Skip to content

Proposal: Add Hostname choice to Socket_Address Object to enable specifying Hostnames within Network_Connections

Jump to bottom Edit New page
Ivan Kirillov edited this page Jan 8, 2014 · 8 revisions

Status: Closed
Comment Period Closes: 01/02/2014
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/28

Background Information

This proposal concerns the ability to characterize either end of a network connection using a Hostname rather than or in addition to an address. CybOX currently lacks any such capability.

Proposal

Create a new Hostname Object with a Hostname_Value element for capturing the hostname, a Naming_System element for specifying the relevant naming system (DNS, NIS, NetBIOS, etc.), and an is_domain_name attribute for specifying if the hostname in the Hostname_Value field is also a domain name.

Add a new Choice structure to SocketAddressObjectType, move the IP_Address element under this new Choice and add a new Hostname element of HostnameObjectType under this new Choice.

The new HostnameObjectType makes the addition to SocketAddressObjectType well-structured and may be useful in other constructs in addition to providing an ability to specify an atomic Hostname on its own.

The addition of the new Choice and Hostname element to Socket_Address will enable flexibility to specify any network Socket_Address as either an IP_Address/Port pair or a Hostname/Port pair. It will also enable the specification of just an IP_Address, just a Hostname or just a Port. This change to Socket_Address would indirectly enable the specification of either end of a network connection in Network_Connection_Object using either an IP_Address or a Hostname (including Domain names that are also host names).

An example of a simple network connection using the current address capability could look like the following:

<cybox:Observable>
	<cybox:Object>
            <cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
                <NetworkConnectionObj:Destination_Socket_Address>
                    <SocketAddressObj:IP_Address category="ipv4-addr">
                        <AddressObj:Address_Value>198.49.123.10</AddressObj:Address_Value>
                    </SocketAddressObj:IP_Address>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>80</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Destination_Socket_Address>
            </cybox:Properties>
        </cybox:Object>
</cybox:Observable>

An example of a simple network connection using just the proposed added hostname capability could look like the following:

<cybox:Observable>
	<cybox:Object id="example:Object-54400c36-5038-478b-bffe-808c40b2f04e">
            <cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
                <NetworkConnectionObj:Destination_Socket_Address>
                    <SocketAddressObj:Hostname>
                        <HostnameObj:Hostname_Value>foo.acme.com</HostnameObj:Hostname_Value>
                        <HostnameObj:Naming_System>DNS</HostnameObj:Naming_System>
                    </SocketAddressObj:Hostname>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>80</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Destination_Socket_Address>
            </cybox:Properties>
        </cybox:Object>
</cybox:Observable>

An example of a more detailed network connection specifying a source host using an Hostname and a destination host using an IP address could look like the following:

<cybox:Observable>
	<cybox:Object>
            <cybox:Properties xsi:type="NetworkConnectionObj:NetworkConnectionObjectType">
                <NetworkConnectionObj:Layer3_Protocol datatype="string">IPv4</NetworkConnectionObj:Layer3_Protocol>
                <NetworkConnectionObj:Layer4_Protocol datatype="string">TCP</NetworkConnectionObj:Layer4_Protocol>

                <NetworkConnectionObj:Source_Socket_Address>
                    <SocketAddressObj:Hostname>
                        <HostnameObj:Hostname_Value>jsmithlaptop.acme.com</HostnameObj:Hostname_Value>
			<HostnameObj:Naming_System>DNS</HostnameObj:Naming_System>
                    </SocketAddressObj:Hostname>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>5525</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Source_Socket_Address>

                <NetworkConnectionObj:Destination_Socket_Address>
                    <SocketAddressObj:IP_Address category="ipv4-addr">
                        <AddressObj:Address_Value>198.49.123.10</AddressObj:Address_Value>
                    </SocketAddressObj:IP_Address>
                    <SocketAddressObj:Port>
                        <PortObj:Port_Value>80</PortObj:Port_Value>
                    </SocketAddressObj:Port>
                </NetworkConnectionObj:Destination_Socket_Address>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>

Impact

There is no expected compatibility impact. These changes record additional information beyond what was possible to represent in previous versions of CybOX. Because the fields are optional, both producers and consumers who are not interested in the information contained in this field may ignore it.

Requested Feedback

  1. Is there value in adding a new Hostname Object?
  2. Is the set of fields outlined for the Hostname Object adequate?
  3. Is there value in adding the capability to specify hostnames for either end of a network connection?
  4. Are there any issues with modifying Socket_Address to use a Choice between IP_Address or Hostname?
  5. Are these modifications to Socket_Address adequate for the stated purpose?
Add a custom footer
Add a custom sidebar
Clone this wiki locally