STIX Wiki

Network Traffic

The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.

To allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties.

  • TODO: Add examples

Properties

Required Common Properties: type, id, protocols

Optional Common Properties: spec_version, object_marking_refs, granular_markings, defanged, extensions

Not Applicable: created_by_ref, revoked, labels, confidence, lang, external_references

Network Traffic Specific: extensions, start, end, src_ref, dst_ref, src_port, dst_port, protocols, src_byte_count, dst_byte_count, src_packets, dst_packets, ipfix, src_payload_ref, dst_payload_ref, encapsulates_refs, encapsulated_by_ref
| Property | Type | Description |
| --- | --- | --- |
| type (optional) | string | The value of this property MUST be `network-traffic`. |
| extensions (optional) | | The Network Traffic object defines the following extensions; in addition to these, producers MAY create their own. Defined extensions: http-ext, tcp-ext, icmp-ext, socket-ext. |
| start (optional) | string | Specifies the date/time the network traffic was initiated, if known. |
| end (optional) | string | Specifies the date/time the network traffic ended, if known. |
| src_ref (optional) | string | Specifies the source of the network traffic, as a reference to an Observable Object. |
| dst_ref (optional) | string | Specifies the destination of the network traffic, as a reference to an Observable Object. |
| src_port (optional) | integer | Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range 0 - 65535. |
| dst_port (optional) | integer | Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range 0 - 65535. |
| protocols (required) | list of string | Specifies the protocols observed in the network traffic, along with their corresponding state. |
| src_byte_count (optional) | integer | Specifies the number of bytes sent from the source to the destination. |
| dst_byte_count (optional) | integer | Specifies the number of bytes sent from the destination to the source. |
| src_packets (optional) | integer | Specifies the number of packets sent from the source to the destination. |
| dst_packets (optional) | integer | Specifies the number of packets sent from the destination to the source. |
| ipfix (optional) | | Specifies any IP Flow Information Export (IPFIX) data for the traffic. |
| src_payload_ref (optional) | string | Specifies the bytes sent from the source to the destination. |
| dst_payload_ref (optional) | string | Specifies the bytes sent from the destination to the source. |
| encapsulates_refs (optional) | list of string | Links to other network-traffic objects encapsulated by this network-traffic object. |
| encapsulated_by_ref (optional) | string | Links to another network-traffic object which encapsulates this object. |
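As an added example (not code from this wiki or from the STIX project), the following Python checker applies the MUST/SHOULD rules stated in the overview and the properties table to a network-traffic object and separates hard violations from SHOULD-level warnings. The `network-traffic--<uuid>` id form, the sample UUIDs and both sample objects are constructed for this example; the page itself only says that id is required.

```python
import re

# id form is an assumption; the page only says id is required (STIX ids are <type>--<UUID>)
ID_RE = re.compile(r"^network-traffic--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
PORT_PROPS = ("src_port", "dst_port")
COUNT_PROPS = ("src_byte_count", "dst_byte_count", "src_packets", "dst_packets")


def _is_int(value):
    # bool is a subclass of int in Python; reject it for integer-typed properties
    return isinstance(value, int) and not isinstance(value, bool)


def validate_network_traffic(obj):
    """Return (errors, warnings): MUST violations and SHOULD violations."""
    errors, warnings = [], []
    if obj.get("type") != "network-traffic":
        errors.append("type MUST be 'network-traffic'")
    if not ID_RE.match(str(obj.get("id", ""))):
        errors.append("id MUST be a network-traffic--<uuid> identifier")
    protocols = obj.get("protocols")
    if not (isinstance(protocols, list) and protocols
            and all(isinstance(p, str) for p in protocols)):
        errors.append("protocols MUST be a non-empty list of strings")
    if "src_ref" not in obj and "dst_ref" not in obj:
        errors.append("at least one of src_ref or dst_ref MUST be present")
    for key in PORT_PROPS:
        if key not in obj:
            warnings.append(f"{key} SHOULD be present")
        elif not (_is_int(obj[key]) and 0 <= obj[key] <= 65535):
            errors.append(f"{key} MUST be an integer in 0-65535")
    for key in COUNT_PROPS:
        if key in obj and not _is_int(obj[key]):
            errors.append(f"{key} MUST be an integer")
    return errors, warnings


# Constructed sample: a TCP flow to port 443 whose internal source address was withheld (dst_ref only)
SAMPLE_OK = {
    "type": "network-traffic",
    "id": "network-traffic--2568d22a-8998-58eb-99ec-3c8ca74f527d",
    "dst_ref": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
    "src_port": 52341,
    "dst_port": 443,
    "protocols": ["ipv4", "tcp"],
    "dst_byte_count": 48210,
}
# Constructed sample that breaks the rules: no protocols, no endpoint reference, no src_port, dst_port out of range
SAMPLE_BAD = {
    "type": "network-traffic",
    "id": "network-traffic--00000000-0000-0000-0000-000000000000",
    "dst_port": 70000,
}
```

Running `validate_network_traffic(SAMPLE_BAD)` returns three MUST violations plus a single SHOULD warning for the missing src_port, while `SAMPLE_OK` passes cleanly even though src_ref is absent.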
