OTRF / OSSEM

Open Source Security Events Metadata (OSSEM)

Issue on page /cdm/entities/destination_nat.html

alizadeh-mahdi opened this issue · comments

Hi Team,

Why are some fields missing in the yml files?

For example, consider "destination_nat" entity. Here you can find multiple fields:
https://ossemproject.com/cdm/entities/destination_nat.html

However, in the yml file, I just find one field (i.e., original_value):
https://github.com/OTRF/OSSEM-CDM/blob/14c48b27c107abe5a76fbd1bcb16e8bf78882172/schemas/entities/destination_nat.yml

Should they not match?

Hey @alizadeh-mahdi ! Thank you for providing feedback on the current standardization efforts of the OSSEM project.

One of the main concepts that we are testing and using for the creation of documentation for each entity is the concept of an extension. This is explained in a little bit more detail here:

https://github.com/OTRF/OSSEM-CDM/blob/master/schemas/entities/ip.yml

Therefore, entities such as IPs extend entities such as destination_nat and others as shown here:

https://github.com/OTRF/OSSEM-CDM/blob/master/schemas/entities/ip.yml

Finally, this is the script that we use to handle those extensions.

https://github.com/OTRF/OSSEM-CDM/blob/master/tools/ossemCDM.py#L56

This allows us to define some of those attributes once and not duplicate them all over the CDM. What do you think? We would love the feedback of the community. Thank you again!
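To make the extension mechanism described above concrete, here is an added example (not the project's ossemCDM.py and not its yml files) that expands an entity by pulling in the attributes of every entity that declares it in an `extends_entities` list. The entity definitions, the `extends_entities` key and the `<target_prefix>_<extension_prefix>_<attribute>` naming scheme are all constructed assumptions for this illustration.

```python
from copy import deepcopy

# Constructed definitions shaped like parsed OSSEM-CDM yml (assumed layout;
# these are not the project's files). Only destination_nat's *own* attribute
# is original_value; everything else arrives through extensions.
ENTITIES = {
    "destination_nat": {"prefix": ["dst_nat"], "attributes": [
        {"name": "original_value", "type": "string"}]},
    "source_nat": {"prefix": ["src_nat"], "attributes": [
        {"name": "original_value", "type": "string"}]},
    # ip and port declare which entities they extend (key name assumed)
    "ip": {"prefix": ["ip"], "extends_entities": ["destination_nat", "source_nat"],
           "attributes": [{"name": "addr", "type": "ip"},
                          {"name": "is_multicast", "type": "boolean"}]},
    "port": {"prefix": ["port"], "extends_entities": ["destination_nat"],
             "attributes": [{"name": "number", "type": "integer"}]},
}


def resolve_entity(name, entities=ENTITIES):
    """Expand one entity the way the docs page shows it: its own attributes
    plus those of every entity that lists it in extends_entities.
    Inherited names are built as <target_prefix>_<ext_prefix>_<attr>
    (naming scheme assumed for this example)."""
    base = deepcopy(entities[name])
    prefix = base["prefix"][0]
    fields = [dict(a, name=f"{prefix}_{a['name']}", source=name)
              for a in base["attributes"]]
    for ext_name in sorted(entities):  # deterministic output order
        ext = entities[ext_name]
        if name not in ext.get("extends_entities", []):
            continue
        ext_prefix = ext["prefix"][0]
        fields += [dict(a, name=f"{prefix}_{ext_prefix}_{a['name']}",
                        source=ext_name) for a in ext["attributes"]]
    # Schema sanity check: two extensions must not yield the same field name
    seen = set()
    for f in fields:
        if f["name"] in seen:
            raise ValueError(f"duplicate field {f['name']} in {name}")
        seen.add(f["name"])
    base["attributes"] = fields
    return base


def field_names(name, entities=ENTITIES):
    """Just the expanded field names for an entity, as a docs page lists them."""
    return [f["name"] for f in resolve_entity(name, entities)["attributes"]]


if __name__ == "__main__":
    for n in field_names("destination_nat"):
        print(n)
```

Running it lists one field from destination_nat itself plus the fields contributed by ip and port, which is why the yml file for destination_nat can hold a single attribute while the rendered page shows several.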

@Cyb3rWard0g Thanks for the quick explanation. Now it is clear to me why we do not see those fields in the destination_nat yml file, and it makes sense. I think it is a good idea to not include duplicate fields there.