Feature #535: new keywords - time , day - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #535

open

new keywords - time , day

Added by Peter Manev about 12 years ago. Updated over 5 years ago.

Status:

New

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Effort:

low

Difficulty:

low

Label:

Description

It would be beneficial if we introduce "time" and "day" keywords.

ex:

alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30; day:Saturday,Sunday;)
alert if this is between 12:23 and 15:30 on a Sunday or Saturday

the same idea here:
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; day:Saturday,Sunday;)
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30; )

also very important:
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30,packet; day:Saturday,Sunday;)
where time:12.23,>,15.30,packet; is the time of the packet

and
alert ip any any-> any any (msg:"Time and Day based alert "; content:"login failed"; time:12.23,>,15.30,OS; day:Saturday,Sunday;)
where time:12.23,>,15.30,OS; is the current time of the OS

pros?
cons?

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #535

new keywords - time , day

Updated by Eric Leblond about 12 years ago

Updated by Victor Julien about 12 years ago

Updated by Andreas Herz almost 9 years ago

Updated by Andreas Herz over 7 years ago

Updated by Victor Julien over 6 years ago

Updated by Andreas Herz over 5 years ago

Updated by Shivani Bhardwaj over 5 years ago