
Identify transport protocol

Aim:

Specify the transport protocol used in Service regardless of the application protocol.

Although IDMEF already has many fields to describe protocols using IANA dictionaries, it seems that IDMEF does not have any field that directly describes the transport protocol.

YV: Already over-present: iana_protocol_number, iana_protocol_name, name, port.

SM: I may be wrong, but only the applicative protocol is represented. We cannot differentiate HTTP over UDP from HTTP over TCP (I know this is a bad example, since HTTP is always over TCP, but I didn't find another one).

GH: DNS could be a better example. I think I remember Hervé mentioning we could specify the port in the format: TCP:53 or UDP:53. This would avoid adding another dedicated field, but we should make sure that the current RFC makes it possible and above all we should write a tutorial on this topic. I personally prefer to use a dedicated field (I prefer the most "atomic" and homogeneous fields possible).

YV: TCP and UDP are part of the IANA protocols. Their natural place is thus iana_protocol_number and iana_protocol_name. See http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Solution 1:

Add a field transport_protocol in Service Class

Impacted Class | Proposed Field     | Type
Service        | transport_protocol | enumeration (one of): ATP, CUDP, DCCP, FCP, IL, MPTCP, RDP, RUDP, SCTP, SPX, SST, TCP, UDP, UDP Lite, µTP

Pros

Cons

  • This field is not clearly defined. We must pay attention to ambiguity.

Solution 2:

  • Specify the port in the format: TCP:53 or UDP:53

Pros

  • Nothing to change in IDMEF

Cons

  • Attention to backwards compatibility
  • Needs to be clearly defined.
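As an added illustration (not code from the original page or from the IDMEF project), a small Python parser for the TCP:53 / UDP:53 form of Solution 2. It follows YV's suggestion of putting the transport into iana_protocol_number / iana_protocol_name, and keeps accepting a bare port (the legacy form) to address the backwards-compatibility concern; the function and table names are my own.

```python
import re
from typing import Dict

# Subset of the IANA "Assigned Internet Protocol Numbers" registry that YV
# links to; only the transports relevant to this discussion are listed.
IANA_PROTOCOL_NUMBERS: Dict[str, int] = {
    "tcp": 6,
    "udp": 17,
    "dccp": 33,
    "sctp": 132,
    "udplite": 136,
}

# Optional "<transport>:" prefix followed by a decimal port.
_PORT_RE = re.compile(r"^(?:(?P<proto>[A-Za-z][A-Za-z0-9-]*):)?(?P<port>\d{1,5})$")


def parse_service_port(value: str) -> dict:
    """Parse a Service port written either as a bare port ("53", legacy form)
    or as transport:port ("UDP:53", the Solution 2 form).

    Returns the IDMEF Service fields to fill: 'port' always, and
    'iana_protocol_name' / 'iana_protocol_number' only when the transport is
    explicit and known. Anything ambiguous (unknown transport, bad port)
    raises ValueError instead of being silently guessed.
    """
    m = _PORT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a port or transport:port string: {value!r}")
    port = int(m.group("port"))
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    fields = {"port": port}
    proto = m.group("proto")
    if proto is None:
        return fields  # legacy bare port: transport unknown, leave it unset
    name = proto.lower().replace("-", "")  # "UDP-Lite" -> "udplite"
    if name not in IANA_PROTOCOL_NUMBERS:
        raise ValueError(f"unknown transport {proto!r}; expected an IANA protocol name")
    fields["iana_protocol_name"] = name
    fields["iana_protocol_number"] = IANA_PROTOCOL_NUMBERS[name]
    return fields


if __name__ == "__main__":
    # GH's DNS example: same port, two different transports.
    for spec in ("TCP:53", "UDP:53", "53"):
        print(spec, "->", parse_service_port(spec))
```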

Meetings:

30/10/2015 Meeting: This field is not clearly defined. We must pay attention to ambiguity.

YV: These fields already exist. We must clear the ambiguity.

Original comments:

YV: already over-present: iana_protocol_number, iana_protocol_name, name, port
SM: I may be wrong, but we can only represent the application protocol, right? We can't differentiate HTTP over UDP from HTTP over TCP (it's a bad example since it's necessarily TCP, but I didn't have any other to hand ^^)
GH: DNS is a better example. I seem to remember that Hervé had mentioned the possibility of specifying the port in the form TCP:53 or UDP:53. That would avoid adding a dedicated field, but we would have to check that IDMEF V1 actually allows it, and above all write a tutorial on the subject. I prefer the dedicated-field solution (I prefer fields that are as "atomic" and homogeneous as possible).
YV: TCP and UDP are part of the IANA protocols, so their natural place is iana_protocol_number and iana_protocol_name. See http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

HD/YV comments - Best Practices:

Example HTTP over UDP, port 8080:

iana_protocol_name: http
iana_protocol_number: 80
port: 8080
protocol: UDP

Proposal:
- Clarification of the required fields.
- Enumeration for protocol to be discussed.