network_transport should be ip_protocol #76

Open
miwent opened this issue Mar 20, 2023 · 1 comment
miwent commented Mar 20, 2023

Describe the bug
The term network_transport is not always clear. This field is intended to identify the IP protocol identified in a network message; a more accurate and meaningful field name would be ip_protocol, with the numeric companion field ip_protocol_number.

@miwent miwent added schema Graylog Schema triaged labels Mar 20, 2023
miwent commented Mar 8, 2024

Looking at OCSF, there are four fields related to this in their network connection object:

  • protocol_ver: IP version
  • protocol_ver_id: IP version ID
  • protocol_name: Transport protocol name, udp, ip, etc.
  • protocol_num: IANA assigned protocol number

The parent object for these is connection_info, but we will only align with the OCSF fields and instead keep the parent object network leading to the flattened fields:

  • network_protocol_ver
  • network_protocol_ver_id
  • network_protocol_name
  • network_protocol_num

This will require lookups to map protocol_ver to protocol_ver_id and the inverse. There is an existing protocol name/num mapping that will support that mapping.

The processing pipelines, lookup data files, event definitions, indexing templates, and content pack files will have to be scanned for instances of the source fields and changes will have to be made to those fields.
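One way to carry out the rename and the two-way lookups described in the comment above, as an added Python example (not Graylog's pipeline code or anything from the project). The IANA subset, the OCSF protocol_ver_id values and the source_ip field name are assumptions; everything else follows the flattened field names proposed above.

```python
import ipaddress
from typing import Any, Optional

# Constructed subset of the IANA protocol-number registry; the existing Graylog
# name/num lookup table is assumed to be the real source of this mapping.
IANA_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp",
                  51: "ah", 58: "ipv6-icmp", 132: "sctp"}
PROTOCOL_NUMBERS = {name: num for num, name in IANA_PROTOCOLS.items()}

# OCSF protocol_ver_id values as assumed here: 0 unknown, 4 IPv4, 6 IPv6.
VERSION_IDS = {"ipv4": 4, "ipv6": 6}


def normalize_protocol(value: Any) -> dict:
    """Map a legacy network_transport value (name or number, any case) to the
    flattened name/num pair, resolving the missing half through the lookup."""
    out: dict = {"network_protocol_name": None, "network_protocol_num": None}
    if value is None:
        return out
    text = str(value).strip().lower()
    if text.isdigit():                      # numeric: resolve the name from the IANA number
        out["network_protocol_num"] = int(text)
        out["network_protocol_name"] = IANA_PROTOCOLS.get(int(text))
    else:                                   # name: keep it, resolve the number if known
        out["network_protocol_name"] = text
        out["network_protocol_num"] = PROTOCOL_NUMBERS.get(text)
    return out


def normalize_version(addr: Optional[str]) -> dict:
    """Derive network_protocol_ver / _ver_id from an IP address string; an
    absent or unparsable address yields 'unknown' / 0 rather than failing."""
    try:
        ver = "ipv%d" % ipaddress.ip_address(addr).version
    except (ValueError, TypeError):
        return {"network_protocol_ver": "unknown", "network_protocol_ver_id": 0}
    return {"network_protocol_ver": ver, "network_protocol_ver_id": VERSION_IDS[ver]}


def migrate_event(event: dict) -> dict:
    """Return a copy of one event with network_transport replaced by the four
    OCSF-aligned fields; source_ip is an assumed name for the address field."""
    new = dict(event)
    new.update(normalize_protocol(new.pop("network_transport", None)))
    new.update(normalize_version(new.get("source_ip")))
    return new
```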

@miwent miwent self-assigned this Mar 8, 2024