[Study] How coslty would it be to store start / end times with ports in view

[p-l-]

It may be interesting in a view result to know when a certain port has been seen open. For now, start and end times are only stored at the host level.

Storing start and stop times for each port would be handy, but may also be expensive (it might be an option). Also, should we set those time values for the first and last time we saw the port open? Or with the same service, product and version identified? Should we also store a timestamp for scripts elements?

This may be discussed here.

[duncrow]

Personally, I'd love to see start/stop time at port levels, including service and product information. The more information the better :)

At the moment, I run various nmap scans periodically which I import in IVRE and addionally store the output of -oX and -oG on disk with its respective date, so I can search for changes over time. If I could see sort of a "timeline of changes" in IVRE,, I'd really love that feature.

[p-l-]

Thanks @duncrow, that's helpful for me to know others may be interested in that!

[itnsec]

Very usefull feature, that i would use in incidents analysis ... (since when this port was exposed)
An history view of a specific IP on the WebUI would be enough for me. For now, i use the CLI for that.

[p-l-]

Very usefull feature, that i would use in incidents analysis ... (since when this port was exposed) An history view of a specific IP on the WebUI would be enough for me. For now, i use the CLI for that.

Interesting. Actually this could be done without changing the view: we could create a /history.html endpoint, for one IP address. I like the idea!

[itnsec]

I like the idea too ! 👍