cti-cybox message


Subject: Re: [cti-cybox] Network Flow


And down the rabbit hole we go....

The reason we added the flow elements to the network connection object was specifically to eliminate the ambiguity that existed in Cybox 2.X. The problem with 2.X is there was "more than one way to do things". It was totally unclear when one should use a network connection and when one should use a flow - what is the boundary? Even larger - if I write a pattern against network flows, should it match against network connections? And vice-versa?

No, can we please stick to one way to model a network connection... after all the only real difference between a connection and a flow are the flags on it, and the number of packets traversing it.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Trey Darley <trey@kingfisherops.com>
To: "Kirillov, Ivan A." <ikirillov@mitre.org>
Cc: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 09/19/2016 06:13 AM
Subject: Re: [cti-cybox] Network Flow
Sent by: <cti-cybox@lists.oasis-open.org>





On 15.09.2016 15:24:48, Kirillov, Ivan A. wrote:
> I’m not sure that we had consensus either way – the last discussion
> seemed to spiral off into separate threads about use cases and
> network traffic modeling in general. All good discussions but I’m
> not sure where we really stand on the network flow vs. network
> connection issue.
>

All -

CybOX 2.1 had distinct Network Connection [0] and Network Flow [1]
objects. If you refer to their respective XSDs, you'll see that they
were *quite* different.

Refactoring the Network Connection object has long been in scope for
CybOX 3.0. At some point in the refactoring process, lightweight flow
elements were added to the Network Connection at the request of some
committee members.

While these flow elements address a useful subset of the use cases
targeted by the original CybOX 2.1 Network Flow object, they hardly
constitute a comprehensive replacement.

Rather than rename the Network Connection to Network Flow, I suggest
that we remove the flow elements from the current Network Connection
and aim for a properly scoped Network Flow object in CybOX 3.1.

[0]:
http://cybox.mitre.org/XMLSchema/objects/Network_Connection/2.1/Network_Connection_Object.xsd
[1]:
http://cybox.mitre.org/XMLSchema/objects/Network_Flow/2.1/Network_Flow_Object.xsd

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"There is absolutely no inevitability, so long as there is a
willingness to contemplate what is happening." --Alfred North
Whitehead
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
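The thread above turns on one design question: if flows and connections are separate object types, a pattern written against one silently misses observations recorded as the other; if they are one object type, flow summary fields have to be optional and an absent field must mean "not observed", not zero. The following Python is an added illustration written for this archive page; it is not CybOX schema code, and the object type names, property keys and the two-sensor scenario are hypothetical stand-ins chosen to make the point concrete.

```python
"""Toy observation store and pattern matcher (added example, not CybOX code).

Object type names ("network-connection", "network-flow") and property keys
are hypothetical; they only mirror the shape of the debate in the thread.
"""
from typing import Any, Callable, Dict, List, Tuple

Observation = Dict[str, Any]
# A pattern constrains one object type plus a set of property constraints.
# A constraint is either a literal (tested for equality) or an (op, value) pair.
Pattern = Tuple[str, Dict[str, Any]]

_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
}


def matches(pattern: Pattern, obs: Observation) -> bool:
    """True when the object type agrees and every constrained property holds."""
    obj_type, props = pattern
    if obs.get("type") != obj_type:
        return False
    for key, constraint in props.items():
        if key not in obs:
            # An absent property is unknown, not zero or false: a sensor that
            # never counted packets must not satisfy (or fail) a packet test.
            return False
        op, want = constraint if isinstance(constraint, tuple) else ("=", constraint)
        if not _OPS[op](obs[key], want):
            return False
    return True


def count_matches(pattern: Pattern, observations: List[Observation]) -> int:
    """Number of observations the pattern selects."""
    return sum(1 for o in observations if matches(pattern, o))


# Constructed sample: one TCP session seen by two sensors (an IDS that records
# the 5-tuple only, and a flow collector that also records counters and flags).
FIVE_TUPLE = dict(
    src_ref="10.0.0.5", dst_ref="203.0.113.9",
    src_port=51022, dst_port=8443, protocols=["tcp"],
)
FLOW_SUMMARY = dict(packet_count=312, byte_count=48210, tcp_flags="SPA")

# Two-type modelling (the CybOX 2.1 situation the thread describes): the IDS
# emits a network-connection, the flow collector emits a network-flow.
TWO_TYPE_WORLD: List[Observation] = [
    {"type": "network-connection", **FIVE_TUPLE},
    {"type": "network-flow", **FIVE_TUPLE, **FLOW_SUMMARY},
]

# One-type modelling (Jason's proposal): everything is a network-connection;
# the flow summary fields are optional and present only when observed.
ONE_TYPE_WORLD: List[Observation] = [
    {"type": "network-connection", **FIVE_TUPLE},
    {"type": "network-connection", **FIVE_TUPLE, **FLOW_SUMMARY},
]

# An analyst's pattern for "anything talking to port 8443", written both ways.
PORT_PATTERN_FLOW: Pattern = ("network-flow", {"dst_port": 8443})
PORT_PATTERN_CONN: Pattern = ("network-connection", {"dst_port": 8443})
# A pattern that genuinely needs flow data: a large transfer to that port.
BULK_PATTERN: Pattern = ("network-connection",
                         {"dst_port": 8443, "byte_count": (">=", 40000)})


if __name__ == "__main__":
    print("two types, flow pattern :", count_matches(PORT_PATTERN_FLOW, TWO_TYPE_WORLD))
    print("two types, conn pattern :", count_matches(PORT_PATTERN_CONN, TWO_TYPE_WORLD))
    print("one type,  conn pattern :", count_matches(PORT_PATTERN_CONN, ONE_TYPE_WORLD))
    print("one type,  bulk pattern :", count_matches(BULK_PATTERN, ONE_TYPE_WORLD))
```

Run as written, the two-type store answers the port question with 1 hit for either spelling of the pattern, so the analyst must author and maintain two patterns for one fact; the one-type store answers 2 for the same pattern. The bulk pattern still hits only the flow-collector record, because the IDS record carries no byte count and an absent counter is treated as unknown rather than as zero; that "absent means unobserved" rule is the caveat a single-object design has to state explicitly.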