Ok, this may or may not be a tricky one I will try and be succinct in my statement. I have a database (mysql 4.0) with radius log entries for each day, we receive emails about Acceptable Use Abuses and must figure out exactly who was online with a certain IP address when the abuse occurred. As you will see below there are multiple starts and stops for any given IP address so here is the scenario: Problem: Spam Abuse IP of offender: 66.50.xxX.245 Date of offense: 2004-07-05 Time of offense: 16:15 Now if I query the database based on date and ip address, I get the following: Id Date Time Record Type Full Name IP Address ====== ==== ============ ============ ============ ========================= 349 2004-07-05 11:21:08 Start [EMAIL PROTECTED] 66.50.xxX.245 345 2004-07-05 11:21:09 Start [EMAIL PROTECTED] 66.50.xxX.245 413 2004-07-05 11:22:32 Stop [EMAIL PROTECTED] 66.50.xxX.245 118984 2004-07-05 17:22:26 Start [EMAIL PROTECTED] 66.50.xxX.245 149049 2004-07-05 18:36:19 Stop [EMAIL PROTECTED] 66.50.xxX.245 90344 2004-07-05 16:09:40 Start [EMAIL PROTECTED] 66.50.xxX.245 90380 2004-07-05 16:09:40 Start [EMAIL PROTECTED] 66.50.xxX.245 97630 2004-07-05 16:28:20 Stop [EMAIL PROTECTED] 66.50.xxX.245 97671 2004-07-05 16:28:20 Stop [EMAIL PROTECTED] 66.50.xxX.245 97598 2004-07-05 16:28:20 Stop [EMAIL PROTECTED] 66.50.xxX.245 149142 2004-07-05 18:36:33 Start [EMAIL PROTECTED] 66.50.xxX.245 310758 2004-07-05 18:36:33 Start [EMAIL PROTECTED] 66.50.xxX.245 117382 2004-07-05 17:18:34 Start [EMAIL PROTECTED] 66.50.xxX.245 117437 2004-07-05 17:18:34 Start [EMAIL PROTECTED] 66.50.xxX.245 117351 2004-07-05 17:18:34 Start [EMAIL PROTECTED] 66.50.xxX.245 118181 2004-07-05 17:20:34 Stop [EMAIL PROTECTED] 66.50.xxX.245 807 2004-07-05 11:27:55 Start [EMAIL PROTECTED] 66.50.xxX.245 805 2004-07-05 11:27:56 Start [EMAIL PROTECTED] 66.50.xxX.245 158170 2004-07-05 18:56:54 Start [EMAIL PROTECTED] 66.50.xxX.245 161543 2004-07-05 19:04:02 Stop [EMAIL PROTECTED] 66.50.xxX.245 110780 2004-07-05 17:01:56 Start [EMAIL PROTECTED] 66.50.xxX.245 116436 2004-07-05 17:16:09 Stop [EMAIL PROTECTED] 66.50.xxX.245 now of course I changed the usernames and modified the IP for this mailing but that doesn't matter, now, the time field in the Database IS a time data type. What I need to be able to do is find the start before the offense time, and the stop after the offense time so I know that the person with the start and the stop is the one that committed the abuse. I haven't actually put code to bits yet, because I am not exactly sure how to go about creating this logic code. I don't think I can just say if $timefield < time of offense and $timefield > time of offense; return some stuff. So any help on how to start with this would be greatly appreciated. Chris Hood Investigator Verizon Global Security Operations Center Email: <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED] Desk: 972.399.5900
Verizon Proprietary NOTICE - This message and any attached files may contain information that is confidential and/or subject of legal privilege intended only for the use by the intended recipient. If you are not the intended recipient or the person responsible for delivering the message to the intended recipient, be advised that you have received this message in error and that any dissemination, copying or use of this message or attachment is strictly forbidden, as is the disclosure of the information therein. If you have received this message in error please notify the sender immediately and delete the message.