Good evening! Congratulations!
I have a question regarding labeling alerts according to the time of vulnerability. I think that using timestamp and start, the flow timestamp itself, their difference (start - timestamp) would be a reasonable argument to understand the beginning of the alert record and the effectiveness in the data flow (packets and bytes in both directions). Considering the characteristics of these attributes (timestamp and start) in the log, could it happen that the value (in seconds) would be negative? Can this happen? Any other suggestions regarding criteria for labeling vulnerability? besides the SID reference? How could I relate this to category and severity?