As suggested by a community member, we should consider updating the existing Network Connection Object so that it is able to characterize properties common to all network connections, including the following:
Start time
End time
Duration = 13.293994
Protocol/Service = teredo
Src Hostname
Dst Hostname
Src IP address
Src port
Dst IP address
Dst port
Tx_bytes = 2359
Rx_bytes = 11243
Connection State = SF
Overall state
History = Dd
Tx_pkts = 12
Rx_pkts = 13
Tx_ip_bytes = 2695
Rx_ip_bytes = 11607
Source_ASN
Destination ASN
Source Country Code
Destination Country Code
Note: Do not specify Layer7_Connections within the Network_Connection object. Instead, use a "Contains" relationship (or extension) to represent encapsulated protocols such as HTTP. With this approach, any network protocol can be added to CybOX without having to update the Network_Connection object to specifically reference each new protocol.
In addition, it would be possible to represent SSL/TLS independently, without being concerned with the duality of its operation at both layer 5 (session) and layer 6 (presentation). An added advantage of this approach is that application protocols defined in CybOX such as HTTP can inherit general network connection properties (IP address and port, etc.). In addition, this Network_Connection object can represent both bi-directional and uni-directional connections.
Also, to avoid inconsistency and confusion, the application layer should be represented in one location, preferably as a field in the Network_Connection object (Layer7_Protocol) rather than in the Network_Flow object (SiLKRecordType:Flow_Application).
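The proposal above, modelled as an added Python sketch (not CybOX schema or CybOX project code): the connection carries only the common properties, encapsulated protocols hang off a "Contains" relationship, and a contained protocol inherits the connection's addresses and ports. The class, field and function names are hypothetical, and the sample addresses, ports and TLS/HTTP objects are constructed.

```python
from dataclasses import dataclass, field, asdict
from typing import Any, Dict, List, Optional

@dataclass
class ProtocolObject:  # hypothetical: one encapsulated protocol (HTTP, TLS, ...)
    name: str
    properties: Dict[str, Any] = field(default_factory=dict)
    contains: List["ProtocolObject"] = field(default_factory=list)

@dataclass
class NetworkConnection:  # hypothetical: only properties common to all connections
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    duration: float
    tx_bytes: int
    rx_bytes: int
    tx_pkts: int
    rx_pkts: int
    connection_state: str
    history: str
    layer7_protocol: Optional[str] = None  # the single place the app layer is named
    contains: List[ProtocolObject] = field(default_factory=list)
    def is_unidirectional(self) -> bool:
        return (self.tx_pkts == 0) != (self.rx_pkts == 0)  # exactly one direction

def find(children: List[ProtocolObject], name: str) -> Optional[ProtocolObject]:
    # Depth-first walk of the "Contains" relationship.
    for child in children:
        if child.name == name:
            return child
        hit = find(child.contains, name)
        if hit is not None:
            return hit
    return None

def effective_view(conn: NetworkConnection, name: str) -> Dict[str, Any]:
    # Contained protocol's own properties plus the inherited connection properties.
    proto = find(conn.contains, name)
    if proto is None:
        raise KeyError(name)
    common = {k: v for k, v in asdict(conn).items() if k != "contains"}
    return {**common, **proto.properties}

def sample_connection() -> NetworkConnection:
    # Constructed sample: counters reuse the figures listed above, the rest is made up.
    http = ProtocolObject("HTTP", {"method": "GET", "host": "example.test"})
    tls = ProtocolObject("TLS", {"version": "TLSv1.2"}, [http])
    return NetworkConnection("192.0.2.10", 49152, "198.51.100.20", 443, 13.293994,
                             2359, 11243, 12, 13, "SF", "Dd", "HTTP", [tls])
```

Appending a `ProtocolObject` for a protocol the model has never seen requires no change to `NetworkConnection`, which is the extensibility argument made in the note above.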