Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X509 folder move, table improvement, update for v1.4.0 #104

Merged
merged 12 commits into from
Mar 26, 2025
Merged

X509 folder move, table improvement, update for v1.4.0 #104

merged 12 commits into from
Mar 26, 2025

Conversation

JW-Corelight
Copy link
Contributor

Move x509 folder under version folder and reorg README table structure for consistency with other logs.

@JW-Corelight
Move x509 folder under version folder and reorg README table structur…
8e0fb6f 
…e for consistency with other logs.
@JW-Corelight
Move to network_activity for ocsf v1.4
b698535 
dst_endpoint is no longer required in v1.4 and this is now viable

Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Move x509 to v1.4.0 folder for update
1fd212c
@JW-Corelight
Added type=integer clarifications
9f837ee 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Refreshed OCSF sample log given updated instructions
ca22df3 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Updated types for clarity
fac694b 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Added Unmapped table with tls.certificate.(sans[]) discussion
6f5c5ac 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Changed to tls.certificate.sans - pr on this was approved
8234976 
Signed-off-by: JW-Corelight <[email protected]>
@JW-Corelight
Merge branch 'ocsf:main' into x509
94a3ace
@mavam
Copy link
Contributor

mavam commented Jan 29, 2025

How did you figure out the TLS extensions to map to?

@JW-Corelight
Copy link
Contributor Author

I think you're talking about the type values i gave the ones with type_id="99".
https://schema.ocsf.io/1.4.0-dev/objects/tls_extension

I gave them the exact name of the field they're coming from, assuming that's how they work.

If I'm misuderstanding this, i'm happy to realign.

@mavam
Copy link
Contributor

mavam commented Jan 29, 2025

My understanding was that the TLS extension names comes from the RFC: https://datatracker.ietf.org/doc/html/rfc8446#page-35. At least that's where the schema links.

@JW-Corelight
Copy link
Contributor Author

After reviewing this again, I think I'm seeing what you're saying here @mavam

The TLS Extensions are used by the TLS protocol while the connection is set up, while the 'other' Zeek fields I'm attempting to fit into there are really just details about the cert itself. They seem to belong in the tls.certificate object instead of tls.tls_extension_list

@JW-Corelight JW-Corelight merged commit 666f251 into ocsf:main Mar 26, 2025
@JW-Corelight JW-Corelight deleted the x509 branch March 26, 2025 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Aniak5 Aniak5 Aniak5 approved these changes

@zschmerber zschmerber zschmerber approved these changes

@irakledibm irakledibm irakledibm approved these changes

@floydtree floydtree Awaiting requested review from floydtree floydtree is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@JW-Corelight @mavam @Aniak5 @zschmerber @irakledibm