[Dshield] Event submission frequency
gbroiles at netbox.com
Tue Jun 4 17:51:39 GMT 2002
Are there any guidelines for frequency and volume of event notifications to
Dshield? I note that the log analysis scripts tend to focus on a day-old
historical view of events - on top of a partially manual process at Dshield
for processing, that seems to suggest that we may be approaching 48 hours
(or worse) of latency between initial detection and widespread reporting,
which is a long time given the speed of automated attacks or the virulence
of some hostile code.
My inclination is towards more or less immediate reporting of suspicious
events to minimize unnecessary delay, but that would be inappropriate if it's
likely to substantially increase processing burdens on Dshield or others.
Is it considered rude or harmful to configure one's system so that
notifications occur immediately?
If so, are mailed logs more or less burdensome than automated HTTP form
(the latter seem preferable to me, as they're a lot closer to a SOAP or
XML-RPC model which I think would be helpful; but if the code on the other
side of that CGI program just dumps it into a mail message, it might be
simpler to just generate the mail on my end.)
Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961