community-id-spec

An open standard for hashing network flows into identifiers, a.k.a. "Community IDs".

Results 10 community-id-spec issues

At https://tools.ietf.org/html/rfc8335 an additional request-reply pair is documented. ICMP field Type: Extended Echo Request. The value for ICMPv4 is 42. The value for ICMPv6 is 160. ICMP field Type: Extended...

enhancement

If there was a 4 tuple hash, then I could share these hashes with other people and tools, between different networks, and use them in very much the same way....

enhancement

We've built community ID support into [VAST](https://github.com/tenzir/vast) to allow for pivoting between ingested PCAPs, Suricata, Zeek, and NetFlow/IPFIX. Our C++ implementation of community ID computation is available [here](https://github.com/tenzir/vast/blob/master/libvast/vast/community_id.hpp). We have...

A few folks have suggested that one could share the ID as an anonymous/pseudonymous substitute for the flow tuple, to avoid revealing the actual flow. (In analogy to sharing a...

usecase

DJ Gregor suggested one could simply append the flow's timestamp to the end of the ID when wanting to filter out clashing, unrelated flows. Doing so would allow you to...

usecase

The standard rendering of the ID (e.g. `1:ZEYOYMeyZNQC9DAdgsBZCtiTKqw=`) is not only not very nice to look at, but can break standard string handling in SIEM pipelines and other tools (so...

enhancement

Hey, While doing some research on various data we have, we've seen across two separate applications which saw the same flow, they each had their own interpretation of src/dst ordering....

bug
question
spec-ambiguity

A given network flow's 5-tuple will differ depending on whether it's perceived internally, externally, before or after a NAT, etc. Can the Community ID accommodate this? The short answer is...

question

The Community ID could include features beyond the flow tuple, such as the presence of particular file transfers in the flow. This could aid in disambiguation of flows with otherwise...

enhancement

Implemented the algorithm and tested the resulting IDs, comparing against this repo's Python script and also against Wireshark's community ID analysis tool. My implementation's results seemed to always match Wireshark's...

bug