Open mosajjal opened 3 weeks ago
Interesting idea - given packet data could be quite varied, do you have any thoughts on what a packet object might entail?
Thanks for the reply. I manage gopacket, and in there there are quite a few layer 7 connections that are getting parsed: SIP, TLS, SSH, etc. that we can take a look at for a start.
OCSF already has "network connection" metadata as a field, so I don't see the point of adding lower-level packet info beyond that. I'm mostly interested in adding the higher-level protocols such as TLS handshake, SSH client/server connections, etc.
Hi,
There are some tools offering a JSON or otherwise parsed representation of network packet data (tshark, for example). Is there any appetite to come up with a standard schema for network packets in OCSF?
I can see it being very useful to store TLS handshake information, RDP sessions and other high-value connection information (just like DNS, which is available in OCSF today).
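To make the "what would a packet object entail" question concrete for the TLS handshake case raised in this thread, here is an added example that is not part of the issue, OCSF, gopacket or tshark. It builds a minimal ClientHello record itself (constructed input, so it runs offline), walks the record, handshake header, cipher suite list and extensions, and emits a dict in the shape a schema object might take. The field names under `tls` (`version`, `sni`, `cipher_suites`, `extension_list`, `handshake_type`) are assumptions for illustration and should be checked against the actual OCSF `tls` object before being adopted.

```python
"""Parse a TLS ClientHello record into an OCSF-style JSON object.

Added example, not code from OCSF, gopacket or tshark. The output field
names under "tls" are assumed for illustration only.
"""
import json
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
HS_CLIENT_HELLO = 0x01        # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000      # SNI extension
EXT_SUPPORTED_VERSIONS = 0x002B

VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def build_client_hello(sni: str, cipher_suites, supported_versions) -> bytes:
    """Build a minimal TLS record carrying a ClientHello (constructed sample input)."""
    sni_bytes = sni.encode()
    name_entry = b"\x00" + struct.pack("!H", len(sni_bytes)) + sni_bytes      # host_name type + name
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(name_entry) + 2)
               + struct.pack("!H", len(name_entry)) + name_entry)
    vers = b"".join(struct.pack("!H", v) for v in supported_versions)
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    exts = sni_ext + sv_ext
    body = (
        struct.pack("!H", 0x0303)                       # legacy_version
        + bytes(32)                                     # client random (zeros in this sample)
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                   # compression methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Walk a TLS record and return a dict shaped like an OCSF-style tls object (assumed field names)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")   # refuse to emit partial fields
    off = 0
    legacy_version = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    off += 32                                         # skip client random
    sid_len = body[off]; off += 1 + sid_len           # skip legacy session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = body[off]; off += 1 + comp_len         # skip compression methods
    ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    ext_end = off + ext_len
    sni, versions, ext_types = None, [], []
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
        data = body[off:off + elen]; off += elen
        ext_types.append(etype)
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            # server_name_list: list len (2), name_type (1), name len (2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            n = data[0]
            versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    # Report the highest offered version; legacy_version alone understates TLS 1.3 clients.
    top = max(versions) if versions else legacy_version
    return {
        "tls": {
            "version": VERSION_NAMES.get(top, f"0x{top:04x}"),
            "sni": sni,
            "cipher_suites": [f"0x{c:04x}" for c in cipher_suites],
            "extension_list": ext_types,
            "handshake_type": "client_hello",
        }
    }


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])
    print(json.dumps(parse_client_hello(rec), indent=2))
```

The parser deliberately rejects a truncated handshake rather than emitting whatever fields it managed to read, which matters for a schema consumer that will treat a missing SNI or cipher list as a signal in its own right.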