[Dshield] Tracking and Reporting Probes

Clint Byrum cbyrum at erp.com
Fri Mar 29 19:48:36 GMT 2002


On Thu, 2002-03-28 at 22:55, Bill McCarty wrote:
> I run Snort and have configured it with rules that detect traffic directed 
> to my LaBrea phantom hosts. Since Snort's alerts go to syslog and since 
> Snort syslog entries go to DShield, my LaBrea activity is being reported. I 
> report about 100 connection events per hour, many of which are tarpitted 
> CodeReds.
> 

I guess this raises another question. Does DShield want Snort alerts
reported? I fooled around and created a DShield reporter for my Snort
logs that are stored in MySQL/pgsql. What I found, though, was that this
info was not as easy to classify as "attack going from here to here" and
would have reported *my* IP addresses as the source of attacks. Are you
filtering exclusively for just a few types of Snort alerts?

-- 

------------------------------
Clint Byrum
ERP.COM 
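As an added example, not code from the thread, from DShield or from Snort: a small Python filter along the lines of what the two posters describe, reading Snort's classic syslog alert lines, keeping only alerts whose destination is a LaBrea phantom range and whose source is not one of our own addresses (so our IPs never appear as the "attacker"), optionally restricting to a short list of Snort SIDs, and writing DShield-style tab-separated lines. The local and phantom netblocks, the sample alerts and the SID list are constructed for the example; the DShield field order (date, author ID, count, source IP, source port, target IP, target port, protocol, flags) is assumed from memory of the submission format and should be checked against DShield's current documentation.

```python
import ipaddress
import re
from datetime import datetime

# Hypothetical address plan (RFC 5737 documentation space): the /24 is
# "our" network, the upper /25 is where LaBrea answers for unused hosts.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PHANTOM_NETS = [ipaddress.ip_network("192.0.2.128/25")]

# Constructed sample syslog lines in Snort's classic alert layout.
SAMPLE_SYSLOG = """\
Mar 28 22:10:01 gw snort[1234]: [1:1243:8] WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 198.51.100.23:3456 -> 192.0.2.140:80
Mar 28 22:10:05 gw snort[1234]: [1:1243:8] WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 203.0.113.9:2120 -> 192.0.2.141:80
Mar 28 22:11:30 gw snort[1234]: [1:1000001:1] LOCAL LaBrea tarpit probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 198.51.100.77:4001 -> 192.0.2.142:445
Mar 28 22:12:00 gw snort[1234]: [1:1243:8] WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.5:1055 -> 198.51.100.200:80
Mar 28 22:12:10 gw snort[1234]: [1:1444:2] TFTP GET passwd [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.0.2.5:1060 -> 192.0.2.140:69
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: [^\]]*\] \[Priority: \d+\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def classify(alert, report_sids=None):
    """Decide what to do with one alert.

    'internal' : both ends are ours (noise, never report)
    'outbound' : our address is the source (would make *us* the attacker)
    'report'   : outside source hitting a LaBrea phantom host
    'other'    : everything else (e.g. hits on real hosts, or SIDs not in the list)
    """
    src_local = in_any(alert["src"], LOCAL_NETS)
    dst_local = in_any(alert["dst"], LOCAL_NETS)
    if src_local and dst_local:
        return "internal"
    if src_local:
        return "outbound"
    if report_sids is not None and int(alert["sid"]) not in report_sids:
        return "other"
    if in_any(alert["dst"], PHANTOM_NETS):
        return "report"
    return "other"


def to_dshield(alert, year, author_id="0", tz="+00:00"):
    """Format one alert as a DShield submission line (field order assumed).

    Syslog timestamps carry neither year nor zone, so both are supplied by
    the caller. Snort's syslog output has no TCP flags, so that field is
    left empty rather than invented.
    """
    ts = datetime.strptime(f"{year} {alert['ts']}", "%Y %b %d %H:%M:%S")
    return "\t".join([
        ts.strftime("%Y-%m-%d %H:%M:%S") + " " + tz,
        author_id, "1",
        alert["src"], alert["sport"], alert["dst"], alert["dport"],
        alert["proto"], "",
    ])


def build_report(syslog_text, year, author_id="0", report_sids=None):
    """Return (dshield_lines, counts_of_dropped_alerts_by_reason)."""
    lines = []
    dropped = {"internal": 0, "outbound": 0, "other": 0, "unparsed": 0}
    for raw in syslog_text.splitlines():
        alert = parse_alert(raw)
        if alert is None:
            dropped["unparsed"] += 1
            continue
        verdict = classify(alert, report_sids)
        if verdict == "report":
            lines.append(to_dshield(alert, year, author_id))
        else:
            dropped[verdict] += 1
    return lines, dropped


if __name__ == "__main__":
    report, dropped = build_report(SAMPLE_SYSLOG, 2002)
    print("\n".join(report))
    print("dropped:", dropped)
```

Run against the constructed sample, the three outside-to-phantom alerts come out as DShield lines, the alert with 192.0.2.5 as source is dropped as "outbound" (exactly the case Clint is worried about), and the local-to-local TFTP alert is dropped as "internal". Passing `report_sids={1000001}` narrows the output to the dedicated LaBrea rule only, which is the "just a few types of alerts" filtering the post asks about.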