A question.... a network connection is a communication relationship between an initiator and a recipient. The initiator service opens
a network connection and is given a source port sends traffic from an IP address to the recipient. The recipient service has separately created a listening port bound to one or more IP addresses on the listening device. The network connection is a connection
between those two items at a particular time.
My question is… shouldn’t we represent a network connection as an initiator endpoint object and a recipient endpoint object and a connection
object showing the communication between them as a connection between the IP/port combinations at either end?
In other words:
Initiating Service resides at 172.16.12.34 on TCP Port 24356,
Recipient Service resides at 10.16.1.44 on TCP Port 80,
Network connection is communication at a particular time between these two services.
This is slightly different to the proposal
https://docs.google.com/document/d/1k5cZiiOgo4WjXN2GLRZ0-1vO8wstKnPZLbjwlb23Hkg/edit#, as it would treat the endpoints as separate things, and would relate the two entities together independently
"objects": [
{
"id": "object--1",
"type": "NetworkConnection",
"service": "tcp",
"start_time": "Jan 4, 2015 10:00",
"end_time": "Jan 4, 2015 10:15",
"extended-properties": {
"state": {
"connection_state": "sf",
"overall_state": "established"
},
"packet": {
"initiator_packets": 14356,
"recipient_packets": 14326
"initiator_bytes": 35779,
"recipient_bytes": 935750,
}
}
},
{
"id": "object--2",
"type": "NetworkedService",
"extended-properties": {
"ipv4": {
"address": "172.16.12.34"
}
"tcp": {
"port": "24356"
}
},
{
"id": "object--3",
"type": " NetworkedService",
"extended-properties": {
"ipv4": {
"address": "10.16.1.44"
},
"tcp": {
"port": "80"
}
}
}
],
"relationships": [
{
"id": "relationship--1",
"type": "relationship",
"from": "object--1",
"to": "object--2",
"relationship_value": "initiated_connection_from"
},
{
"id": "relationship--2",
"type": "relationship",
"from": "object--1",
"to": "object--3",
"relationship_value": "received_connection_on"
}
]
}
Comments?
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 |
terry@soltra.com
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
On Behalf Of Kirillov, Ivan A.
Sent: Tuesday, 16 February 2016 11:09 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] Network Connection Object Refactoring
Sure, here it is: https://docs.google.com/document/d/1k5cZiiOgo4WjXN2GLRZ0-1vO8wstKnPZLbjwlb23Hkg/edit?usp=sharing
Please add any comments there; I know I definitely missed some as you had mentioned. Oh, and pardon any formatting issues - this was a direct copy of the rendered
markdown.
Regards,
Ivan
From:
Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, February 15, 2016 at 4:55 PM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Network Connection Object Refactoring
There was a substantial amount of feedback on this proposal on Slack a few weeks ago... many of which aren't captured.
Can this be re-posted somewhere we can comment directly on it, such as Google Docs? It would greatly help the discussion.
I don't really want to re-hash all of my slack chat comments over email (or on the phone)... but I can do that if needed...
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security |
www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Kirillov,
Ivan A." ---02/15/2016 05:35:27 PM---All, Here is a community contributed proposal around refactoring the Network Connection Object and r
From:
"Kirillov, Ivan A." <ikirillov@mitre.org>
To:
"cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date:
02/15/2016 05:35 PM
Subject:
[cti-cybox] Network Connection Object Refactoring
Sent by:
<cti-cybox@lists.oasis-open.org>
All,
Here is a community contributed proposal around refactoring the Network Connection Object and related Objects:
https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-Network-Connection-Object-Refactoring
The main points around this refactoring are:
-
The hierarchy around Network Objects would be replaced with an extension-based approach (as with the File Object) that revolves around the “base” Network Connection Object
-
A base set of properties common to all network connections would be defined
-
Existing layer 7 Objects (HTTP Session and DNS Query) would be become extensions
-
The Network Flow Object would likely be split up into its components (e.g, YAF log, Netflow log, etc.), each of which would be an extension
-
New extensions for common Network Connection properties, e.g., port, state and packet statistics, would be added
-
Connections to destination/source IP addresses would be defined via relationships
-
The existing Socket Address Object would be deprecated, as given the specification of IP addresses via relationships and the new port Network Connection Object extension it will no longer be necessary
We plan on discussing this (at least these high-level points) during tomorrow’s working session.
Regards,
Ivan