Network Connection Object Enhancement
ikiril01 opened this issue · 0 comments
As suggested by a community member, we should consider updating the existing Network Connection Object so that it is able to characterize properties common to all network connections, including the following:
- Start time
- End time
- Duration = 13.293994
- Protocol/Service = teredo
- Src Hostname
- Dst Hostname
- Src IP address
- Src port
- Dst IP address
- Dst port
- Tx_bytes = 2359
- Rx_bytes = 11243
- Connection State = SF
- Overall state
- History = Dd
- Tx_pkts = 12
- Rx_pkts = 13
- Tx_ip_bytes = 2695
- Rx_ip_bytes = 11607
- Source_ASN
- Destination ASN
- Source Country Code
- Destination Country Code
Note: Do not specify Layer7_Connections within the Network_Connection object. Instead, use a "Contains" relationship (or extension) to represent encapsulated protocols such as HTTP. With this approach, any network protocol can be added to CybOX without having to update the Network_Connection object to specifically reference each new protocol.
In addition, it would be possible to represent SSL/TLS independently, without being concerned with the duality of its operation at both layer 5 (session) and layer 6 (presentation). An added advantage of this approach is that application protocols defined in CybOX, such as HTTP, can inherit general network connection properties (IP addresses, ports, etc.) from the enclosing connection rather than duplicating them. In addition, this Network_Connection object can represent both bi-directional and uni-directional connections.
Also, to avoid inconsistency and confusion, the application layer should be represented in one location, preferably as a field in the Network_Connection object (Layer7_Protocol) rather than in the Network_Flow object (SiLKRecordType:Flow_Application).
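To make the proposed structure concrete, here is an added example (not CybOX code, and not from this issue's author) modelling the connection properties listed above with a "Contains" relationship for encapsulated layer-7 protocols. The class and field names, the timestamps, and the addresses are constructed assumptions; the byte, packet, state and history values are the sample values quoted in the list.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Layer7Protocol:
    """Encapsulated application protocol (e.g. HTTP) attached via 'Contains'.
    It carries no addresses or ports of its own: it inherits them from the connection."""
    name: str
    properties: dict = field(default_factory=dict)

@dataclass
class NetworkConnection:
    """Hypothetical model of the proposed Network_Connection object."""
    start_time: datetime
    end_time: Optional[datetime]
    protocol_service: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tx_bytes: int = 0
    rx_bytes: int = 0
    tx_pkts: int = 0
    rx_pkts: int = 0
    connection_state: str = ""
    history: str = ""
    contains: List[Layer7Protocol] = field(default_factory=list)

    def duration(self) -> Optional[float]:
        """Seconds between start and end; None while the connection is still open."""
        if self.end_time is None:
            return None
        return (self.end_time - self.start_time).total_seconds()

    def is_bidirectional(self) -> bool:
        """Both sides sent packets; otherwise uni-directional (e.g. a one-way UDP stream)."""
        return self.tx_pkts > 0 and self.rx_pkts > 0

    def five_tuple(self):
        """Endpoint properties every contained layer-7 object inherits."""
        return (self.protocol_service, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

def build_sample() -> NetworkConnection:
    # Constructed record: timestamps and addresses are made up, counters come from the issue.
    start = datetime(2013, 1, 1, 12, 0, 0)
    conn = NetworkConnection(start, start + timedelta(seconds=13.293994), "teredo",
                             "10.0.0.5", 54321, "192.0.2.1", 3544, tx_bytes=2359, rx_bytes=11243,
                             tx_pkts=12, rx_pkts=13, connection_state="SF", history="Dd")
    conn.contains.append(Layer7Protocol("HTTP", {"method": "GET", "uri": "/"}))  # 'Contains' link
    return conn
```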