<div>Hi,</div><div><br></div><div class="protonmail_signature_block"><div class="protonmail_signature_block-user">Thank you Sebastian to raise this to ML.<br></div><div class="protonmail_signature_block-user"><br></div><div class="protonmail_signature_block-user">My perspective:<br></div><div class="protonmail_signature_block-user">100% agree with your suggestion. This case is the same as a stream feed like AnubisNetworks. AnubisNetworks sends a event to the stream per each bot (infected machine) connection to C&C and the timestamp is the connection time. If we assume that netlab306 bot sees (like you mention) a future timestamp as timestamp.now(), we just need to handle that events like we do with AnubisNetworks parser.<br></div><div class="protonmail_signature_block-user"><br></div><div class="protonmail_signature_block-user">TL;DR: 100% agree, lets fix it!<br></div><div class="protonmail_signature_block-user"><br></div><div class="protonmail_signature_block-user">Cheers</div><div class="protonmail_signature_block-user"><br></div><div class="protonmail_signature_block-proton protonmail_signature_block-empty"><br></div></div><div><br></div><blockquote type="cite" class="protonmail_quote"><div>-------- Original Message --------<br></div><div>Subject: Re: [Intelmq-dev] handling of time frames<br></div><div>Local Time: August 14, 2017 2:23 PM<br></div><div>UTC Time: August 14, 2017 1:23 PM<br></div><div>From: wagner@cert.at<br></div><div>To: intelmq-dev@lists.cert.at <intelmq-dev@lists.cert.at><br></div><div><br></div><div> <br></div><p>I appreciate your comments on this topic. This problem is still
unresolved.<br></p><div><br></div><div class="moz-cite-prefix">On 06/19/2017 02:13 PM, Sebastian
Wagner wrote:<br></div><blockquote type="cite"><p>Any thoughts on this?<br></p><div><br></div><div class="moz-cite-prefix">On 04/21/2017 03:42 PM, Sebastian
Wagner wrote:<br></div><blockquote type="cite"><pre wrap="">Dear list,
in pull request #944 (netlab 360 enh [0]) by navtej an issue came up
which can't be solved trivially:
The feed Netlab 360 DGA[1] - which is already included in intelmq -
provides a validity time frame for each domain. Most of those (~90%) end
in 2030 while the start date is the current day at 00:00.
So both start and end time are artificial. And the source claims the
event is valid in the future, which is a very odd. And does it actually
make sense to forward this kind of information?
Also, we can't really handle this time information using the current
harmonization.
One idea would be to set time.source to time.observation if the
time.source is in the future. So time.source <= time.observation does
always apply.
What do you think?
Sebastian
[0]: <a class="moz-txt-link-freetext" href="https://github.com/certtools/intelmq/pull/944">https://github.com/certtools/intelmq/pull/944</a>
[1]: <a class="moz-txt-link-freetext" href="http://data.netlab.360.com/feeds/dga/dga.txt">http://data.netlab.360.com/feeds/dga/dga.txt</a> - attention, quite
big! The domains at the beginning have a very near end date.
<br></pre><div><br></div><div><br></div><pre wrap="">_______________________________________________
Intelmq-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Intelmq-dev@lists.cert.at">Intelmq-dev@lists.cert.at</a>
<a class="moz-txt-link-freetext" href="http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev">http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev</a>
<br></pre></blockquote><div><br></div><pre class="moz-signature" cols="72">--
// Sebastian Wagner <a class="moz-txt-link-rfc2396E" href="mailto:wagner@cert.at"><wagner@cert.at></a> - T: +43 1 5056416 7201
// CERT Austria - <a class="moz-txt-link-freetext" href="https://www.cert.at/">https://www.cert.at/</a>
// Eine Initiative der nic.at GmbH - <a class="moz-txt-link-freetext" href="https://www.nic.at/">https://www.nic.at/</a>
// Firmenbuchnummer 172568b, LG Salzburg<br></pre><div><br></div><div><br></div><pre wrap="">_______________________________________________
Intelmq-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Intelmq-dev@lists.cert.at">Intelmq-dev@lists.cert.at</a>
<a class="moz-txt-link-freetext" href="http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev">http://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev</a>
<br></pre></blockquote><div><br></div><pre class="moz-signature" cols="72">--
// Sebastian Wagner <a class="moz-txt-link-rfc2396E" href="mailto:wagner@cert.at"><wagner@cert.at></a> - T: +43 1 5056416 7201
// CERT Austria - <a class="moz-txt-link-freetext" href="https://www.cert.at/">https://www.cert.at/</a>
// Eine Initiative der nic.at GmbH - <a class="moz-txt-link-freetext" href="https://www.nic.at/">https://www.nic.at/</a>
// Firmenbuchnummer 172568b, LG Salzburg<br></pre></blockquote><div><br></div>