time search type indicator

Carter Bullard carter at qosient.com
Thu Jun 24 12:01:59 EDT 2010


Gentle people,
I'm finishing the time searching features for the MySQL tools and would like some
opinions on an old topic.

In all the ra* tools, we support a time filter.  Pretty flexible option.  An obscure feature,
which I don't think a lot of people use, is the "time comparison indicator", which allows
you to specify how you want the time comparison done.  The current support as
described in the man page:

  timeComparisonInd: i | n | c    (default = i)
    i  intersects match records that were active during this time period
    n  includes   match records that start before and end after the period
    c  contained  match records that start and end during the period

Most may not realize that uses of the 'n' and 'c' options really help in forensics analysis,
and service dependency determinations.  "What flows were initiated and terminated while
this flow existed" helps in dependency analysis, and "what flows include this time
range" (i.e. they span the time range) helps when looking for command and control flows
that could be influencing this specific transaction, just as a simple example.  So when
you're looking at 'ftp-data' flows, it's nice to be able to find the control 'ftp' flow that should
also exist.

I'm now implementing these for the MySQL time queries, and there are a few additional
modes that we could support.  I'm thinking about adding negation of the comparison test.

I'd like to know if the group would support additional modes, and if there are suggestions on
how to best specify them on the command line.  I don't suggest using '!' for negation; I was thinking
of prepending an 'x', so that the actual format is:

  timeComparisonInd: [x][i | n | c]   (default = i)
    x  negation option
    i  intersects match records that were active during this time period
    n  includes   match records that start before and end after the period
    c  contained  match records that start and end during the period

This will give us most of the set operations I can think of.  But there are a few more that I'm sure
I'm not thinking of.  Thoughts?

Hope all is most excellent,

Carter
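The three comparison modes and the proposed 'x' negation prefix, written out as an added example (this is not Argus or ra* code from the post); the inclusive treatment of period boundaries and the stime/ltime column names in the generated WHERE clause are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    name: str
    start: float  # flow start time (seconds since epoch)
    end: float    # flow last/end time

def parse_indicator(ind: str = "i"):
    """Parse the proposed '[x][i|n|c]' syntax into (negate, mode); default is 'i'."""
    ind = ind.strip().lower()
    negate = ind.startswith("x")
    mode = (ind[1:] if negate else ind) or "i"
    if mode not in ("i", "n", "c"):
        raise ValueError(f"bad time comparison indicator: {ind!r}")
    return negate, mode

def matches(flow: Flow, p_start: float, p_end: float, ind: str = "i") -> bool:
    """Apply one time comparison to a record; period bounds are inclusive (assumption)."""
    negate, mode = parse_indicator(ind)
    if mode == "i":    # intersects: record active at some point during the period
        hit = flow.start <= p_end and flow.end >= p_start
    elif mode == "n":  # includes: record starts before and ends after the period
        hit = flow.start <= p_start and flow.end >= p_end
    else:              # contained: record starts and ends within the period
        hit = flow.start >= p_start and flow.end <= p_end
    return hit != negate  # the 'x' prefix flips the result

def sql_where(p_start: float, p_end: float, ind: str = "i",
              stime: str = "stime", ltime: str = "ltime") -> str:
    """The same test as a WHERE clause; column names stime/ltime are assumed."""
    negate, mode = parse_indicator(ind)
    cond = {
        "i": f"{stime} <= {p_end} AND {ltime} >= {p_start}",
        "n": f"{stime} <= {p_start} AND {ltime} >= {p_end}",
        "c": f"{stime} >= {p_start} AND {ltime} <= {p_end}",
    }[mode]
    return f"NOT ({cond})" if negate else cond

def select(flows, p_start, p_end, ind="i"):
    return [f.name for f in flows if matches(f, p_start, p_end, ind)]

# Constructed sample records: an ftp-data transfer, its control connection,
# a short DNS lookup, a long-lived flow, and an unrelated later flow.
SAMPLE = [
    Flow("ftp-ctl", 100, 400), Flow("ftp-data", 200, 300), Flow("dns", 190, 210),
    Flow("long-lived", 50, 1000), Flow("unrelated", 500, 600),
]

if __name__ == "__main__":
    # "what flows include this time range": the control flow spans ftp-data's lifetime
    print(select(SAMPLE, 200, 300, "n"))
    print(sql_where(200, 300, "xc"))
```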