[Dshield] Database Integrity?

Hank hank at panamahank.com
Sun Mar 11 16:11:07 GMT 2001


I think the lesson learned here is 'if you scan your own system, edit
your logs before you send them'.  Anyone who expects others, whether
Dshield or the Federal Government, to clean up for them is going to be
disappointed.  Next time, remove entries where you scanned yourself
before submitting the logs.

Hank

Dan Crooks wrote:
> Luckily I keep all my submission reports to DShield. I reviewed the dates
> in question and discovered that on those dates I had run port scans on my
> machine using nmap to look for weaknesses in my own system. The log I
> submitted to DShield shows the same IP as attacker and attackee!!
>
> If government agencies are going to use DShield reports to track attackers
> there has got to be some way to prevent this kind of mistake. Had this
> agency decided to seize my equipment based on the information they
> received from DShield it would have smeared the whole DShield project.
> Error checking must be accomplished on reports submitted to DShield BEFORE
> being written to the database, otherwise the database is useless.
>
> If DShield receives reports that contain the same IP for both inbound and
> outbound it should NOT add them to the database?


-- Hank, hank at panamahank.com on 03/11/2001
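
The pre-submission cleanup discussed in this thread, as an added example that is not part of the original messages and is not DShield's own code. It assumes a tab-separated log with the source IP in the fourth field and the target IP in the sixth; the field positions, the `split_self_scans` name and the sample lines are assumptions made for illustration.

```python
import ipaddress

# Assumed layout (not given in the thread): tab-separated fields with
# source IP at index 3 and target IP at index 5.
SRC_FIELD, DST_FIELD = 3, 5

def _ip(text):
    """Parse an address; return None if the field is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def split_self_scans(lines, own_addresses=()):
    """Return (keep, dropped, unparsed) lists of log lines.

    A line is dropped when its source equals its target, or when its source
    is one of the submitter's own addresses (e.g. an nmap run from a second
    local machine). Lines that cannot be parsed are set aside for review
    rather than silently submitted or discarded.
    """
    own = {ipaddress.ip_address(a) for a in own_addresses}
    keep, dropped, unparsed = [], [], []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) <= DST_FIELD:
            unparsed.append(line)
            continue
        src, dst = _ip(fields[SRC_FIELD]), _ip(fields[DST_FIELD])
        if src is None or dst is None:
            unparsed.append(line)
        elif src == dst or src in own:
            dropped.append(line)
        else:
            keep.append(line)
    return keep, dropped, unparsed

# Constructed sample lines (documentation address ranges, not real data).
SAMPLE = [
    "2001-03-09 10:00:01 +00:00\tuser1\t1\t203.0.113.7\t4431\t192.0.2.10\t21\tTCP\tS",
    "2001-03-09 10:05:12 +00:00\tuser1\t1\t192.0.2.10\t40211\t192.0.2.10\t23\tTCP\tS",
    "2001-03-09 10:05:13 +00:00\tuser1\t1\t192.0.2.11\t40212\t192.0.2.10\t80\tTCP\tS",
    "garbled line without enough fields",
]

if __name__ == "__main__":
    keep, dropped, unparsed = split_self_scans(SAMPLE, own_addresses=["192.0.2.11"])
    print(f"submit {len(keep)}, removed {len(dropped)}, review {len(unparsed)}")
```

Reviewing the dropped and unparsed lists before sending keeps a record of what was withheld and why.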



