Subject: Re: [cti-cybox] Network Connection Object
It’s true that the current Object encompasses both network connections and network flows, but I view a network connection as a superset of network flows. Network flows are metadata about network connections – they do capture the actual traffic that was observed (which our Object does); similarly, I don’t think any malware analyst would refer to malware C2 beaconing (as an example) as a network flow – it’s a network connection that may have an associated flow.

Regards,
Ivan

On 9/2/16, 1:05 PM, "Back, Greg" <gback@mitre.org> wrote:

>I think the current object has grown too large and covers too many not-entirely-compatible use cases. I support a Network Flow object, but feel it should be trimmed down to the information typically available in netflow-style output. As it is, the combinations of which properties should (or should not) be used together are not sufficiently specified IMO. I also support further breaking up the Network Connection object, but that's perhaps another issue.
>
>Greg
>
>> -----Original Message-----
>> From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
>> On Behalf Of Jordan, Bret
>> Sent: Friday, September 02, 2016 1:48 PM
>> To: Kirillov, Ivan A. <ikirillov@mitre.org>
>> Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC CybOX
>> SC list <cti-cybox@lists.oasis-open.org>
>> Subject: Re: [cti-cybox] Network Connection Object
>>
>> What do others think.... We have a tie, 2 for it as a network connection, 2 for
>> it as a flow.
>>
>> Thanks,
>>
>> Bret
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO Blue Coat
>> Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415
>> 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>> can not be unscrambled is an egg."
>>
>>
>> On Sep 2, 2016, at 12:46, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
>>
>> I disagree. I think a network connection is the very basic concept of a
>> device making a connection. But all of the fields and properties and
>> extensions are really part of the details of a network flow. A network flow is
>> more than the basic 7-tuple net flow stuff. Netflow, SFlow, JFlow are just
>> representations of a subset of a full network flow, basically just the statistical
>> information.
>>
>> Thanks,
>>
>> Bret
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO
>> Blue Coat Systems
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing
>> that can not be unscrambled is an egg."
>>
>>
>> On Sep 2, 2016, at 12:36, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:
>>
>> I’m not really a fan of “Network Flow”. Our current Network
>> Connection Object includes extensions such as HTTP and Network Socket
>> that go far beyond simple network flow. When I hear “network flow”, I think
>> of the basic 7-tuple netflow representation, and my concern is that users will
>> think the same when seeing the name of this Object, which is misleading.
>>
>> Regards,
>> Ivan
>>
>> From: <cti-cybox@lists.oasis-open.org> on behalf of Allan Thomson
>> <athomson@lookingglasscyber.com>
>> Date: Friday, September 2, 2016 at 11:34 AM
>> To: Bret Jordan <bret.jordan@bluecoat.com>, OASIS CTI TC CybOX SC list
>> <cti-cybox@lists.oasis-open.org>
>> Subject: Re: [cti-cybox] Network Connection Object
>>
>> I like that suggestion.
>>
>> Allan
>>
>> From: OASIS list <cti-cybox@lists.oasis-open.org> on behalf of "Jordan, Bret"
>> <bret.jordan@bluecoat.com>
>> Date: Friday, September 2, 2016 at 9:58 AM
>> To: OASIS list <cti-cybox@lists.oasis-open.org>
>> Subject: [cti-cybox] Network Connection Object
>>
>> I would like to propose that we rename the Network
>> Connection object to Network Flow object. Then if needed, create a
>> specialized Network Connection State object to handle some of the use
>> cases John-Mark was talking about, namely devices that may want to emit
>> events in CybOX when a connection is opened or closed.
>>
>> As it stands right now, the current Network Connection
>> object is really describing a Network Flow. Making this name change might
>> really help remove some of the ambiguity associated with it.
>>
>> Thanks,
>>
>> Bret
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO
>> Blue Coat Systems
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the
>> only thing that can not be unscrambled is an egg."