[Dshield] Re: Dshield digest, Vol 1 #325 - 4 msgs

Johannes B. Ullrich jullrich at euclidian.com
Thu Nov 8 20:16:56 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



> I have noticed some port scans from IPs not previously seen.
> Is there an IP Table where I can quickly identify the origin of an IP
> while off-line?

Depends on how large of a database you would like to keep offline
for that purpose. For dshield, I keep basic whois data cached in a
table. It currently has about 190k rows and takes up about 11 MByte.
(each row is a range of IPs, not a single IP).

It covers more than 75% of IP space.

The problem is that in some countries, IP address space is assigned in 
very small ranges. Therefore, the number of records gets quite large.




- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE76ug6VOIizK5pIDMRAmJSAKDh7V3b2asoXYh6HgfwpYAkchXOsQCgkH7b
FKJyYmzsrGydu7ZB7CLyAXY=
=FylW
-----END PGP SIGNATURE-----
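
An added example, not part of the original message and not DShield's own code or schema: one way to keep a range-per-row whois cache for offline lookups, including the case where an address falls outside the cached ranges. The table name, column names and sample rows are constructed for illustration (documentation address space, made-up owners), and the ranges are assumed not to overlap.

```python
import ipaddress
import sqlite3

# Constructed sample rows (documentation address space, made-up owners).
# Each row is one range of addresses, not a single IP.
SAMPLE_RANGES = [
    ("192.0.2.0", "192.0.2.255", "EXAMPLE-NET-1", "US"),
    ("198.51.100.0", "198.51.100.63", "EXAMPLE-SMALL-A", "DE"),
    ("198.51.100.64", "198.51.100.127", "EXAMPLE-SMALL-B", "BR"),
    ("203.0.113.0", "203.0.113.255", "EXAMPLE-NET-3", "AU"),
]


def ip_to_int(ip):
    """Convert a dotted-quad IPv4 address to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(ip))


def build_cache(rows):
    """Load non-overlapping ranges into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE whois_cache ("
        " first_ip INTEGER PRIMARY KEY, last_ip INTEGER NOT NULL,"
        " netname TEXT, country TEXT)"
    )
    db.executemany(
        "INSERT INTO whois_cache VALUES (?, ?, ?, ?)",
        [(ip_to_int(a), ip_to_int(b), n, c) for a, b, n, c in rows],
    )
    return db


def lookup(db, ip):
    """Return (netname, country) for ip, or None if no cached range covers it."""
    n = ip_to_int(ip)
    # Find the nearest range starting at or below the address; the
    # primary key on first_ip keeps this an index seek on a large table.
    row = db.execute(
        "SELECT last_ip, netname, country FROM whois_cache"
        " WHERE first_ip <= ? ORDER BY first_ip DESC LIMIT 1",
        (n,),
    ).fetchone()
    if row is None or n > row[0]:
        return None  # address falls in a gap the cache does not cover
    return row[1], row[2]


def annotate(db, sources):
    """Map each scan source address to its cached origin (None = unknown)."""
    return {ip: lookup(db, ip) for ip in sources}
```

A `None` result only means the address is not in the cache; such sources still need a live whois query once back online.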



