Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X509 folder move, table improvement, update for v1.4.0 #104

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

X509 folder move, table improvement, update for v1.4.0 #104

wants to merge 11 commits into from

Conversation

JW-Corelight
Copy link
Contributor

Move x509 folder under version folder and reorg README table structure for consistency with other logs.

@JW-Corelight
Move x509 folder under version folder and reorg README table structur…
8e0fb6f 
…e for consistency with other logs.
@JW-Corelight
Move to network_activity for ocsf v1.4
b698535 
dst_endpoint is no longer required in v1.4 and this is now viable

Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Move x509 to v1.4.0 folder for update
1fd212c
@JW-Corelight
Added type=integer clarifications
9f837ee 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Refreshed OCSF sample log given updated instructions
ca22df3 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Updated types for clarity
fac694b 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Added Unmapped table with tls.certificate.(sans[]) discussion
6f5c5ac 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Changed to tls.certificate.sans - pr on this was approved
8234976 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Merge branch 'ocsf:main' into x509
94a3ace
@mavam
Copy link
Contributor

mavam commented Jan 29, 2025

How did you figure out the TLS extensions to map to?

@JW-Corelight
Copy link
Contributor Author

I think you're talking about the type values i gave the ones with type_id="99".
https://schema.ocsf.io/1.4.0-dev/objects/tls_extension

I gave them the exact name of the field they're coming from, assuming that's how they work.

If I'm misuderstanding this, i'm happy to realign.

@mavam
Copy link
Contributor

mavam commented Jan 29, 2025

My understanding was that the TLS extension names comes from the RFC: https://datatracker.ietf.org/doc/html/rfc8446#page-35. At least that's where the schema links.

@JW-Corelight
Copy link
Contributor Author

After reviewing this again, I think I'm seeing what you're saying here @mavam

The TLS Extensions are used by the TLS protocol while the connection is set up, while the 'other' Zeek fields I'm attempting to fit into there are really just details about the cert itself. They seem to belong in the tls.certificate object instead of tls.tls_extension_list

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zschmerber zschmerber Awaiting requested review from zschmerber zschmerber is a code owner

@Aniak5 Aniak5 Awaiting requested review from Aniak5 Aniak5 is a code owner

@floydtree floydtree Awaiting requested review from floydtree floydtree is a code owner

At least 3 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JW-Corelight @mavam