By Christian Kreibich, Senior Engineer at Corelight
Nearly a year has passed since the introduction of the Community ID flow hashing standard, so I’d like recap the goals of the project, share an update on what has happened since, and lay out the next steps.
We’ve recently updated the ID’s main document to become more normative, including a pseudo code implementation. At the moment, the ID is perhaps easiest to explore via our recently released communityid Python module: it installs via pip and significantly reduces the barrier to entry, particularly in data-processing / SIEM environments. It ships with a command-line tool that reports the ID for a given flow tuple, as follows:
$ community-id tcp 10.0.0.1 192.168.0.1 1234 80
1:K4ienR4L7rjxkkNvuZGIZwbbphY=
Going forward, our goals are threefold:
Gather feedback and experience reports. The ID provides version support, and the community has raised several interesting ideas for future revisions. The first version is, quite literally, the simplest approach we could think of. We’re particularly curious to hear about operational use of the ID, its proneness to hash collisions, practical concerns, or creative applications. If you have any feedback, please open tickets!
Provide as many off-the-shelf implementations of the ID as possible. We recently released the communityid Python module that installs via pip and significantly reduces the barrier to entry, particularly in data-processing / SIEM environments. Several of the existing implementations look like they will be relatively straightforward to make reusable. A C library would obviously be a great way to unify and simplify existing implementations, and enable others. If you are interested in working on these, please get in touch!
Add support to more network monitoring applications. Most immediately, we’re looking to support Wireshark, with others to follow. Whether you’re considering an implementation, are actively working on one, or have a tool that you would like to see support the ID, shout!
Please feel free to explore the ID at https://github.com/corelight/community-id-spec. We look forward to your feedback.