community-id-spec
Sharefulness - 4 tuple
If there was a 4 tuple hash, then I could share these hashes with other people and tools, between different networks, and use them in very much the same way. Dropping the source address would mean that hash x can be applied against traffic in any network inside and outside of a particular organization. It would put the community in community ID.
I think a 4 tuple would be great too! But I think dropping source address is only taking into consideration outbound traffic - would say a 4 tuple for both with src and one with dst.
4 tuple would be very useful. Drop either SRC or DST. Different use cases but equally valuable.
Thumbs up to "put the community in community ID" :)
The theme here seems to be dropping some part of the tuple — not clear that it's necessarily a specific address. The immediate workaround that comes to mind for this would be using null-values, like 0.0.0.0, for the parts you don't care about. There seem to be two deficiencies if one does this: (1) whatever part you omit would also need to be omitted by the other orgs/peers you're exchanging the IDs with, (2) there's no "matching" of such partial IDs with full-tuple IDs since the hashes will come out differently. Would this address your use case, anyway?
Fwiw, there seems to be a whole class of applications where standardized textual rendering would be useful, i.e., simply some form of "saddr:daddr:proto:sport:dport". Pattern-matching this would obviously be feasible, and various representations (in JSON, etc) would be easy to come by. Thoughts on this are also welcome.
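The null-value workaround and its two deficiencies, as an added example that is not part of the thread or the project's code. It follows the Community ID v1 hash layout for TCP/UDP; the flows are constructed and the `drop` parameter is hypothetical.

```python
import base64
import hashlib
import ipaddress
import struct

def community_id(saddr, daddr, proto, sport, dport, seed=0):
    """Community ID v1 for a TCP/UDP flow tuple."""
    a = ipaddress.ip_address(saddr).packed
    b = ipaddress.ip_address(daddr).packed
    # Order the endpoints so both directions of a flow hash identically.
    if (a, sport) > (b, dport):
        a, b, sport, dport = b, a, dport, sport
    data = struct.pack("!H", seed) + a + b
    data += struct.pack("!BBHH", proto, 0, sport, dport)  # proto, pad byte, ports
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

def partial_id(saddr, daddr, proto, sport, dport, drop):
    """Null-value workaround: blank one address before hashing.

    `drop` is "src" or "dst" (hypothetical parameter for this example).
    The tuple must be given originator first, or "src" blanks the wrong end.
    """
    null = "0.0.0.0" if ipaddress.ip_address(saddr).version == 4 else "::"
    if drop == "src":
        saddr = null
    elif drop == "dst":
        daddr = null
    else:
        raise ValueError("drop must be 'src' or 'dst'")
    return community_id(saddr, daddr, proto, sport, dport)

# Constructed flows: two clients in different networks, same server and ports.
TCP = 6
FLOW_A = ("10.1.1.5", "203.0.113.10", TCP, 40000, 443)
FLOW_B = ("192.168.7.20", "203.0.113.10", TCP, 40000, 443)

def demo():
    return {
        "full_a": community_id(*FLOW_A),    # differs from full_b
        "full_b": community_id(*FLOW_B),
        "nosrc_a": partial_id(*FLOW_A, drop="src"),  # equals nosrc_b
        "nosrc_b": partial_id(*FLOW_B, drop="src"),
        "nodst_a": partial_id(*FLOW_A, drop="dst"),  # peer dropped the other part
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8} {value}")
```

The source port stays in the hash, so the two source-less IDs agree here only because the constructed flows share port 40000.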