions such as HTTP and Network Socket
>> that go far beyond simple network flow. When I hear “network flow”, I think
>> of the basic 7-tuple netflow representation, and my concern is that users will
>> think the same when seeing the name of this Object, which is misleading.
>> 
>> 		Regards,
>> 		Ivan
>> 
>> 		From: <cti-cybox@lists.oasis-open.org <mailto:cti-
>> cybox@lists.oasis-open.org> > on behalf of Allan Thomson
>> <athomson@lookingglasscyber.com
>> <mailto:athomson@lookingglasscyber.com> >
>> 		Date: Friday, September 2, 2016 at 11:34 AM
>> 		To: Bret Jordan <bret.jordan@bluecoat.com
>> <mailto:bret.jordan@bluecoat.com> >, OASIS CTI TC CybOX SC list <cti-
>> cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >
>> 		Subject: Re: [cti-cybox] Network Connection Object
>> 
>> 		I like that suggestion.
>> 
>> 		Allan
>> 
>> 		From: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
>> cybox@lists.oasis-open.org> > on behalf of "Jordan, Bret"
>> <bret.jordan@bluecoat.com <mailto:bret.jordan@bluecoat.com> >
>> 		Date: Friday, September 2, 2016 at 9:58 AM
>> 		To: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
>> cybox@lists.oasis-open.org> >
>> 		Subject: [cti-cybox] Network Connection Object
>> 
>> 		I would like to propose that we rename the Network
>> Connection object to Network Flow object.  Then if needed, create a
>> specialized Network Connection State object to handle some of the use
>> cases John-Mark was talking about, namely devices that may want to emit
>> events in CybOX when a connection is opened or closed.
>> 
>> 		As it stands right now, the current Network Connection
>> object is really describing a Network Flow. Making this name change might
>> really help remove some of the ambiguity associated with it.
>> 
>> 
>> 
>> 		Thanks,
>> 
>> 		Bret
>> 
>> 
>> 
>> 		Bret Jordan CISSP
>> 		Director of Security Architecture and Standards | Office of
>> the CTO
>> 		Blue Coat Systems
>> 		PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE
>> 7415 0050
>> 		"Without cryptography vihv vivc ce xhrnrw, however, the
>> only thing that can not be unscrambled is an egg."
>> 
>> 
>> 
>