
cti-cybox message



Subject: Re: [cti-cybox] Network Connection Object


Hi Ivan – IPFIX allows far more than the basic 7-tuple and, as you know, the CybOX network connection has the ability to contain that information.

 

I think the key point to keep in mind is whether connection implies actually ‘a connection’ when one does not exist.

 

For me, we are arguing a nuanced definition of what information is represented when one system ‘attempts’ to communicate with another. An attempt does not necessarily mean they actually connect. It just means there was a communication in at least one direction.

 

Therefore, for me a flow is more accurate a term than a connection.

 

But it’s a very nuanced argument and I could easily see both are acceptable.

 

allan

 

From: "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, September 2, 2016 at 11:36 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, OASIS list <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Network Connection Object

 

I’m not really a fan of “Network Flow”. Our current Network Connection Object includes extensions such as HTTP and Network Socket that go far beyond simple network flow. When I hear “network flow”, I think of the basic 7-tuple netflow representation, and my concern is that users will think the same when seeing the name of this Object, which is misleading.

 

Regards,

Ivan

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, September 2, 2016 at 11:34 AM
To: Bret Jordan <bret.jordan@bluecoat.com>, OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Network Connection Object

 

I like that suggestion.

 

Allan

 

From: OASIS list <cti-cybox@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Friday, September 2, 2016 at 9:58 AM
To: OASIS list <cti-cybox@lists.oasis-open.org>
Subject: [cti-cybox] Network Connection Object

 

I would like to propose that we rename the Network Connection object to Network Flow object. Then, if needed, create a specialized Network Connection State object to handle some of the use cases John-Mark was talking about, namely devices that may want to emit events in CybOX when a connection is opened or closed.

 

As it stands right now, the current Network Connection object is really describing a Network Flow. Making this name change might really help remove some of the ambiguity associated with it. 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 


