Feature #535: new keywords - time, day
Status: open
Description
It would be beneficial if we introduced "time" and "day" keywords.
ex:
alert ip any any -> any any (msg:"Time and Day based alert"; content:"login failed"; time:12.23,>,15.30; day:Saturday,Sunday;)
alert if this is between 12:23 and 15:30 on a Sunday or Saturday
the same idea here:
alert ip any any -> any any (msg:"Time and Day based alert"; content:"login failed"; day:Saturday,Sunday;)
alert ip any any -> any any (msg:"Time and Day based alert"; content:"login failed"; time:12.23,>,15.30;)
also very important:
alert ip any any -> any any (msg:"Time and Day based alert"; content:"login failed"; time:12.23,>,15.30,packet; day:Saturday,Sunday;)
where time:12.23,>,15.30,packet; is the time of the packet
and
alert ip any any -> any any (msg:"Time and Day based alert"; content:"login failed"; time:12.23,>,15.30,OS; day:Saturday,Sunday;)
where time:12.23,>,15.30,OS; is the current time of the OS
pros?
cons?
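To make the proposed semantics concrete, here is an added example matcher for the "time" and "day" keywords as described in the request. It is not Suricata code and nothing like it exists in the project; the function names (parse_time_keyword, parse_day_keyword, timeday_match, eval_time_day), the TimeDayRule struct and the sample timestamps are all constructed for this illustration. It evaluates the window in UTC (the simplification Andreas Herz suggests further down), honours the ",packet" versus ",OS" clock selection, treats the window bounds as inclusive, and lets a window such as 22.00,>,02.00 wrap across midnight, which the request does not spell out but any implementation would have to decide.

```c
/* Added example (not Suricata code): a matcher for the proposed
 * "time" and "day" keywords. Times are evaluated in UTC; per-IP
 * timezone handling (Eric Leblond's point) is deliberately out of scope. */
#include <stdio.h>
#include <string.h>
#include <time.h>

struct TimeDayRule {
    int start_min;       /* minutes after midnight, window start (inclusive) */
    int end_min;         /* minutes after midnight, window end (inclusive) */
    int use_packet_time; /* 1 = ",packet" (capture timestamp), 0 = ",OS" (wall clock) */
    int day_mask;        /* bit N set = weekday N allowed (0 = Sunday); 0 = any day */
};

/* Parse "HH.MM,>,HH.MM[,packet|,OS]". Returns 1 on success, 0 on syntax error. */
int parse_time_keyword(const char *spec, struct TimeDayRule *r)
{
    int h1, m1, h2, m2;
    if (sscanf(spec, "%d.%d,>,%d.%d", &h1, &m1, &h2, &m2) != 4)
        return 0;
    if (h1 < 0 || h1 > 23 || h2 < 0 || h2 > 23 || m1 < 0 || m1 > 59 || m2 < 0 || m2 > 59)
        return 0;
    r->start_min = h1 * 60 + m1;
    r->end_min = h2 * 60 + m2;
    /* Default to the packet timestamp; ",OS" selects the host clock instead. */
    r->use_packet_time = (strstr(spec, ",OS") == NULL);
    return 1;
}

/* Parse "Saturday,Sunday". Unknown names are ignored; returns number of days recognised. */
int parse_day_keyword(const char *spec, struct TimeDayRule *r)
{
    static const char *names[7] = { "Sunday", "Monday", "Tuesday", "Wednesday",
                                    "Thursday", "Friday", "Saturday" };
    int count = 0;
    r->day_mask = 0;
    for (int i = 0; i < 7; i++) {
        if (strstr(spec, names[i]) != NULL) {
            r->day_mask |= 1 << i;
            count++;
        }
    }
    return count;
}

/* 1 if the selected timestamp (UTC) falls inside the rule's window, else 0.
 * A window whose start is after its end (e.g. 22.00,>,02.00) wraps midnight. */
int timeday_match(const struct TimeDayRule *r, time_t packet_ts, time_t os_now)
{
    time_t ts = r->use_packet_time ? packet_ts : os_now;
    struct tm *tm = gmtime(&ts);
    if (tm == NULL)
        return 0;
    if (r->day_mask != 0 && !(r->day_mask & (1 << tm->tm_wday)))
        return 0;
    int minute = tm->tm_hour * 60 + tm->tm_min;
    if (r->start_min <= r->end_min)
        return minute >= r->start_min && minute <= r->end_min;
    return minute >= r->start_min || minute <= r->end_min;
}

/* Parse both keywords (day_spec may be NULL for "any day") and evaluate.
 * Returns 1 match, 0 no match, -1 on a syntax error in either keyword. */
int eval_time_day(const char *time_spec, const char *day_spec,
                  time_t packet_ts, time_t os_now)
{
    struct TimeDayRule r;
    if (!parse_time_keyword(time_spec, &r))
        return -1;
    r.day_mask = 0;
    if (day_spec != NULL && parse_day_keyword(day_spec, &r) == 0)
        return -1; /* a day list with no recognised day name is rejected, not silently "any day" */
    return timeday_match(&r, packet_ts, os_now);
}

int main(void)
{
    /* Constructed timestamps: 1970-01-03 13:00 UTC is a Saturday,
     * 1970-01-05 13:00 UTC a Monday. */
    time_t sat_1300 = 2 * 86400 + 13 * 3600;
    time_t mon_1300 = 4 * 86400 + 13 * 3600;
    printf("packet mode, Saturday packet, Monday clock: %d\n",
           eval_time_day("12.23,>,15.30,packet", "Saturday,Sunday", sat_1300, mon_1300));
    printf("OS mode, same inputs:                       %d\n",
           eval_time_day("12.23,>,15.30,OS", "Saturday,Sunday", sat_1300, mon_1300));
    return 0;
}
```

The two printf calls in main show the distinction the request calls "very important": with the same Saturday packet and Monday host clock, ",packet" matches and ",OS" does not. A real implementation would still have to choose whether a flow that starts inside the window and ends outside it matches, and how the "time" comparison operator (here only ">") should be generalised.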
Updated by Eric Leblond over 12 years ago
Just thinking about that: need to be able to treat the timezone with respect to source or destination IP ...
Updated by Andreas Herz over 7 years ago
Wouldn't it be enough (since it's a corner case) to just use UTC?
Updated by Victor Julien over 6 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to low
- Difficulty set to low
Updated by Shivani Bhardwaj over 5 years ago
Is this still valid? Can I work on this?