Subject: Re: [cti-stix] STIX timestamps and ISO 8601:2000
On 24.11.2015 02:36:50, Terry MacDonald wrote:
>
> I think that we have to put this whole discussion in perspective.
> Most organizations have difficulty in discovering they have a
> breach within days and weeks, not within a second. So going with
> B) iii) and having the precision within 1 second realistically is
> good enough in my opinion. It is far more likely that all the
> clocks on the network are not synchronized, and all the tools are
> reporting different and unrelated times and that they are way
> more than a second out of alignment with each other. The zeroed
> out millisecond timestamp doesn't impact us much when we have
> real-world problems such as that.
>

I agree with Terry, however...

On 23.11.2015 20:51:09, Wunder, John A. wrote:
>
> This is not to say that we need a precision field, just that if we
> do it should be explicit rather than implicit.
>

...I also agree with John.

On the one hand, I can't count the number of times I've seen investigations get thrown under the bus due to clock-sync issues. On the other hand, recent history has shown that historical assumptions made about datetime can come back to bite us with a vengeance.

So I think we should just use the standard explicitly. The producer can use the level of precision they support and intend to communicate, the consumer can easily recognize the level of precision coming from the producer, and handle it appropriately. Doing this in the manner illustrated below imposes less burden on the consumer than handling an optional 'precision' field while accomplishing the same goal.

<snip>
#!/usr/bin/env python
import re

nanoseconds = '2015-11-24T09:42:54.003259294Z'
microseconds = '2015-11-24T09:42:54.003259Z'
milliseconds = '2015-11-24T09:42:54.003Z'
seconds = '2015-11-24T09:42:54Z'
minutes = '2015-11-24T09:42Z'
# You get the idea...

timestamps = [nanoseconds, microseconds, milliseconds, seconds, minutes]

# One pattern per precision level. The fractional-second separator is a
# literal dot, so it is escaped; '$' ensures nothing trails the 'Z'.
nano_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{9}Z$')
micro_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}Z$')
milli_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$')
sec_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$')
min_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z$')

# re.match anchors at the start of the string, so the order of the
# checks only matters for readability: each pattern is exclusive.
for ts in timestamps:
    if nano_re.match(ts):
        print('Found nanosecond time...')
    elif micro_re.match(ts):
        print('Found microsecond time...')
    elif milli_re.match(ts):
        print('Found millisecond time...')
    elif sec_re.match(ts):
        print('Found second time...')
    elif min_re.match(ts):
        print('Found minute time...')
</snip>

There! Entirely explicit, uses RFC 3339 as intended, and there's one clear way of doing things without resorting to optional fields.

--
Cheers,
Trey

--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"It is always something." --RFC 1925
Attachment:
signature.asc
Description: PGP signature
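As an added example (not Trey's code and not part of the STIX specification), the consumer side of the approach above: instead of one regex per precision level, infer the number of digits the producer committed to from the RFC 3339 string itself, turn the timestamp into the interval it actually covers, and use that interval to decide whether two differently-precise timestamps can describe the same event. It is limited to the 'Z' (UTC) form used in the thread, and the sample timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps, one per precision level (not from the thread).
SAMPLES = [
    '2015-11-24T09:42:54.003259294Z',  # nanoseconds
    '2015-11-24T09:42:54.003259Z',     # microseconds
    '2015-11-24T09:42:54.003Z',        # milliseconds
    '2015-11-24T09:42:54Z',            # seconds
    '2015-11-24T09:42Z',               # minutes
]

# UTC-only RFC 3339 shape: seconds optional, 1-9 fractional digits, dot escaped.
RFC3339_UTC = re.compile(
    r'^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2})'
    r'(?::(\d{2})(?:\.(\d{1,9}))?)?Z$')


def precision_digits(ts):
    """Sub-minute digits the producer committed to: -1 = minutes,
    0 = whole seconds, n > 0 = n fractional-second digits."""
    m = RFC3339_UTC.match(ts)
    if m is None:
        raise ValueError('not a UTC RFC 3339 timestamp: %r' % ts)
    if m.group(6) is None:
        return -1
    return len(m.group(7) or '')


def interval(ts):
    """Half-open [start, end) that ts covers at its declared precision."""
    digits = precision_digits(ts)          # validates the string first
    m = RFC3339_UTC.match(ts)
    y, mo, d, h, mi = (int(m.group(i)) for i in range(1, 6))
    s = int(m.group(6) or 0)
    # datetime stores microseconds: truncate extra digits, never round.
    us = int(((m.group(7) or '') + '000000')[:6])
    start = datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)
    if digits == -1:
        width = timedelta(minutes=1)
    else:
        # 1 s for whole seconds, 1 ms for 3 digits, ...; floor at 1 us.
        width = timedelta(microseconds=10 ** max(6 - digits, 0))
    return start, start + width


def consistent(ts_a, ts_b):
    """True if both timestamps could denote the same instant."""
    a0, a1 = interval(ts_a)
    b0, b1 = interval(ts_b)
    return a0 < b1 and b0 < a1
```

A minute-precision '09:42Z' and a millisecond '09:42:54.003Z' are reported as consistent, while two whole-second timestamps one second apart are not; a consumer that compared the raw strings or zero-filled the missing digits would get both of those wrong.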