[Dshield] Event submission frequency

Greg Broiles gbroiles at netbox.com
Tue Jun 4 17:51:39 GMT 2002


Are there any guidelines for frequency and volume of event notifications to 
Dshield? I note that the log analysis scripts tend to focus on a day-old 
historical view of events - on top of a partially manual process at Dshield 
for processing, that seems to suggest that we may be approaching 48 hours 
(or worse) of latency between initial detection and widespread reporting, 
which is a long time given the speed of automated attacks or the virulence 
of some hostile code.

My inclination is towards more or less immediate reporting of suspicious 
events to minimize unnecessary delay, but that would inappropriate if it's 
likely to substantially increase processing burdens on Dshield or others.

Is it considered rude or harmful to configure one's system so that 
notifications occur immediately?

If so, are mailed logs more or less burdensome than automated HTTP form 
submissions?

(the latter seem preferable to me, as they're a lot closer to a SOAP or 
XML-RPC model which I think would be helpful; but if the code on the other 
side of that CGI program just dumps it into a mail message, it might be 
simpler to just generate the mail on my end.)


--
Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961




More information about the list mailing list