This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.

Network_Connection_Object 2.0 04/08/2013

The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.

Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.

The Network_Connection object is intended to represent a single network connection.

The NetworkConnectionObjectType is intended as a way of characterizing local or remote (i.e. Internet) network connections.

The Creation_Time field specifies the date/time the network connection was created.
The Layer3_Protocol field specifies the particular network (layer 3 in the OSI model) layer protocol used in the connection.
The Layer4_Protocol field specifies the particular transport (layer 4 in the OSI model) layer protocol used in the connection.
The Layer7_Protocol field specifies the particular application (layer 7 in the OSI model) layer protocol used in the connection.
The Source_Socket_Address field specifies the source socket address, consisting of an IP Address and port number, used in the connection.
The Source_TCP_State field specifies the current state of the TCP network connection at the source, if applicable.
The Destination_Socket_Address field specifies the destination socket address, consisting of an IP Address and port number, used in the connection.
The Destination_TCP_State field specifies the current state of the TCP network connection at the destination, if applicable.
The Layer7_Connections field allows for the characterization of any application (layer 7 in the OSI model) layer connections observed as part of the network connection.
The tls_used field specifies whether or not Transport Layer Security (TLS) is used in the network connection.

The Layer7ConnectionsType specifies the different types of application (layer 7 in the OSI model) connections that may be initiated as part of the network connection.

The HTTP Session field specifies a single HTTP session initiated between source and destination IP addresses/ports, and includes 1-n HTTP Request/Response pairs.
The DNS_Query field specifies a single DNS query/answer pair initiated between source and destination IP addresses/ports.

Layer3ProtocolType specifies Layer 3 protocol types, via a union of the Layer3ProtocolEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. This attribute is optional and specifies the expected type for the value of the specified property.

Layer4ProtocolType specifies Layer 4 protocol types, via a union of the Layer4ProtocolEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. This attribute is optional and specifies the expected type for the value of the specified property.

Layer7ProtocolType specifies Layer 7 protocol types, via a union of the Layer7ProtocolEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. This attribute is optional and specifies the expected type for the value of the specified property.

The ConnectionStateEnum type is an enumeration of TCP connection states.

Indicates an unknown TCP connection state.
Indicates the closed TCP connection state--i.e. no connection state at all.
Indicates the listening TCP connection state.
Indicates the SYN sent TCP connection state--i.e. waiting for a matching connection request after having sent a connection request.
Indicates the SYN received TCP connection state--i.e. waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
Indicates the established TCP connection state--i.e. an open connection in which data received can be delivered to the user.
Indicates the FIN-WAIT-1 TCP connection state--i.e. waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
Indicates the FIN-WAIT-2 TCP connection state--i.e. waiting for a connection termination request from the remote TCP.
Indicates the CLOSE-WAIT TCP connection state--i.e. waiting for a connection termination request from the local user.
Indicates the CLOSING TCP connection state--i.e. waiting for a connection termination request acknowledgment from the remote TCP.
Indicates the LAST-ACK connection state--i.e. waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
Indicates the TIME-WAIT connection state--i.e. waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
Indicates the DELETE-TCB connection state--i.e. the Transmission Control Block (TCB) is being deleted.

Layer3ProtocolEnum is a non-exhaustive enumeration of Layer 3 (network) layer protocols.

Specifies the Internet Protocol, version 4.
Specifies the Internet Protocol, version 6.
Specifies the Internet Control Message Protocol.
Specifies the Internet Group Management Protocol.
Specifies the Interior Gateway Routing Protocol.
Specifies the Connectionless Networking Protocol.
Specifies the Exterior Gateway Protocol.
Specifies the Enhanced Interior Gateway Routing Protocol.
Specifies the Internet Protocol Security suite.
Specifies the Internetwork Packet Exchange protocol.
Specifies the Routed Split Multi-Link Trunking protocol.
Specifies the Signalling Connection Control Part protocol.

Layer4ProtocolEnum is a non-exhaustive enumeration of Layer 4 (transport) layer protocols.

Specifies the Transmission Control Protocol.
Specifies the User Datagram Protocol.
Specifies the Authentication Header protocol.
Specifies the Encapsulating Security Payload protocol.
Specifies the Generic Routing Encapsulation protocol.
Specifies the Internet Link protocol.
Specifies the Stream Control Transmission Protocol.
Specifies the Siemens Sinec H1 protocol.
Specifies the Sequenced Packet Exchange protocol.
Specifies the Datagram Congestion Control Protocol.

Layer7ProtocolEnum is a non-exhaustive enumeration of Layer 7 (application) layer protocols.

Specifies the Hypertext Transfer Protocol.
Specifies the Hypertext Transfer Protocol Secure.
Specifies the File Transfer Protocol.
Specifies the Simple Mail Transfer Protocol.
Specifies the Internet Relay Chat protocol.
Specifies the Identification Protocol, IDENT.
Specifies the Domain Name System protocol.
Specifies the Telnet protocol.
Specifies the Post Office Protocol, version 3.
Specifies the Internet Message Access Protocol.
Specifies the Secure Shell protocol.
Specifies the Microsoft Server Message Block protocol.
Specifies the Advanced Direct Connect protocol.
Specifies the Apple Filing Protocol.
Specifies the Building Automation and Control Network protocol.
Specifies the BitTorrent protocol.
Specifies the Bootstrap Protocol.
Specifies the Diameter protocol.
Specifies the Digital Imaging and Communications in Medicine protocol.
Specifies the Dictionary protocol.
Specifies the Digital Storage Media Command and Control protocol.
Specifies the Distributed Social Networking Protocol.
Specifies the Dynamic Host Configuration Protocol.
Specifies the EDonkey2000 protocol.
Specifies the Finger protocol.
Specifies the Gnutella protocol.
Specifies the Gopher protocol.
Specifies the ISDN User Part protocol.
Specifies the Lightweight Directory Access Protocol.
Specifies the Multipurpose Internet Mail Extensions protocol.
Specifies the Microsoft Notification Protocol.
Specifies the Mobile Application Part protocol.
Specifies the Network Basic Input/Output System protocol.
Specifies the Network News Transfer Protocol.
Specifies the Network Time Protocol.
Specifies the National Transportation Communications for Intelligent Transportation System Protocol.
Specifies the Remote Authentication Dial In User Service protocol.
Specifies the Remote Desktop Protocol.
Specifies the rlogin protocol.
Specifies the rsync protocol.
Specifies the Real-time Transport Protocol.
Specifies the Real-time Transport Streaming Protocol.
Specifies the Siebel Internet Session Network API protocol.
Specifies the Session Initiation Protocol.
Specifies the Simple Network Management Protocol.
Specifies the Session Traversal Utilities for NAT protocol.
Specifies the Telephone User Part protocol.
Specifies the Transaction Capabilities Application Part protocol.
Specifies the Trivial File Transfer Protocol.
Specifies the Web Distributed Authoring and Versioning protocol.
Specifies the Extensible Messaging and Presence Protocol.
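
The following is an added example, not part of the CybOX schema or MITRE's code: a consumer that flattens one Network_Connection element into a flow record and flags TCP state fields on a connection whose Layer4_Protocol is not TCP, since those fields apply only "if applicable". Assumptions: namespaces are omitted, tls_used is read as an attribute of the root element, the child names Address_Value and Port_Value and the literal values in the sample are not given on this page, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the schema): namespaces omitted; Address_Value,
# Port_Value and the literal values (IPv4, UDP, DNS, ESTABLISHED) are assumed.
SAMPLE = """
<Network_Connection tls_used="false">
  <Layer3_Protocol>IPv4</Layer3_Protocol>
  <Layer4_Protocol>UDP</Layer4_Protocol>
  <Layer7_Protocol>DNS</Layer7_Protocol>
  <Source_Socket_Address><IP_Address><Address_Value>192.0.2.10</Address_Value></IP_Address>
    <Port><Port_Value>53211</Port_Value></Port></Source_Socket_Address>
  <Source_TCP_State>ESTABLISHED</Source_TCP_State>
  <Destination_Socket_Address><IP_Address><Address_Value>198.51.100.53</Address_Value></IP_Address>
    <Port><Port_Value>53</Port_Value></Port></Destination_Socket_Address>
</Network_Connection>
"""

def _local(tag):
    """Drop a '{namespace}' prefix so namespaced documents also match."""
    return tag.rsplit("}", 1)[-1]

def _text(root, name):
    """Stripped text of the first non-empty descendant called `name`, else None."""
    for el in root.iter():
        if _local(el.tag) == name and el.text and el.text.strip():
            return el.text.strip()
    return None

def _socket(root, name):
    """(ip, port) found under the named socket-address element."""
    for el in root.iter():
        if _local(el.tag) == name:
            port = _text(el, "Port_Value")
            return _text(el, "Address_Value"), int(port) if port else None
    return None, None

def flatten(xml_text):
    """Flatten one Network_Connection element into a flow record plus warnings."""
    root = ET.fromstring(xml_text)
    names = ("Layer3_Protocol", "Layer4_Protocol", "Layer7_Protocol",
             "Source_TCP_State", "Destination_TCP_State")
    rec = {n: _text(root, n) for n in names}
    rec["src"] = _socket(root, "Source_Socket_Address")
    rec["dst"] = _socket(root, "Destination_Socket_Address")
    rec["tls_used"] = root.get("tls_used", "").lower() in ("true", "1")
    has_state = rec["Source_TCP_State"] or rec["Destination_TCP_State"]
    # The TCP state fields apply only when the transport protocol is TCP.
    mismatch = has_state and (rec["Layer4_Protocol"] or "").upper() != "TCP"
    return rec, (["TCP state present but Layer4_Protocol is not TCP"] if mismatch else [])
```

When the XML comes from an untrusted feed, parse it with a hardened parser such as defusedxml rather than the standard-library parser used here.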