Any thoughts on this?
Dear list,

in pull request #944 (netlab 360 enh [0]) by navtej an issue came up which can't be solved trivially:

The feed Netlab 360 DGA [1] - which is already included in intelmq - provides a validity time frame for each domain. Most of those (~90%) end in 2030 while the start date is the current day at 00:00. So both start and end time are artificial. And the source claims the event is valid in the future, which is very odd. And does it actually make sense to forward this kind of information? Also, we can't really handle this time information using the current harmonization.

One idea would be to set time.source to time.observation if the time.source is in the future. So time.source <= time.observation does always apply.

What do you think?

Sebastian

[0]: https://github.com/certtools/intelmq/pull/944
[1]: http://data.netlab.360.com/feeds/dga/dga.txt - attention, quite big! The domains at the beginning have a very near end date.
--
// Sebastian Wagner <wagner@cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, Salzburg Regional Court
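The clamping idea from the message above, sketched as an added example that is not part of the original mail and not IntelMQ's own code. It assumes events are plain dicts with ISO 8601 strings; the function names, sample domains and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone


def parse_utc(value):
    """Parse an ISO 8601 timestamp; naive values are assumed to be UTC."""
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def clamp_time_source(event):
    """Return (copy of event, clamped flag) so time.source <= time.observation."""
    result = dict(event)
    if "time.source" not in result:
        return result, False  # nothing to clamp
    source = parse_utc(result["time.source"])
    observation = parse_utc(result["time.observation"])
    # Compare as aware datetimes: string comparison breaks with UTC offsets.
    clamped = source > observation
    if clamped:
        source = observation
    result["time.source"] = source.isoformat()
    result["time.observation"] = observation.isoformat()
    return result, clamped


def count_clamped(events):
    """Number of events whose time.source had to be pulled back."""
    return sum(1 for event in events if clamp_time_source(event)[1])


# Constructed sample events (not taken from the real feed).
OBSERVED = "2017-05-02T09:30:00+00:00"
SAMPLE_EVENTS = [
    # artificial end date far in the future -> clamped
    {"source.fqdn": "dga-a.example", "time.source": "2030-01-01T00:00:00+00:00",
     "time.observation": OBSERVED},
    # start date "today 00:00" -> already in the past, kept
    {"source.fqdn": "dga-b.example", "time.source": "2017-05-02T00:00:00+00:00",
     "time.observation": OBSERVED},
    # looks later as text, but is 09:00 UTC -> kept
    {"source.fqdn": "dga-c.example", "time.source": "2017-05-02T11:00:00+02:00",
     "time.observation": OBSERVED},
    # looks earlier as text, but is 11:00 UTC -> clamped
    {"source.fqdn": "dga-d.example", "time.source": "2017-05-02T09:00:00-02:00",
     "time.observation": OBSERVED},
]
```

The clamped flag lets an operator count how many events per run carried a future timestamp, which is useful for judging how artificial a feed's time data is.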