

Subject: RE: [cti-cybox] Network Connection Object


The terminology of network "flow" is used beyond just Netflow/IPFIX and the 7 tuple. 

Many products monitor and report on Layer 7 network flows, and describe them in that terminology.



--
Sent from my mobile device, please excuse any typos.


Back, Greg --- RE: [cti-cybox] Network Connection Object ---

From: "Back, Greg" <gback@mitre.org>
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "Kirillov, Ivan A." <ikirillov@mitre.org>
Cc: "Allan Thomson" <athomson@lookingglasscyber.com>, "OASIS CTI TC CybOX SC list" <cti-cybox@lists.oasis-open.org>
Date: Fri, Sep 2, 2016 4:05 PM
Subject: RE: [cti-cybox] Network Connection Object


I think the current object has grown too large and covers too many not-entirely-compatible use cases. I support a Network Flow object, but feel it should be trimmed down to the information typically available in netflow-style output. As it is, the combinations of which properties should (or should not) be used together are not sufficiently specified IMO. I also support further breaking up the Network Connection object, but that's perhaps another issue.

Greg

> -----Original Message-----
> From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
> On Behalf Of Jordan, Bret
> Sent: Friday, September 02, 2016 1:48 PM
> To: Kirillov, Ivan A. <ikirillov@mitre.org>
> Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC CybOX
> SC list <cti-cybox@lists.oasis-open.org>
> Subject: Re: [cti-cybox] Network Connection Object
>
> What do others think....   We have a tie, 2 for it as a network connection, 2 for
> it as a flow.
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO Blue Coat
> Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415
> 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> can not be unscrambled is an egg."
>
>
>     On Sep 2, 2016, at 12:46, Jordan, Bret <bret.jordan@bluecoat.com
> <mailto:bret.jordan@bluecoat.com> > wrote:
>
>     I disagree.  I think a network connection is the very basic concept of a
> device making a connection.  But all of the fields and properties and
> extensions are really part of the details of a network flow.  A network flow is
> more than the basic 7-tuple net flow stuff.   Netflow, SFlow, JFlow are just
> representations of a subset of a full network flow, basically just the statistical
> information.
>
>
>
>
>
>     Thanks,
>
>     Bret
>
>
>
>     Bret Jordan CISSP
>     Director of Security Architecture and Standards | Office of the CTO
>     Blue Coat Systems
>     PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415
> 0050
>     "Without cryptography vihv vivc ce xhrnrw, however, the only thing
> that can not be unscrambled is an egg."
>
>
>         On Sep 2, 2016, at 12:36, Kirillov, Ivan A. <ikirillov@mitre.org
> <mailto:ikirillov@mitre.org> > wrote:
>
>         I’m not really a fan of “Network Flow”. Our current Network
> Connection Object includes extensions such as HTTP and Network Socket
> that go far beyond simple network flow. When I hear “network flow”, I think
> of the basic 7-tuple netflow representation, and my concern is that users will
> think the same when seeing the name of this Object, which is misleading.
>
>         Regards,
>         Ivan
>
>         From: <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> > on behalf of Allan Thomson
> <athomson@lookingglasscyber.com
> <mailto:athomson@lookingglasscyber.com> >
>         Date: Friday, September 2, 2016 at 11:34 AM
>         To: Bret Jordan <bret.jordan@bluecoat.com
> <mailto:bret.jordan@bluecoat.com> >, OASIS CTI TC CybOX SC list <cti-
> cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >
>         Subject: Re: [cti-cybox] Network Connection Object
>
>         I like that suggestion.
>
>         Allan
>
>         From: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> > on behalf of "Jordan, Bret"
> <bret.jordan@bluecoat.com <mailto:bret.jordan@bluecoat.com> >
>         Date: Friday, September 2, 2016 at 9:58 AM
>         To: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> >
>         Subject: [cti-cybox] Network Connection Object
>
>         I would like to propose that we rename the Network
> Connection object to Network Flow object.  Then if needed, create a
> specialized Network Connection State object to handle some of the use
> cases John-Mark was talking about, namely devices that may want to emit
> events in CybOX when a connection is opened or closed.
>
>         As it stands right now, the current Network Connection
> object is really describing a Network Flow. Making this name change might
> really help remove some of the ambiguity associated with it.
>
>
>
>         Thanks,
>
>         Bret
>
>
>
>         Bret Jordan CISSP
>         Director of Security Architecture and Standards | Office of
> the CTO
>         Blue Coat Systems
>         PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE
> 7415 0050
>         "Without cryptography vihv vivc ce xhrnrw, however, the
> only thing that can not be unscrambled is an egg."
>
>
>



