[Dshield] Database Integrity

Johannes B. Ullrich jullrich at euclidian.com
Wed Mar 14 01:33:48 GMT 2001


  We got another report of a 'Top 10' entry that was based on bad firewall
rules. In this case, a DNS server was implicated. The records show packets
from a source port 53 to random target ports being rejected by a number of
'targets'. These records are harder to eliminate than the report we had last
week (source ip = target ip). I don't want to filter records based on source
ports, as a somewhat decent hacker will use well known source ports to avoid
detection. However, I think I will exclude these records from our 'Top 10'
calculation.

  Let me know what you think. And please have a look at your submission. In
that respect: One user reported that he only sees his oldest submissions.
Does anyone else have this problem? I wasn't able to reproduce it so far
(one of the reasons that I haven't responded to this issue yet... sorry).
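An added example, not part of the original post or of the DShield code, of the ranking rule described above: records are kept in the database untouched, but two kinds of records are left out of the 'Top 10' count, those with source ip = target ip and those that look like rejected DNS replies (source port 53 to an ephemeral target port). The tab-separated record layout and the sample lines are constructed for the example, and "random target ports" is assumed to mean ports 1024 and above; a source-port-53 packet to target port 53 is deliberately still counted, since the rule is narrower than filtering on source port alone.

```python
from collections import Counter, namedtuple

# Constructed sample data in a hypothetical layout:
# source_ip <TAB> source_port <TAB> target_ip <TAB> target_port
# (not real DShield submissions; the field order is an assumption).
SAMPLE_RECORDS = """\
10.0.0.5\t1234\t192.0.2.10\t80
10.0.0.5\t1235\t192.0.2.11\t80
10.0.0.5\t1236\t192.0.2.12\t80
198.51.100.53\t53\t192.0.2.20\t33125
198.51.100.53\t53\t192.0.2.21\t40102
198.51.100.53\t53\t192.0.2.22\t51234
198.51.100.53\t53\t192.0.2.23\t60001
192.0.2.30\t4444\t192.0.2.30\t4444
192.0.2.30\t4445\t192.0.2.30\t4445
203.0.113.7\t53\t192.0.2.40\t53
203.0.113.8\t2000\t192.0.2.41\t21
this line is malformed
"""

Record = namedtuple("Record", "src_ip src_port dst_ip dst_port")

EPHEMERAL_MIN = 1024  # assumed lower bound of "random target ports"


def parse_records(text):
    """Parse the tab-separated layout above; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        try:
            records.append(Record(fields[0], int(fields[1]), fields[2], int(fields[3])))
        except ValueError:
            continue
    return records


def is_self_report(r):
    """Submitter's own address reported as the attacker (source ip = target ip)."""
    return r.src_ip == r.dst_ip


def looks_like_dns_reply(r):
    """A reply from a DNS server to a client's ephemeral port, dropped by a
    firewall that does not track the outgoing query: source port 53, high target port.
    Port 53 to port 53 (server-to-server) is NOT matched, so it is still ranked."""
    return r.src_port == 53 and r.dst_port >= EPHEMERAL_MIN


DEFAULT_EXCLUSIONS = (is_self_report, looks_like_dns_reply)


def rank_sources(records, n=10, exclusions=DEFAULT_EXCLUSIONS):
    """Top-n source addresses by record count. Records matching any exclusion
    are ignored for the ranking only; nothing is removed from the data set."""
    counts = Counter(r.src_ip for r in records
                     if not any(rule(r) for rule in exclusions))
    return counts.most_common(n)


def excluded_counts(records, exclusions=DEFAULT_EXCLUSIONS):
    """How many records each exclusion rule removed from the ranking,
    useful for sanity-checking a rule before switching it on."""
    return {rule.__name__: sum(1 for r in records if rule(r)) for rule in exclusions}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("raw top 10:     ", rank_sources(recs, exclusions=()))
    print("filtered top 10:", rank_sources(recs))
    print("excluded:       ", excluded_counts(recs))
```

Run as a script, the raw ranking puts the DNS server 198.51.100.53 first with four records; the filtered ranking drops it and the self-report 192.0.2.30, leaving 10.0.0.5 on top while 203.0.113.7 (port 53 to port 53) is still counted.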