eenblam / peekapp

peekapp is a rule-based IDS layer. Just an old class project.

Differentiate alert system for static and in-flight analysis #4

Open eenblam opened 7 years ago

eenblam commented 7 years ago

In-Flight

The current alert system is designed for this use-case.

Static

A split-apply-combine strategy (or, group-map-reduce) should be implemented for organizing logs. Instead of a timeout between alerts, the time argument to peekapp should instead specify the tolerance time in which a group of logs should be clustered.

  1. Split by source, destination, and traffic type
  2. Split all by timestamp, based on timeout option. Do not isolate and push the first record as would occur during in-flight analysis.
  3. Apply/map step is identity on collection of records
  4. Combine/reduce by:
    • Summary record:
      • Earliest and latest record of group
      • Traffic type
      • Source and destination addresses
    • Log list:
      • Rule violated
      • Payload matched, if relevant

Each output could then be passed to a summarizing function accepting the interface.

Note that, while the implementation will need to be slightly different due to the timeout functionality, this method will be more readily testable than the existing in-flight system.
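The static split-apply-combine pass described above, as an added example that is not part of peekapp itself: the Record and Summary shapes, the field names, the tolerance argument and the sample alerts are assumptions, since peekapp's own log format is not shown in this issue.

```python
from dataclasses import dataclass
from itertools import groupby
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Record:
    ts: float                      # seconds since epoch
    src: str
    dst: str
    traffic: str                   # traffic type, e.g. "tcp" or "http"
    rule: str                      # name of the rule that fired
    payload: Optional[str] = None  # matched payload, if relevant

@dataclass
class Summary:
    earliest: float
    latest: float
    traffic: str
    src: str
    dst: str
    logs: List[Tuple[str, Optional[str]]]  # (rule violated, payload matched)

def split(records, tolerance):
    """Steps 1-2: group by (src, dst, traffic), cut where gaps exceed tolerance."""
    key = lambda r: (r.src, r.dst, r.traffic)
    clusters = []
    for _, group in groupby(sorted(records, key=lambda r: (key(r), r.ts)), key=key):
        current = []  # the first record stays in its cluster (not pushed early)
        for rec in group:
            if current and rec.ts - current[-1].ts > tolerance:
                clusters.append(current)  # gap exceeded: close this cluster
                current = []
            current.append(rec)
        clusters.append(current)
    return clusters

def summarize(records, tolerance):
    """Step 3 (apply) is the identity; step 4 reduces each cluster to a Summary."""
    return [Summary(c[0].ts, c[-1].ts, c[0].traffic, c[0].src, c[0].dst,
                    [(r.rule, r.payload) for r in c])
            for c in split(records, tolerance)]
# Constructed sample alerts (not real traffic): three port-scan hits seconds
# apart, a fourth 28 s later, one HTTP match, and one from a second source.
SAMPLE = [
    Record(100.0, "10.0.0.5", "10.0.0.9", "tcp", "port-scan"),
    Record(101.5, "10.0.0.5", "10.0.0.9", "tcp", "port-scan"),
    Record(102.0, "10.0.0.5", "10.0.0.9", "tcp", "port-scan"),
    Record(130.0, "10.0.0.5", "10.0.0.9", "tcp", "port-scan"),
    Record(100.2, "10.0.0.5", "10.0.0.9", "http", "path-traversal", "../../"),
    Record(100.9, "10.0.0.7", "10.0.0.9", "tcp", "port-scan"),
]
```

With a tolerance of 5 s the sample yields four summaries (the 130.0 hit lands in its own cluster); with 60 s it yields three, which is the behaviour the tolerance argument is meant to control.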

eenblam commented 7 years ago

See this SO post on replaying pcap files at the rate of the original packet transmissions.