[Dshield] gzip'ed logs

Richard Lynch rlynch4 at mindspring.com
Sun Aug 12 18:04:39 GMT 2001


Given the size of my log files -- ~5M per hour, I'd like to submit 
them gzip'ed...  which pulls it down to ~250K.

Is this okay?...

[venting follows -- ignore freely]

I'm getting like 30,000 TCP packets PER HOUR mostly on ports 137 & 
138.  Mostly broadcast to a.b.c.255 IPs.

Some of these IPs have had the same damn DHCP (gethostbyaddr checked 
regularly, never changes -- neither has my IP) since day one and are 
still spewing, so the ISP is clearly not working real hard at 
tracking down the victims.  The ISP's attitude is that my bandwidth 
isn't suffering enough for it to be an attack.

Got gzip'ed logrotate'd archived logs going back to June 23rd-ish 
when I plugged in the cable-modem and firewall.

Inserting them into a database now to make search/sort for patterns easier.

Weekly contact with the ISP has been fruitless.

It's getting to the point where every IP should have an email of the 
machine's nominal owner to complain to, if you ask me.

Sorry, but I'm not on-list, and really can't add it to the volume of 
PHP-General and a dozen small lists, so please cc: me with any 
replies.

If you're in Chicago, Cable -> AT&T Broadband -> Epoch are to be 
avoided if you want firewall logs that make sense.
-- 
WARNING richard at zend.com email address is an endangered species
Use ceo at l-i-e.com instead
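The post mentions loading the gzip'ed, logrotate'd firewall archives into a database to make searching for patterns easier, with the bulk of the traffic being NetBIOS (ports 137/138) chatter broadcast to a.b.c.255 addresses. The following is an added example, not code from the original post or from DShield, showing one way to do that in Python with SQLite: the log line format is an assumed iptables-style "SRC= DST= PROTO= SPT= DPT=" line, and the sample lines are constructed for illustration. It separates the broadcast noise (counted per source, so the persistent offenders stand out) from the remaining rows that are actually worth examining.

```python
"""Load gzip'ed or plain firewall logs into SQLite and separate NetBIOS
broadcast noise (ports 137/138 to a.b.c.255) from the rest.

Added example; not code from the original post.  The log format is an
assumed iptables-style "SRC= DST= PROTO= SPT= DPT=" line, and the sample
lines are constructed for illustration.
"""
import gzip
import re
import sqlite3
from typing import Iterable, Iterator, Optional

# Assumed log line shape (iptables/netfilter kernel log style).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

NETBIOS_PORTS = (137, 138)

# Constructed sample lines (not from the original post); the last one is
# deliberately malformed to show that unparseable lines are skipped.
SAMPLE_LOG = """\
Aug 12 17:01:02 fw kernel: IN=eth0 SRC=24.1.2.3 DST=24.1.2.255 PROTO=UDP SPT=137 DPT=137 LEN=78
Aug 12 17:01:05 fw kernel: IN=eth0 SRC=24.1.2.3 DST=24.1.2.255 PROTO=UDP SPT=138 DPT=138 LEN=229
Aug 12 17:01:09 fw kernel: IN=eth0 SRC=24.1.2.77 DST=24.1.2.255 PROTO=UDP SPT=137 DPT=137 LEN=78
Aug 12 17:02:11 fw kernel: IN=eth0 SRC=24.1.2.3 DST=24.1.2.255 PROTO=UDP SPT=137 DPT=137 LEN=78
Aug 12 17:02:40 fw kernel: IN=eth0 SRC=203.0.113.9 DST=24.1.2.40 PROTO=TCP SPT=4321 DPT=22 LEN=60
Aug 12 17:03:15 fw kernel: IN=eth0 SRC=203.0.113.9 DST=24.1.2.40 PROTO=TCP SPT=4322 DPT=80 LEN=60
Aug 12 17:03:20 fw kernel: truncated line with no packet fields
"""


def open_log(path: str) -> Iterator[str]:
    """Yield lines from a plain or gzip'ed (logrotate'd) log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield line.rstrip("\n")


def parse_line(line: str) -> Optional[dict]:
    """Extract the packet fields; return None for lines that don't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["spt"] = int(d["spt"])
    d["dpt"] = int(d["dpt"])
    return d


def load_into_db(lines: Iterable[str],
                 conn: Optional[sqlite3.Connection] = None) -> sqlite3.Connection:
    """Insert parsed lines into an SQLite table (in-memory by default)."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS fwlog ("
        "ts TEXT, src TEXT, dst TEXT, proto TEXT, spt INTEGER, dpt INTEGER)"
    )
    rows = (
        (d["ts"], d["src"], d["dst"], d["proto"], d["spt"], d["dpt"])
        for d in map(parse_line, lines) if d is not None
    )
    conn.executemany("INSERT INTO fwlog VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def netbios_broadcast_sources(conn: sqlite3.Connection) -> list:
    """Sources sending NetBIOS (137/138) to a .255 broadcast address, noisiest first."""
    cur = conn.execute(
        "SELECT src, COUNT(*) AS hits FROM fwlog "
        "WHERE dpt IN (?, ?) AND dst LIKE '%.255' "
        "GROUP BY src ORDER BY hits DESC, src",
        NETBIOS_PORTS,
    )
    return cur.fetchall()


def everything_else(conn: sqlite3.Connection) -> list:
    """Rows left once the broadcast chatter is excluded: the part worth pattern-searching."""
    cur = conn.execute(
        "SELECT ts, src, dst, proto, dpt FROM fwlog "
        "WHERE NOT (dpt IN (?, ?) AND dst LIKE '%.255') ORDER BY ts",
        NETBIOS_PORTS,
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = load_into_db(SAMPLE_LOG.splitlines())
    print("NetBIOS broadcast sources:", netbios_broadcast_sources(db))
    print("Remaining rows:", everything_else(db))
    # For real archives: db = load_into_db(open_log("/path/to/firewall.log.1.gz"))
```

The per-source count from `netbios_broadcast_sources` is the figure to hand to an ISP: a source that appears in every hourly archive for weeks is much harder to dismiss than a raw packet count. Keeping the noise filter as a query rather than dropping those rows at load time means the full record is still there if the pattern of interest later turns out to involve those same hosts.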