fix problem returning the tw of timestamps

stratosphereips · May 8, 2024 · bc06b48 · bc06b48
1 parent f8557bc
commit bc06b48
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/database/sqlite_db.py b/database/sqlite_db.py
@@ -107,6 +107,12 @@ def init_tables(self):
                              f"VALUES ('{tool}', 0)")
 
 
+    def init_discarded_flows_table(self):
+        # init the count of discarded_flows
+        self.execute(f"INSERT INTO discarded_flows (tool, count) "
+                     f"VALUES ('slips', 0)")
+        self.execute(f"INSERT INTO discarded_flows (tool, count) "
+                     f"VALUES ('suricata', 0)")
 
     def store_performance_errors_flow_by_flow(self, tool, metrics: dict):
         """
@@ -437,12 +443,15 @@ def get_timewindows_limit(self) -> Tuple[str, str]:
     def get_timewindow_of_ts(self, ts: float) -> int:
         """
         returns the timewindow in which the given timestamp belongs to
+        DISCLAIMER
+        if the given ts ==the start of a tw, it will belong to this tw
+        if the given ts == the end of a tw, it will belong to the next tw
         :param ts: float unix timestamp
         :param tool: options are slips, suricata, or ground_truth
         :return: the timewindow number
         """
         # todo should be moved to twid handler
-        condition = f"{ts} >= start_time AND {ts} <= end_time "
+        condition = f"{ts} >= start_time AND {ts} < end_time "
         results: list = self.select(self.tables.TIMEWINDOW_DETAILS,
                                     'timewindow',
                                     condition=condition)

diff --git a/parsers/ground_truth.py b/parsers/ground_truth.py
@@ -53,7 +53,7 @@ def init(self,
         elif ground_truth_type == 'file':
             self.gt_zeek_file  = ground_truth
 
-        # check th etype of the given zeek file/dir with
+        # check the type of the given zeek file/dir with
         # ground truth labels. 'tab-separated' or 'json'?
         self.zeek_file_type: str = self.check_type()
         self.read_config()

diff --git a/parsers/slips.py b/parsers/slips.py
@@ -111,13 +111,14 @@ def parse_alerts_table(self):
         and marking them as malicious in this tools' db
         """
         for alert in self.iterate('alerts'):
-            # what we're doing here is marking tw 1 and 2 as malicious if a slips alert exists in parts of both
-            #                      1:30                           2:30
-            #                      │          slips alert          │
-            #                      ├───────────────────────────────┤
+            # what we're doing here is marking tw 1 and 2 as malicious if a
+            # slips alert exists in parts of both
+            #                1:30                  2:30
+            #                 │      slips alert     │
+            #                 ├──────────────────────┤
             # 1:00                                 2:00                                  3:00
-            # ├────────────────────────────────────┼─────────────────────────────────────┤
-            # │             tw 1                   │            tw 2                     │
+            # ├───────────────────────────┼────────────────────────────┤
+            # │             tw 1                 tw 2                  │
 
             for ts in (alert['tw_start'], alert['tw_end']):
                 self.mark_tw_as_malicious(ts , alert['ip_alerted'])