Add history and missing_bytes attributes to network class (#1316)

#### Related Issue: 
#1314 
#### Description of changes:

- Add `flag_history` to `network_connection` object
- Add `bytes_missed` to `network_traffic` object
<img width="1330" alt="image"
src="https://github.com/user-attachments/assets/5487fe73-4690-4548-b13f-7feac9827ae2"
/>

<img width="1481" alt="image"
src="https://github.com/user-attachments/assets/8a9cb8d7-ca4c-42e7-a18a-fdc8b826561a"
/>

---------

Signed-off-by: Ania Kacewicz <[email protected]>
Signed-off-by: Ania Kacewicz <[email protected]>
Signed-off-by: Rajas <[email protected]>
Co-authored-by: Ania Kacewicz <[email protected]>
Co-authored-by: Rajas <[email protected]>

CHANGELOG.md

@@ -85,6 +85,7 @@ Thankyou! -->
     1. Added `ancestry` as a list of `process_entity`. #1317
     1. Added `internal_name` as a `string_t`. #1322
     1. Added `cc_mailboxes`, `from_mailbox`, `to_mailboxes`, `delivered_to_list`  and `reply_to_mailboxes`. #1307
+    1. Added `flag_history` and `bytes_missed` attributes. #1316
 
 * #### Objects
     1. Added `environment_variable` object. #1172, #1288
@@ -189,6 +190,8 @@ Thankyou! -->
     1. Added `internal_name` to the `file` object. #1322
     1. Added `cc_mailboxes`, `from_mailbox`, `to_mailboxes`, `delivered_to_list`  and `reply_to_mailboxes` to `email` object. #1307
     1. Added `sans` array to `certificate` object. #1325
+    1. Added `flag_history` attribute to the `network_connection_info` object. #1316
+    1. Added `bytes_missed` attribute to the `network_traffic` object. #1316
 
 ### Bugfixes
 1. Added sibling definition to `confidence_id` in dictionary, accurately associating `confidence` as its sibling. #1180

dictionary.json

@@ -486,6 +486,11 @@
       "description": "The number of bytes sent from the destination to the source.",
       "type": "long_t"
     },
+    "bytes_missed": {
+      "caption": "Bytes Missed",
+      "description": "Indicates the number of bytes missed, which is representative of packet loss.",
+      "type": "long_t"
+    },
     "bytes_out": {
       "caption": "Bytes Out",
       "description": "The number of bytes sent from the source to the destination.",
@@ -2294,6 +2299,17 @@
       "description": "The software package version in which a reported vulnerability was patched/fixed.",
       "type": "string_t"
     },
+    "flag_history": {
+      "caption": "Connection Flag History",
+      "description": "The Connection Flag History summarizes events in a network connection. For example flags <code> ShAD </code> representing SYN, SYN/ACK, ACK and Data exchange.",
+      "references": [
+        {
+          "description": "Zeek History",
+          "url": "https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html#detailed-interface:~:text=Records%20the%20state%20history%20of%20connections%20as%20a%20string%20of%20letters.%20The%20meaning%20of%20those%20letters%20is"
+        }
+      ],
+      "type": "string_t"
+    },
     "flag_ids": {
       "caption": "Communication Flag IDs",
       "description": "The list of normalized identifiers of the communication flag IDs. See specific usage.",
@@ -2313,7 +2329,7 @@
     },
     "flags": {
       "caption": "Flags",
-      "description": "The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source.",
+      "description": "The list of communication flags, normalized to the captions of the flag_ids values. See specific usage.",
       "type": "string_t",
       "is_array": true
     },
@@ -2546,8 +2562,16 @@
       "sibling": "impact",
       "type": "integer_t",
       "source": "impact value; impact level",
-      "references": [{"description": "NIST SP 800-172 from FIPS 199", "url": "https://doi.org/10.6028/NIST.FIPS.199"}, 
-                     {"description": "NIST Computer Security Resource Center", "url": "https://doi.org/10.6028/NIST.FIPS.199"}],
+      "references": [
+        {
+          "description": "NIST SP 800-172 from FIPS 199",
+          "url": "https://doi.org/10.6028/NIST.FIPS.199"
+        },
+        {
+          "description": "NIST Computer Security Resource Center",
+          "url": "https://doi.org/10.6028/NIST.FIPS.199"
+        }
+      ],
       "enum": {
         "0": {
           "caption": "Unknown",

objects/network_connection_info.json

@@ -20,6 +20,9 @@
     "direction_id": {
       "requirement": "required"
     },
+    "flag_history": {
+      "requirement": "optional"
+    },
     "protocol_name": {
       "caption": "Protocol Name",
       "description": "The IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). For example: <code>tcp</code> or <code>udp</code>.",

objects/network_traffic.json

@@ -11,16 +11,10 @@
     "bytes_in": {
       "requirement": "optional"
     },
-    "bytes_out": {
+    "bytes_missed": {
       "requirement": "optional"
     },
-    "packets": {
-      "requirement": "recommended"
-    },
-    "packets_in": {
-      "requirement": "optional"
-    },
-    "packets_out": {
+    "bytes_out": {
       "requirement": "optional"
     },
     "chunks": {
@@ -34,6 +28,15 @@
     "chunks_out": {
       "description": "The number of chunks sent from the source to the destination.",
       "requirement": "optional"
+    },
+    "packets": {
+      "requirement": "recommended"
+    },
+    "packets_in": {
+      "requirement": "optional"
+    },
+    "packets_out": {
+      "requirement": "optional"
     }
   }
 }

objects/request.json

@@ -12,6 +12,7 @@
       "requirement": "optional"
     },
     "flags": {
+      "description": "The communication flags that are associated with the api request.",
       "requirement": "optional"
     },
     "uid": {

objects/response.json

@@ -21,6 +21,7 @@
       "requirement": "recommended"
     },
     "flags": {
+      "description": "The communication flags that are associated with the api response.",
       "requirement": "optional"
     },
     "message": {