Subject: RE: [cti-cybox] Network Connection Object
From: "Back, Greg" <gback@mitre.org>
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "Kirillov, Ivan A." <ikirillov@mitre.org>
Cc: "Allan Thomson" <athomson@lookingglasscyber.com>, "OASIS CTI TC CybOX SC list" <cti-cybox@lists.oasis-open.org>
Date: Fri, Sep 2, 2016 4:05 PM
I think the current object has grown too large and covers too many not-entirely-compatible use cases. I support a Network Flow object, but feel it should be trimmed down to the information typically available in netflow-style output. As it is, the combinations of which properties should (or should not) be used together are not sufficiently specified IMO. I also support further breaking up the Network Connection object, but that's perhaps another issue.
Greg
> -----Original Message-----
> From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
> On Behalf Of Jordan, Bret
> Sent: Friday, September 02, 2016 1:48 PM
> To: Kirillov, Ivan A. <ikirillov@mitre.org>
> Cc: Allan Thomson <athomson@lookingglasscyber.com>; OASIS CTI TC CybOX
> SC list <cti-cybox@lists.oasis-open.org>
> Subject: Re: [cti-cybox] Network Connection Object
>
> What do others think.... We have a tie, 2 for it as a network connection, 2 for
> it as a flow.
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO Blue Coat
> Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415
> 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> can not be unscrambled is an egg."
>
>
> On Sep 2, 2016, at 12:46, Jordan, Bret <bret.jordan@bluecoat.com
> <mailto:bret.jordan@bluecoat.com> > wrote:
>
> I disagree. I think a network connection is the very basic concept of a
> device making a connection. But all of the fields and properties and
> extensions are really part of the details of a network flow. A network flow is
> more than the basic 7-tuple net flow stuff. Netflow, SFlow, JFlow are just
> representations of a subset of a full network flow, basically just the statistical
> information.
>
>
>
>
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415
> 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing
> that can not be unscrambled is an egg."
>
>
> On Sep 2, 2016, at 12:36, Kirillov, Ivan A. <ikirillov@mitre.org
> <mailto:ikirillov@mitre.org> > wrote:
>
> I’m not really a fan of “Network Flow”. Our current Network
> Connection Object includes extensions such as HTTP and Network Socket
> that go far beyond simple network flow. When I hear “network flow”, I think
> of the basic 7-tuple netflow representation, and my concern is that users will
> think the same when seeing the name of this Object, which is misleading.
>
> Regards,
> Ivan
>
> From: <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> > on behalf of Allan Thomson
> <athomson@lookingglasscyber.com
> <mailto:athomson@lookingglasscyber.com> >
> Date: Friday, September 2, 2016 at 11:34 AM
> To: Bret Jordan <bret.jordan@bluecoat.com
> <mailto:bret.jordan@bluecoat.com> >, OASIS CTI TC CybOX SC list <cti-
> cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >
> Subject: Re: [cti-cybox] Network Connection Object
>
> I like that suggestion.
>
> Allan
>
> From: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> > on behalf of "Jordan, Bret"
> <bret.jordan@bluecoat.com <mailto:bret.jordan@bluecoat.com> >
> Date: Friday, September 2, 2016 at 9:58 AM
> To: OASIS list <cti-cybox@lists.oasis-open.org <mailto:cti-
> cybox@lists.oasis-open.org> >
> Subject: [cti-cybox] Network Connection Object
>
> I would like to propose that we rename the Network
> Connection object to Network Flow object. Then if needed, create a
> specialized Network Connection State object to handle some of the use
> cases John-Mark was talking about, namely devices that may want to emit
> events in CybOX when a connection is opened or closed.
>
> As it stands right now, the current Network Connection
> object is really describing a Network Flow. Making this name change might
> really help remove some of the ambiguity associated with it.
>
>
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of
> the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE
> 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the
> only thing that can not be unscrambled is an egg."
>
>
>