CybOXProject / schemas

CybOX Schemas and Schema Development

Add Quasi-Structured Ability to Capture Abstract Layer 7 Protocol Traffic to Network Connection Object #113

Open ikiril01 opened 10 years ago

ikiril01 commented 10 years ago

Currently we support detailed capture of HTTP and DNS traffic in the Network Connection Object, but no others. It may be useful to add a generic MessageType under Layer7_Connections that captures some snippet of the traffic, the type of Message sent, and the Protocol being used.

ikiril01 commented 10 years ago

We could also add a generic ProtocolType, ProtocolMessageType, and ProtocolSessionType:

ProtocolType:
* Server_Name (String; the name of the server that is being interacted with)
* Version (String; the version of the protocol)

ProtocolMessageType:
* Message_Type (String; a subdivision of Protocol Message based on protocol layer)
* Sequence_Number (NonNegativeInteger; an ordinal number identifying the relative location of a Protocol Message within a Protocol Session.)

ProtocolSessionType:
* Message_Count (PositiveInteger; the total number of Protocol Messages within the protocol session.)
* Access_Point (String; the address of an abstract device, such as a program, function, or protocol, that implements the services for a particular Network Protocol layer on a single device during a Protocol Session.)
* Access_Point_Type (String; a subdivision of Protocol Session Access Point based on whether the address denotes a process or a physical device.)

bworrell commented 9 years ago

Related to #37

bworrell commented 9 years ago

Add a Generic_Connection extension point to Layer7ConnectionType alongside HTTP_Session and DNS_Query

ikiril01 commented 9 years ago

The question that this really boils down to is: should CybOX support such an intermediate representation of network traffic (i.e. for supporting protocols that don't have existing objects or potentially new protocols down the road), or should it instead have discrete objects associated with each particular protocol (as in #37)?

athiasjerome commented 9 years ago

Recommend investigating the PCAP format.

ikiril01 commented 9 years ago

@athiasjerome that's probably worthwhile, agreed. Also, as far as additional context, this was suggested by a community member as a possible alternative for characterizing basic aspects of layer 7 traffic without needing to construct the full CybOX Object for each protocol (as in #37). This would be useful for capturing Observables related to such traffic, including that which may be generated by malware (i.e. in MAEC), and accordingly indicators that may be associated with it (i.e. in STIX).

LOE: Medium
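To make the proposal in this thread concrete, here is an added example (not code from the CybOX project or from anyone in the thread) that reduces a constructed SMTP exchange, a protocol with no dedicated CybOX Layer 7 object, to the quasi-structured ProtocolType / ProtocolMessageType / ProtocolSessionType fields proposed above and emits it under a hypothetical Generic_Connection element. The element and attribute names, the "Command"/"Reply" message types, and the "tcp/25" access point are assumptions, not part of any released schema.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
# Constructed sample input: an SMTP exchange with C:/S: direction markers.
SAMPLE_SMTP = """\
S: 220 mail.example.test ESMTP ready
C: EHLO client.example.test
S: 250 OK
C: MAIL FROM:<alice@example.test>
S: 250 OK
C: QUIT"""

@dataclass
class ProtocolMessage:  # mirrors the proposed ProtocolMessageType
    message_type: str  # "Command" (client->server) or "Reply" (server->client); assumed values
    sequence_number: int  # ordinal position within the session
    snippet: str  # the captured traffic fragment

@dataclass
class ProtocolSession:  # mirrors the proposed ProtocolType and ProtocolSessionType
    protocol: str
    version: str
    server_name: str
    access_point: str
    access_point_type: str
    messages: list = field(default_factory=list)

def parse_smtp_capture(raw, server_name, access_point):
    """Reduce a raw SMTP exchange to the quasi-structured session form."""
    session = ProtocolSession("SMTP", "ESMTP", server_name, access_point, "Process")
    for seq, line in enumerate(raw.splitlines(), start=1):
        direction, _, text = line.partition(": ")
        kind = "Command" if direction == "C" else "Reply"
        session.messages.append(ProtocolMessage(kind, seq, text.strip()))
    return session
def to_generic_connection_xml(session):
    """Serialise as a hypothetical Generic_Connection element (not a real CybOX schema)."""
    root = ET.Element("Generic_Connection")
    proto = ET.SubElement(root, "Protocol")
    ET.SubElement(proto, "Server_Name").text = session.server_name
    ET.SubElement(proto, "Version").text = session.version
    sess = ET.SubElement(root, "Protocol_Session")
    ET.SubElement(sess, "Message_Count").text = str(len(session.messages))
    ET.SubElement(sess, "Access_Point").text = session.access_point
    ET.SubElement(sess, "Access_Point_Type").text = session.access_point_type
    for m in session.messages:
        msg = ET.SubElement(sess, "Protocol_Message", Sequence_Number=str(m.sequence_number))
        ET.SubElement(msg, "Message_Type").text = m.message_type
        ET.SubElement(msg, "Snippet").text = m.snippet
    return ET.tostring(root, encoding="unicode")
```

The same reduction applies to any line-oriented request/reply protocol; only the direction detection and the message-type labels would change per protocol.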