OASIS Mailing List Archives

cti-cybox message



Subject: RE: [Non-DoD Source] Re: [cti-cybox] Network Connection Object Refactoring


Here are suggested changes to the Network_Connection object refactoring that I have seen:

1) Rather than have Source_Country_Code and Destination_Country_Code as an extension, create a top-level Location Object to capture such information for any object.

2) Rename the Tx_Bytes and Rx_Bytes elements to Source_Bytes and Destination_Bytes.

3) Treat most traits as extensions, including port and ICMP type/code to avoid confusion over what defines a “basic” attribute and to allow flexibility to support any network protocol.

4) Provide examples of Layers 1 and 2 being represented by the refactored Network_Connection object.

5) The refactored Network_Connection object must be able to represent a network connection at any layer, and must be able to support protocols such as TCP/IP which do not strictly follow separation of Layers 3 and 4.


Eoghan Casey
Chief Scientist
Defense Cyber Crime Center (DC3) 
410-694-4329
Eoghan.Casey@dc3.mil

-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Monday, February 15, 2016 6:56 PM
To: Kirillov, Ivan A.
Cc: cti-cybox@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-cybox] Network Connection Object Refactoring

There was a substantial amount of feedback on this proposal on Slack a few weeks ago... much of which isn't captured.

Can this be re-posted somewhere we can comment directly on it, such as Google Docs? It would greatly help the discussion. 

I don't really want to re-hash all of my Slack chat comments over email (or on the phone)... but I can do that if needed...

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 



From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 02/15/2016 05:35 PM
Subject: [cti-cybox] Network Connection Object Refactoring
Sent by: <cti-cybox@lists.oasis-open.org>

________________________________




All,

Here is a community contributed proposal around refactoring the Network Connection Object and related Objects: https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-Network-Connection-Object-Refactoring

The main points around this refactoring are:

	1.	The hierarchy around Network Objects would be replaced with an extension-based approach (as with the File Object) that revolves around the “base” Network Connection Object 

			1.	A base set of properties common to all network connections would be defined
			2.	Existing layer 7 Objects (HTTP Session and DNS Query) would become extensions
			3.	The Network Flow Object would likely be split up into its components (e.g., YAF log, Netflow log, etc.), each of which would be an extension
			4.	New extensions for common Network Connection properties, e.g., port, state and packet statistics, would be added

	2.	Connections to destination/source IP addresses would be defined via relationships
	3.	The existing Socket Address Object would be deprecated, as given the specification of IP addresses via relationships and the new port Network Connection Object extension it will no longer be necessary

We plan on discussing this (at least these high-level points) during tomorrow’s working session. 

Regards,
Ivan




