[Intelmq-dev] handling of time frames

Tomás Lima synchroack at protonmail.ch
Thu Dec 14 11:32:53 CET 2017


Hi,

Thank you Sebastian to raise this to ML.

My perspective:
100% agree with your suggestion. This case is the same as a stream feed like AnubisNetworks. AnubisNetworks sends an event to the stream per each bot (infected machine) connection to C&C and the timestamp is the connection time. If we assume that the netlab 360 bot sees (like you mention) a future timestamp as timestamp.now(), we just need to handle those events like we do with the AnubisNetworks parser.

TL;DR: 100% agree, let's fix it!

Cheers

> -------- Original Message --------
> Subject: Re: [Intelmq-dev] handling of time frames
> Local Time: August 14, 2017 2:23 PM
> UTC Time: August 14, 2017 1:23 PM
> From: wagner at cert.at
> To: intelmq-dev at lists.cert.at <intelmq-dev at lists.cert.at>
>
> I appreciate your comments on this topic. This problem is still unresolved.
>
> On 06/19/2017 02:13 PM, Sebastian Wagner wrote:
>
>> Any thoughts on this?
>>
>> On 04/21/2017 03:42 PM, Sebastian Wagner wrote:
>>
>>> Dear list,
>>>
>>> in pull request #944 (netlab 360 enh [0]) by navtej an issue came up
>>> which can't be solved trivially:
>>>
>>> The feed Netlab 360 DGA[1] - which is already included in intelmq -
>>> provides a validity time frame for each domain. Most of those (~90%) end
>>> in 2030 while the start date is the current day at 00:00.
>>> So both start and end time are artificial. And the source claims the
>>> event is valid in the future, which is very odd. And does it actually
>>> make sense to forward this kind of information?
>>> Also, we can't really handle this time information using the current
>>> harmonization.
>>>
>>> One idea would be to set time.source to time.observation if the
>>> time.source is in the future. So time.source <= time.observation does
>>> always apply.
>>>
>>> What do you think?
>>>
>>> Sebastian
>>>
>>> [0]: https://github.com/certtools/intelmq/pull/944
>>> [1]: http://data.netlab.360.com/feeds/dga/dga.txt - attention, quite
>>> big! The domains at the beginning have a very near end date.
>>>
>>> _______________________________________________
>>> Intelmq-dev mailing list
>>> Intelmq-dev at lists.cert.at
>>>
>>> http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>>
>> --
>> // Sebastian Wagner
>> <wagner at cert.at>
>> - T: +43 1 5056416 7201
>> // CERT Austria -
>> https://www.cert.at/
>> // An initiative of nic.at GmbH -
>> https://www.nic.at/
>> // Commercial register number 172568b, LG Salzburg
>>
>
> --
> // Sebastian Wagner
> <wagner at cert.at>
> - T: +43 1 5056416 7201
> // CERT Austria -
> https://www.cert.at/
> // An initiative of nic.at GmbH -
> https://www.nic.at/
> // Commercial register number 172568b, LG Salzburg
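The rule proposed in the quoted thread (clamp time.source to time.observation whenever the source claims a future time, so that time.source <= time.observation always holds), applied to constructed feed lines, as an added example that is not code from the thread or from IntelMQ itself. The tab-separated column layout, the mapping of the window start to time.source and the extra.* field names are assumptions; the sample lines are constructed, not real feed data.

```python
from datetime import datetime, timezone

# Constructed sample in the ASSUMED layout family<TAB>domain<TAB>start<TAB>end.
# Line 1: window from today 00:00 until 2030 (the common case in the thread).
# Line 2: a "very near" end date that is already in the past at observation time.
# Line 3: a start date in the future, constructed to exercise the clamp rule.
SAMPLE_FEED = """\
# constructed sample, not real feed data
examplefamily\tdga-example-1.invalid\t2017-04-21 00:00:00\t2030-12-31 00:00:00
examplefamily\tdga-example-2.invalid\t2017-04-21 00:00:00\t2017-04-21 12:00:00
examplefamily\tdga-example-3.invalid\t2017-04-22 00:00:00\t2030-12-31 00:00:00
"""

# Constructed observation time: the afternoon of the day the feed was fetched.
OBSERVATION = datetime(2017, 4, 21, 13, 42, 0, tzinfo=timezone.utc)


def parse_ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' feed timestamp as UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def clamp_time_source(time_source, time_observation):
    """A time.source lying in the future relative to time.observation is
    replaced by time.observation, so time.source <= time.observation holds."""
    return time_observation if time_source > time_observation else time_source


def parse_feed(text, time_observation):
    """Turn feed lines into event dicts with harmonised time fields. The full
    validity window is kept in extra.* (assumed names) so nothing is lost,
    while time.source is taken from the window start and clamped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        family, domain, start, end = line.split("\t")
        start_dt, end_dt = parse_ts(start), parse_ts(end)
        events.append({
            "source.fqdn": domain,
            "malware.name": family,
            "time.source": clamp_time_source(start_dt, time_observation).isoformat(),
            "time.observation": time_observation.isoformat(),
            "extra.time_start": start_dt.isoformat(),
            "extra.time_end": end_dt.isoformat(),
            # flag windows the source claims are still open, for later filtering
            "extra.end_in_future": end_dt > time_observation,
        })
    return events


def demo():
    return parse_feed(SAMPLE_FEED, OBSERVATION)
```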