[Dshield] Tracking and Reporting Probes

Bill McCarty bmccarty at apu.edu
Fri Mar 29 06:55:01 GMT 2002


I run Snort and have configured it with rules that detect traffic directed 
to my LaBrea phantom hosts. Since Snort's alerts go to syslog and since 
Snort syslog entries go to DShield, my LaBrea activity is being reported. I 
report about 100 connection events per hour, many of which are tarpitted 
CodeReds.

It wouldn't be hard to cobble a script that grabs LaBrea entries from 
syslog and formats them for submission to DShield. I urge that folks 
running LaBrea, but not running Snort (or some other NIDS), do so. Those 
who're running a NIDS might find it simpler to configure the NIDS to report 
the LaBrea traffic, as I have. I presume -- correctly, I hope -- that the 
DShield folks could somehow handle the resulting volume of data.

Cheers,

--On Thursday, March 28, 2002 10:24 AM -0800 Clint Byrum <cbyrum at erp.com> 
wrote:

> This makes me wonder. I've seen people asking about log analyzers for
> LaBrea... is there a LaBrea logs -> DShield format program out there?
> Should there be?

---------------------------------------------------
Bill McCarty
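An added example of the kind of LaBrea-to-DShield filter mentioned above (not code from the original post or from the LaBrea or DShield projects): it assumes a constructed syslog line shape for LaBrea's tarpit events and the DShield tab-separated generic format (date, user id, count, source IP/port, target IP/port, protocol, flags), both marked as assumptions in the code.

```python
"""Convert LaBrea tarpit lines from syslog into DShield's submission format.

Added example for this thread, not code from the original post or from the
LaBrea/DShield projects. Assumed (not from the page): the syslog line shape
below is constructed to resemble LaBrea "Initial Connect" messages, and the
output is the DShield generic tab-separated format as I understand it.
"""
import re
from datetime import datetime

# Constructed sample syslog lines in an assumed LaBrea style (one non-LaBrea
# line mixed in so the filter has something to skip).
SAMPLE_SYSLOG = """\
Mar 28 10:24:01 gw labrea: Initial Connect (tarpitting): 203.0.113.7 3456 -> 192.0.2.10 80
Mar 28 10:24:05 gw sshd[123]: Accepted publickey for bill from 192.0.2.2
Mar 28 10:24:09 gw labrea: Initial Connect (tarpitting): 198.51.100.9 4021 -> 192.0.2.11 80
Mar 28 10:24:09 gw labrea: Initial Connect (tarpitting): 203.0.113.7 3457 -> 192.0.2.10 80
"""

LABREA_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ labrea: "
    r"Initial Connect \(tarpitting\): (?P<src>[\d.]+) (?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+) (?P<dport>\d+)$"
)

def labrea_to_dshield(text, user_id, year, tz="-08:00"):
    """Return one DShield line per LaBrea connect found in `text`.

    Syslog omits the year, so the caller supplies it. A tarpitted connect
    is a TCP SYN, hence protocol 6 and flag S. Lines that are not LaBrea
    events are skipped, so the same filter can run over a whole syslog.
    """
    out = []
    for line in text.splitlines():
        m = LABREA_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append("\t".join([
            stamp.strftime("%Y-%m-%d %H:%M:%S") + " " + tz,
            str(user_id), "1",
            m["src"], m["sport"], m["dst"], m["dport"], "6", "S",
        ]))
    return out

if __name__ == "__main__":
    for row in labrea_to_dshield(SAMPLE_SYSLOG, user_id=0, year=2002):
        print(row)
```

Pipe the output to the DShield submission address (or tool) you already use; the non-LaBrea sshd line is dropped rather than reported.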