Feature #535 (open)
new keywords - time, day
Description
It would be beneficial if we introduced "time" and "day" keywords.
e.g.:
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30; day:Saturday,Sunday;)
alert if this is between 12:23 and 15:30 on a Sunday or Saturday
the same idea here:
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; day:Saturday,Sunday;)
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30; )
also very important:
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30,packet; day:Saturday,Sunday;)
where time:12.23,>,15.30,packet; is the time of the packet
and
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30,OS; day:Saturday,Sunday;)
where time:12.23,>,15.30,OS; is the current time of the OS
pros?
cons?
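To make the proposed semantics concrete, here is an added Python sketch (not Suricata code, nor from the ticket author) that parses the `time:` and `day:` options in the syntax above and evaluates them against a packet timestamp or the sensor clock. It assumes `START,>,END` means "between START and END", that the source defaults to `packet` when the fourth field is absent, and that all comparisons are done in UTC, which also shows why a packet stamped in another timezone may fall outside the window.

```python
import re
from datetime import datetime, time, timezone

# Weekday names indexed like datetime.weekday(): 0 = Monday.
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

def extract_option(rule, name):
    """Return the value of 'name:<value>;' from a rule body, or None if absent."""
    m = re.search(r"\b%s:([^;]*);" % re.escape(name), rule)
    return m.group(1).strip() if m else None

def parse_time_option(opt):
    """Parse 'START,>,END[,packet|OS]'; '>' is assumed to mean 'between START and END'."""
    parts = [p.strip() for p in opt.split(",")]
    if len(parts) not in (3, 4) or parts[1] != ">":
        raise ValueError("bad time option: %r" % opt)
    source = parts[3].lower() if len(parts) == 4 else "packet"  # assumed default
    if source not in ("packet", "os"):
        raise ValueError("time source must be 'packet' or 'OS': %r" % opt)
    start, end = (time(*map(int, p.split("."))) for p in (parts[0], parts[2]))  # 'HH.MM'
    return start, end, source

def parse_day_option(opt):
    days = {d.strip().lower() for d in opt.split(",")}
    unknown = days - set(DAYS)
    if unknown:
        raise ValueError("unknown day(s): %s" % ", ".join(sorted(unknown)))
    return days

def in_window(clock, start, end):
    """True if clock lies in [start, end]; a window with end < start wraps midnight."""
    if start <= end:
        return start <= clock <= end
    return clock >= start or clock <= end

def rule_matches(rule, packet_ts, os_now=None):
    """Evaluate a rule's time/day options against timezone-aware timestamps.
    Comparisons are done in UTC, the timezone choice raised in this thread."""
    ts = packet_ts
    time_opt, day_opt = extract_option(rule, "time"), extract_option(rule, "day")
    if time_opt is not None:
        start, end, source = parse_time_option(time_opt)
        if source == "os":  # ',OS' means the sensor's clock, not the packet's
            ts = os_now or datetime.now(timezone.utc)
        if not in_window(ts.astimezone(timezone.utc).time(), start, end):
            return False
    if day_opt is not None:
        if DAYS[ts.astimezone(timezone.utc).weekday()] not in parse_day_option(day_opt):
            return False
    return True
```

A rule carrying neither option always matches, so the keywords only ever narrow an existing signature.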
Updated by Eric Leblond over 13 years ago
Just thinking about that: need to be able to treat the timezone with respect to source or destination IP ...
Updated by Victor Julien over 13 years ago
- Target version set to TBD
Updated by Andreas Herz over 10 years ago
- Assignee set to OISF Dev
Updated by Andreas Herz almost 9 years ago
Wouldn't it be enough (since it's a corner case) to just use UTC?
Updated by Victor Julien almost 8 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to low
- Difficulty set to low
Updated by Andreas Herz about 7 years ago
- Assignee set to Community Ticket
Updated by Shivani Bhardwaj almost 7 years ago
Is this still valid? Can I work on this?