[Dshield] gzip'ed logs
rlynch4 at mindspring.com
Sun Aug 12 18:04:39 GMT 2001
Given the size of my log files -- ~5M per hour, I'd like to submit
them gzip'ed... which pulls it down to ~250K.
Is this okay?...
[venting follows -- ignore freely]
I'm getting like 30,000 TCP packets PER HOUR mostly on ports 137 &
138. Mostly broadcast to a.b.c.255 IPs.
Some of these IPs have had the same damn DHCP (gethostbyaddr checked
regularly, never changes -- neither has my IP) since day one and are
still spewing, so the ISP is clearly not working real hard at
tracking down the victims. The ISP's attitude is that my bandwidth
isn't suffering enough for it to be an attack.
Got gzip'ed logrotate'd archived logs going back to June 23rd-ish
when I plugged in the cable-modem and firewall.
Inserting them into a database now to make search/sort for patterns easier.
Weekly contact with the ISP has been fruitless.
It's getting to the point where every IP should have an email of the
machine's nominal owner to complain to, if you ask me.
Sorry, but I'm not on-list, and really can't add it to the volume of
PHP-General and a dozen small lists, so please cc: me with any
If you're in Chicago, Cable -> AT&T Broadband -> Epoch are to be
avoided if you want firewall logs that make sense.
WARNING richard at zend.com email address is an endangered species
Use ceo at l-i-e.com instead
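To illustrate the "insert the gzip'ed logs and search for patterns" step in the post above, here is an added example (not the poster's own tooling, and not DShield's submission format): it reads a gzip-compressed firewall log straight from memory, parses each line, and tallies the NetBIOS broadcast noise on ports 137/138 aimed at a.b.c.255 addresses per source IP, which is exactly the kind of sort/count the poster wanted a database for. The log line format and the sample records are constructed assumptions using documentation address ranges.

```python
import gzip
import io
import re
from collections import Counter

# Constructed sample log (hypothetical format, not the poster's firewall's):
# "<date> <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2001-08-12 17:00:01 TCP 192.0.2.3:1035 -> 192.0.2.255:137
2001-08-12 17:00:02 UDP 192.0.2.3:137 -> 192.0.2.255:137
2001-08-12 17:00:05 TCP 192.0.2.77:4092 -> 192.0.2.255:138
2001-08-12 17:00:07 TCP 203.0.113.30:2222 -> 192.0.2.44:80
2001-08-12 17:00:09 TCP 192.0.2.3:1036 -> 192.0.2.255:137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def compress(text):
    """gzip a text log, the same way logrotate's compressed archives are stored."""
    return gzip.compress(text.encode())

def parse_gz_log(gz_bytes):
    """Yield one dict per well-formed line of a gzip-compressed log held in memory."""
    with gzip.open(io.BytesIO(gz_bytes), "rt") as fh:
        for line in fh:
            m = LINE_RE.match(line.strip())
            if m:  # silently skip lines that do not match the assumed format
                rec = m.groupdict()
                rec["sport"] = int(rec["sport"])
                rec["dport"] = int(rec["dport"])
                yield rec

def summarize(records, netbios_ports=(137, 138, 139)):
    """Return (hits per source IP, NetBIOS hits per (source, port) sent to a .255 broadcast).

    The second counter isolates the Windows name-service chatter the poster describes,
    so the noisy neighbours on the cable segment stand out from real inbound probes.
    """
    per_source = Counter()
    broadcast_netbios = Counter()
    for r in records:
        per_source[r["src"]] += 1
        if r["dport"] in netbios_ports and r["dst"].endswith(".255"):
            broadcast_netbios[(r["src"], r["dport"])] += 1
    return per_source, broadcast_netbios
```

Run over a real logrotate archive by passing the file's bytes to parse_gz_log and adjusting LINE_RE to the firewall's actual line layout.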