[Dshield] Duplication of Data

David Kennedy CISSP david.kennedy at acm.org
Mon Jul 9 12:00:00 GMT 2001


Do DShield, Mynewatchman and Incidents cooperate to reduce the amount
of probe/intrusion reporting that's duplicated among them?  I see
from DS' home page some 24M lines of data, but no clear indication of
# of reporting agents.  MNW reports 600-odd agents.  It's unclear
where Incidents gets data other than from DS and MNW.  With only 600
agents, it would not take a great deal of duplication to skew the
reports.

For example, #5 on the DS top 10 list now is 80/TCP with ~5K
reports/day.  But #4 is FTP which also has had days with only ~5K of
reports.  If 1/3 of MNW's reports are also duplicated on DS, it could
skew the results compiled by Incidents.  If the numbers are still
small now, perhaps now is the best time to address this before the
numbers get too large to scale a fix?

Suggestion:  Just ask reporters not to duplicate their submissions;
put a note on the DS registration and client download pages asking
that the data only be reported to DS.  If you want to get
sophisticated, have the clients look in default locations for each
other.  If another client is found, either return an error to the user
or include the error in the log submission.

-- 
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.



