Subject: Re: [cti-cybox] Network Connection Object


It depends on who you ask and what tools they use...  I see a Network Flow as having a series of network connection states.  A lot of tools used to capture and perform analytics on this type of traffic all refer to this as a network flow.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 2, 2016, at 13:11, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:

It’s true that the current Object encompasses both network connections and network flows, but I view a network connection as a superset of network flows. Network flows are metadata about network connections – they do capture the actual traffic that was observed (which our Object does); similarly, I don’t think any malware analyst would refer to malware C2 beaconing (as an example) as a network flow – it’s a network connection that may have an associated flow.

Regards,
Ivan

On 9/2/16, 1:05 PM, "Back, Greg" <gback@mitre.org> wrote:

I think the current object has grown too large and covers too many not-entirely-compatible use cases. I support a Network Flow object, but feel it should be trimmed down to the information typically available in netflow-style output. As it is, the combinations of which properties should (or should not) be used together are not sufficiently specified IMO. I also support further breaking up the Network Connection object, but that's perhaps another issue.

Greg

-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Friday, September 02, 2016 1:48 PM
To: Kirillov, Ivan A. <ikirillov@mitre.org>
Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Network Connection Object

What do others think....   We have a tie, 2 for it as a network connection, 2 for it as a flow.

Thanks,

Bret





On Sep 2, 2016, at 12:46, Jordan, Bret <bret.jordan@bluecoat.com> wrote:

I disagree.  I think a network connection is the very basic concept of a device making a connection.  But all of the fields and properties and extensions are really part of the details of a network flow.  A network flow is more than the basic 7-tuple net flow stuff.   Netflow, SFlow, JFlow are just representations of a subset of a full network flow, basically just the statistical information.

Thanks,

Bret





On Sep 2, 2016, at 12:36, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:

I’m not really a fan of “Network Flow”. Our current Network Connection Object includes extensions such as HTTP and Network Socket that go far beyond simple network flow. When I hear “network flow”, I think of the basic 7-tuple netflow representation, and my concern is that users will think the same when seeing the name of this Object, which is misleading.

Regards,
Ivan

From: <cti-cybox@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, September 2, 2016 at 11:34 AM
To: Bret Jordan <bret.jordan@bluecoat.com>, OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Network Connection Object

I like that suggestion.

Allan

From: OASIS list <cti-cybox@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Friday, September 2, 2016 at 9:58 AM
To: OASIS list <cti-cybox@lists.oasis-open.org>
Subject: [cti-cybox] Network Connection Object

I would like to propose that we rename the Network Connection object to Network Flow object.  Then, if needed, create a specialized Network Connection State object to handle some of the use cases John-Mark was talking about, namely devices that may want to emit events in CybOX when a connection is opened or closed.

As it stands right now, the current Network Connection object is really describing a Network Flow. Making this name change might really help remove some of the ambiguity associated with it.

Thanks,

Bret


