[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti-cybox] Network Connection Object Refactoring
Hi, I agree with Terry. The interlinking of the relationship below seems to remove the point that the two IP addresses and ports are linked at a specific time.

The design below would call for the creation of three objects and then have to build the relationships between them. Is there any reason why you couldn't have a "transport" object of some type which could capture the src IP, src port, dest IP and dest port into the one object, and then link that transport object to a broader network object via a relationship? You could then add all of your session information, like packet count and bytes transferred, to that object. The two network service objects just seem to be dangling there, and potentially within a CTI would be listed as two specific observables, which doesn't convey much meaning by itself.

Regards,
Dean

From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
On Behalf Of Terry MacDonald

A question.... A network connection is a communication relationship between an initiator and a recipient. The initiator service opens a network connection, is given a source port, and sends traffic from an IP address to the recipient. The recipient service has separately created a listening port bound to one or more IP addresses on the listening device. The network connection is a connection between those two items at a particular time.

My question is: shouldn't we represent a network connection as an initiator endpoint object, a recipient endpoint object, and a connection object showing the communication between them as a connection between the IP/port combinations at either end? In other words:

  Initiating Service resides at 172.16.12.34 on TCP Port 24356
  Recipient Service resides at 10.16.1.44 on TCP Port 80
  Network connection is communication at a particular time between these two services

This is slightly different to the proposal https://docs.google.com/document/d/1k5cZiiOgo4WjXN2GLRZ0-1vO8wstKnPZLbjwlb23Hkg/edit#, as it would treat the endpoints as separate things, and would relate the two entities together independently:

  {
    "objects": [
      {
        "id": "object--1",
        "type": "NetworkConnection",
        "service": "tcp",
        "start_time": "Jan 4, 2015 10:00",
        "end_time": "Jan 4, 2015 10:15",
        "extended-properties": {
          "state": {
            "connection_state": "sf",
            "overall_state": "established"
          },
          "packet": {
            "initiator_packets": 14356,
            "recipient_packets": 14326,
            "initiator_bytes": 35779,
            "recipient_bytes": 935750
          }
        }
      },
      {
        "id": "object--2",
        "type": "NetworkedService",
        "extended-properties": {
          "ipv4": { "address": "172.16.12.34" },
          "tcp": { "port": "24356" }
        }
      },
      {
        "id": "object--3",
        "type": "NetworkedService",
        "extended-properties": {
          "ipv4": { "address": "10.16.1.44" },
          "tcp": { "port": "80" }
        }
      }
    ],
    "relationships": [
      {
        "id": "relationship--1",
        "type": "relationship",
        "from": "object--1",
        "to": "object--2",
        "relationship_value": "initiated_connection_from"
      },
      {
        "id": "relationship--2",
        "type": "relationship",
        "from": "object--1",
        "to": "object--3",
        "relationship_value": "received_connection_on"
      }
    ]
  }

Comments?

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com

From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org]
On Behalf Of Kirillov, Ivan A.

Sure, here it is: https://docs.google.com/document/d/1k5cZiiOgo4WjXN2GLRZ0-1vO8wstKnPZLbjwlb23Hkg/edit?usp=sharing

Please add any comments there; I know I definitely missed some, as you had mentioned. Oh, and pardon any formatting issues - this was a direct copy of the rendered markdown.

Regards,
Ivan

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>

There was a substantial amount of feedback on this proposal on Slack a few weeks ago... much of which isn't captured.
We plan on discussing this (at least these high-level points) during tomorrow’s working session.
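The object-plus-relationships layout Terry proposes above, as an added example that is not code from this thread, from CybOX or from the linked proposal: a small Python script that loads a bundle in that shape (the thread's JSON with its syntax repaired, plus a constructed extra NetworkedService, object--4, that nothing references), resolves a NetworkConnection to its 5-tuple and time window by following the two relationships, and lists service objects that no relationship points at, which is the "dangling" case Dean's reply raises. The function names, the timestamp format, the udp fallback and object--4 are assumptions of this example, not part of the proposal.

```python
import json
from datetime import datetime

# Constructed sample bundle: the thread's JSON with its syntax repaired, plus
# object--4, an extra NetworkedService that no relationship refers to, added
# here so the dangling-object check below has something to find.
BUNDLE_JSON = r'''{
  "objects": [
    {"id": "object--1", "type": "NetworkConnection", "service": "tcp",
     "start_time": "Jan 4, 2015 10:00", "end_time": "Jan 4, 2015 10:15",
     "extended-properties": {
       "state": {"connection_state": "sf", "overall_state": "established"},
       "packet": {"initiator_packets": 14356, "recipient_packets": 14326,
                  "initiator_bytes": 35779, "recipient_bytes": 935750}}},
    {"id": "object--2", "type": "NetworkedService",
     "extended-properties": {"ipv4": {"address": "172.16.12.34"}, "tcp": {"port": "24356"}}},
    {"id": "object--3", "type": "NetworkedService",
     "extended-properties": {"ipv4": {"address": "10.16.1.44"}, "tcp": {"port": "80"}}},
    {"id": "object--4", "type": "NetworkedService",
     "extended-properties": {"ipv4": {"address": "10.16.1.45"}, "tcp": {"port": "443"}}}
  ],
  "relationships": [
    {"id": "relationship--1", "type": "relationship", "from": "object--1",
     "to": "object--2", "relationship_value": "initiated_connection_from"},
    {"id": "relationship--2", "type": "relationship", "from": "object--1",
     "to": "object--3", "relationship_value": "received_connection_on"}
  ]
}'''

# Layout of the sample's timestamps ("Jan 4, 2015 10:00"). An assumption of
# this example: the proposal does not fix a time format.
TIME_FMT = "%b %d, %Y %H:%M"


def load_bundle(text):
    """Parse a bundle and index its objects by id."""
    raw = json.loads(text)
    return {"objects": {o["id"]: o for o in raw["objects"]},
            "relationships": raw["relationships"]}


def endpoint(obj):
    """(ip, port) of a NetworkedService; the sample stores the port as a string."""
    if obj["type"] != "NetworkedService":
        raise ValueError("%s is a %s, not a NetworkedService" % (obj["id"], obj["type"]))
    props = obj["extended-properties"]
    for proto in ("tcp", "udp"):   # the proposal only shows tcp; udp is an assumption
        if proto in props:
            return props["ipv4"]["address"], int(props[proto]["port"])
    raise ValueError("%s carries no transport port" % obj["id"])


def resolve_connection(bundle, conn_id):
    """Follow a NetworkConnection's relationships to both endpoints and return
    one flat record (5-tuple, time window, duration). Raises if either end is
    missing: in the graph layout a connection cannot be interpreted without
    both of its services, so a consumer has to check for that explicitly."""
    conn = bundle["objects"][conn_id]
    if conn["type"] != "NetworkConnection":
        raise ValueError("%s is not a NetworkConnection" % conn_id)
    ends = {}
    for rel in bundle["relationships"]:
        if rel["from"] != conn_id:
            continue
        if rel["relationship_value"] == "initiated_connection_from":
            ends["src"] = endpoint(bundle["objects"][rel["to"]])
        elif rel["relationship_value"] == "received_connection_on":
            ends["dst"] = endpoint(bundle["objects"][rel["to"]])
    missing = sorted({"src", "dst"} - set(ends))
    if missing:
        raise ValueError("%s lacks endpoint(s): %s" % (conn_id, missing))
    start = datetime.strptime(conn["start_time"], TIME_FMT)
    end = datetime.strptime(conn["end_time"], TIME_FMT)
    return {"proto": conn["service"],
            "src_ip": ends["src"][0], "src_port": ends["src"][1],
            "dst_ip": ends["dst"][0], "dst_port": ends["dst"][1],
            "start": start, "end": end,
            "duration_s": int((end - start).total_seconds())}


def dangling_services(bundle):
    """Ids of NetworkedService objects no relationship touches: on their own
    they are just an IP/port pair and say nothing about any connection."""
    rels = bundle["relationships"]
    linked = {r["from"] for r in rels} | {r["to"] for r in rels}
    return sorted(oid for oid, o in bundle["objects"].items()
                  if o["type"] == "NetworkedService" and oid not in linked)


if __name__ == "__main__":
    b = load_bundle(BUNDLE_JSON)
    print(resolve_connection(b, "object--1"))
    print("dangling:", dangling_services(b))
```

Run as-is it prints the flattened connection record for object--1 and reports object--4 as dangling. The record resolve_connection returns is exactly the single "transport" view Dean asks for; the difference between the two designs is whether a consumer has to reconstruct it by walking relationships, and what it does when one of the two endpoint objects is absent.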