Nowadays there is little support for comparing timestamps if they are not presented in epoch time. I had (and lost it) an example where metadata dates came in free-text strings; when I find it, I'll share it.
To address this, I propose adding two new functions to the time module, inspired by Python's strftime and strptime where you could transform epoch into date format and vice versa.
This way we could do rules like:
```yara
import "pe"
import "time"

rule example {
    strings:
        $time1 = "2024-10-29"
    condition:
        // time.strptime is the function proposed in this issue
        pe.timestamp <= time.strptime($time1, "%Y-%m-%d")
}
```
All the examples that come to mind now are using the vt module: vt.metadata.exiftool["CreateDate"].
But this feature will probably allow some flexibility in future rules, even in free text matching.
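The conversion the proposed functions would perform, sketched in Python as an added example (not part of the original issue and not YARA code). The names `to_epoch`, `from_epoch` and `built_on_or_before` and the exiftool-style formats are assumptions, and the sample values are constructed.

```python
from datetime import datetime, timezone

# Formats tried in order. The exiftool-style entries are an assumption about
# what free-text metadata dates look like; only the first is from the issue.
FORMATS = (
    "%Y-%m-%d",             # format used in the issue's rule
    "%Y:%m:%d %H:%M:%S%z",  # exiftool style with a UTC offset
    "%Y:%m:%d %H:%M:%S",    # exiftool style without an offset
)


def to_epoch(text, formats=FORMATS):
    """strptime direction: date string -> UTC epoch, or None if unparseable."""
    for fmt in formats:
        try:
            parsed = datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            # Pin naive values to UTC so the result does not depend on the
            # local timezone of the machine evaluating the comparison.
            parsed = parsed.replace(tzinfo=timezone.utc)
        return int(parsed.timestamp())
    return None


def from_epoch(epoch, fmt="%Y-%m-%d"):
    """strftime direction: UTC epoch -> formatted date string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def built_on_or_before(pe_timestamp, date_text):
    """Mirror of the rule's condition; an unparseable date never matches."""
    cutoff = to_epoch(date_text)
    return cutoff is not None and pe_timestamp <= cutoff


if __name__ == "__main__":
    # Constructed sample values.
    print(to_epoch("2024-10-29"))
    print(to_epoch("2024:10:29 02:00:00+02:00"))
    print(from_epoch(1730160000))
    print(built_on_or_before(1730160001, "2024-10-29"))
```

A date-only string resolves to midnight UTC, so a timestamp later on the same day does not satisfy `<=`; a rule author comparing against a day boundary has to account for that.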