Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Network packet schema #1240

Open
mosajjal opened this issue Nov 2, 2024 · 2 comments
Open

Network packet schema #1240

mosajjal opened this issue Nov 2, 2024 · 2 comments

Comments

@mosajjal
Copy link

mosajjal commented Nov 2, 2024

Hi,

there are some tools offering a JSON or otherwise parsed representation of network packet data (tshark for example). is there any appetite to come up with a standard schema for network packets in OCSF?

I can see it being very useful to store TLS handshake information, RDP sessions and other high-value connection information (just like DNS which is available in OCSF today)
@pagbabian-splunk
Copy link
Contributor

Interesting idea - given packet data could be quite varied, do you have any thoughts on what an packet object might entail?

@mosajjal
Copy link
Author

mosajjal commented Nov 5, 2024
edited
Loading

Thanks for the reply. I manage gopacket, and in there there are quite a few layer 7 connections that are getting parsed. SIP, TLS, SSH, etc. that we can take a look at for start.

OCSF already has "network connection" metadata as a field so I don't see the point of adding lower level packet info beyond that. I'm mostly interested in adding the higher level protocols such as TLS Handshake, SSH client/server connections etc.

@mosajjal mosajjal mentioned this issue Nov 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mosajjal @pagbabian-splunk