Translated addresses and ports

Aim:

Offer a way to identify translated addresses and ports.

Most formats offer a way to specify whether a given address or port is pre- or post-translation. IDMEF does not offer this possibility: address translation was not yet common practice when the format was designed. Since translation has since become widespread, it appears absolutely necessary to include this information in the format.

GH: We could use Address.category

Solution 1:

Add a translation enumeration to the Address class.

Impacted Class   Proposed Field   Type
Address          Translation      no_translation
                                  pre_translation
                                  post_translation

Pros

  • Backwards compatibility with existing implementations is maintained.

Cons

Solution 2:

Add options to the category enumeration of the Address class.

Impacted Class   Proposed Field   Type
Address          category         ipv4-addr-post-nat
                                  ipv4-addr-pre-nat
                                  ipv6-addr-post-nat
                                  ipv6-addr-pre-nat

Pros

Cons

  • Adds options whose types overlap (an ipv4-addr-pre-nat is still an ipv4-addr).
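To make the two proposals concrete, here is an added example (not part of this page, the IDMEF RFC 4765 schema, or any project code) that parses a constructed IDMEF alert and normalizes the NAT information from both encodings into one (address, base category, translation stage) record. The `translation` attribute on Address is the assumed XML form of Solution 1; the `ipv4-addr-pre-nat` style categories are Solution 2. The sample message, analyzer id and addresses are constructed for the example. It also shows the practical cost of Solution 2's overlap: a consumer that switches on `category` has to fold the new values back to `ipv4-addr`/`ipv6-addr` before it can treat them as ordinary IP addresses.

```python
"""Normalize NAT-translation information from IDMEF Address elements.

Hypothetical example: Solution 1 is assumed to appear as a `translation`
attribute on Address; Solution 2 extends the `category` enumeration.
Neither exists in the current IDMEF (RFC 4765) schema.
"""
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}

# Address categories defined by RFC 4765 (the values an existing consumer knows).
RFC4765_CATEGORIES = {
    "unknown", "atm", "e-mail", "lotus-notes", "mac", "sna", "vm",
    "ipv4-addr", "ipv4-addr-hex", "ipv4-net", "ipv4-net-mask",
    "ipv6-addr", "ipv6-addr-hex", "ipv6-net", "ipv6-net-mask",
}

# Solution 1 enumeration (assumed values, from the proposal above).
TRANSLATION_STAGES = {"no_translation", "pre_translation", "post_translation"}

# Solution 2 categories, folded back to (base category, translation stage).
EXTENDED_CATEGORIES = {
    "ipv4-addr-pre-nat": ("ipv4-addr", "pre_translation"),
    "ipv4-addr-post-nat": ("ipv4-addr", "post_translation"),
    "ipv6-addr-pre-nat": ("ipv6-addr", "pre_translation"),
    "ipv6-addr-post-nat": ("ipv6-addr", "post_translation"),
}

# Constructed sample alert: the Source node carries the same host before NAT
# (Solution 1 encoding) and after NAT (Solution 2 encoding); the Target has
# a plain RFC 4765 address with no translation information at all.
SAMPLE_ALERT = f"""<IDMEF-Message version="1.0" xmlns="{IDMEF_NS}">
  <Alert messageid="example-nat-1">
    <Analyzer analyzerid="nat-gw-1"/>
    <CreateTime ntpstamp="0xbc723b45.0xef449129">2015-10-30T10:00:00Z</CreateTime>
    <Source>
      <Node>
        <Address category="ipv4-addr" translation="pre_translation">
          <address>10.0.0.5</address>
        </Address>
        <Address category="ipv4-addr-post-nat">
          <address>203.0.113.7</address>
        </Address>
      </Node>
    </Source>
    <Target>
      <Node>
        <Address category="ipv4-addr">
          <address>198.51.100.20</address>
        </Address>
      </Node>
    </Target>
    <Classification text="Constructed example alert"/>
  </Alert>
</IDMEF-Message>"""


def normalize_address(addr_el):
    """Return {'address', 'category', 'translation'} for one Address element.

    Accepts both encodings; rejects unknown categories/stages and any
    message that carries both encodings with contradictory values.
    """
    raw_category = addr_el.get("category", "unknown")
    attr_stage = addr_el.get("translation")  # Solution 1 (hypothetical attribute)
    if raw_category in EXTENDED_CATEGORIES:
        base, stage = EXTENDED_CATEGORIES[raw_category]  # Solution 2
        if attr_stage is not None and attr_stage != stage:
            raise ValueError(f"conflicting NAT information: {raw_category} vs {attr_stage}")
    else:
        base, stage = raw_category, attr_stage or "no_translation"
    if base not in RFC4765_CATEGORIES:
        raise ValueError(f"unknown Address category: {raw_category}")
    if stage not in TRANSLATION_STAGES:
        raise ValueError(f"unknown translation stage: {stage}")
    return {
        "address": addr_el.findtext("idmef:address", namespaces=NS),
        "category": base,
        "translation": stage,
    }


def extract_addresses(xml_text):
    """Return [(role, normalized address), ...] for Source and Target nodes."""
    root = ET.fromstring(xml_text)
    results = []
    for role in ("Source", "Target"):
        for addr in root.findall(f".//idmef:{role}/idmef:Node/idmef:Address", NS):
            results.append((role, normalize_address(addr)))
    return results


if __name__ == "__main__":
    for role, rec in extract_addresses(SAMPLE_ALERT):
        print(role, rec)
```

Whichever solution is adopted, a receiver should validate the stage value against the agreed enumeration and reject contradictory encodings rather than silently picking one, since a wrong pre/post attribution points an analyst at the wrong host.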

Meetings:

30/10/2015 Meeting: This information is necessary. In order to avoid adding too many fields, we could use the category field of the Address class and update the related dictionary.

Comments HD/HV:
- To be discussed.