From 1f1937e7b051cbab2a0c913c3fe70356bffab3cb Mon Sep 17 00:00:00 2001
From: alya
Date: Thu, 23 May 2024 14:35:18 +0300
Subject: [PATCH] add the graph from parse_alerts_table() to the readme

---
 README.md | 10 +++++++++-
 parsers/slips.py | 1 -
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9dbc9b4..01f4d82 100644
--- a/README.md
+++ b/README.md
@@ -149,7 +149,15 @@ are discarded. The number of discarded flows is written in the cli at the end of
 * the flows read by suricata, slips and the gt don't have to be the same, meaning that, the final flows count don't have to match because each tool reads the pcap differently
 * timewindow numbers may be negative if a flow is found with a flow timestamp < timestamp of the first flow seen
-
+* if a slips alert exists in parts of 2 timewindows
+* what we're doing here is marking bith timewindows as malicious
+ 1:30 2:30
+ │ slips alert │
+ ├──────────────────────┤
+ 1:00 2:00 3:00
+ ├───────────────────────────┼────────────────────────────┤
+ │ tw 1 tw 2 │
 ---
diff --git a/parsers/slips.py b/parsers/slips.py
index b317741..4bfc858 100644
--- a/parsers/slips.py
+++ b/parsers/slips.py
@@ -125,7 +125,6 @@ def parse_alerts_table(self):
 # 1:00 2:00 3:00
 # ├───────────────────────────┼────────────────────────────┤
 # │ tw 1 tw 2 │
- # for ts in (, alert['tw_end']):
 self.mark_tw_as_malicious(alert['tw_start'], alert['ip_alerted'])
 # the goal of this is the following:
 # if slips has an alert from 1:00 to 2:00 then we shouldnt mark
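Review bot: The README bullet added in the first hunk states that both timewindows are marked as malicious, but the only marking call visible in the parse_alerts_table hunk after the deletion is `self.mark_tw_as_malicious(alert['tw_start'], alert['ip_alerted'])`, which covers tw_start alone; the removed `# for ts in (, alert['tw_end']):` was the unfinished attempt to also cover tw_end. If tw_end is handled further down (the function continues outside the hunk, and the trailing comment `# if slips has an alert from 1:00 to 2:00 then we shouldnt mark` suggests a deliberate exception), the README bullet should state that condition instead of the unconditional claim, otherwise the new documentation and the code disagree on what is considered malicious. The same bullet also has a typo, `bith` for `both`.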