[Dshield] Duplicate log entries?

Bogdan Stancescu mgv at fx.ro
Sun Nov 17 23:17:12 GMT 2002


  Hello all!

I'm new to the dshield concept in particular, and new to security in 
general (also reached for help on this list for setting up my dshield 
account a few days ago).

Here's my latest problem: I use dshield.py for parsing my shorewall 
(iptables based) firewall - and I think I'm sending duplicate log 
entries, but I'm not sure. Please take a look at the log entries below - 
they're the latest my machine sent to dshield. As far as I can 
understand from them, it appears to me that the first four, for 
instance, should be listed as one single entry - the fourth, that is. I 
think the first three are duplicates of the fourth, and I'm afraid 
dshield.py is erroneously sending... humm, I don't think math has any 
specific term for that (first thought of "factorial", but that's a 
product, not a sum). But you can see what I mean.

Here are the respective entries in my /var/log/messages for the first 
four dshield log entries below:
Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0

So, the question is obvious: is what I'm sending correct or not?

Bogdan

2002-11-17 19:23:03 +02:00	59254230	1	62.47.161.110	1261	217.156.116.130	3042	TCP	S
2002-11-17 19:23:06 +02:00	59254230	2	62.47.161.110	1261	217.156.116.130	3042	TCP	S
2002-11-17 19:23:12 +02:00	59254230	3	62.47.161.110	1261	217.156.116.130	3042	TCP	S
2002-11-17 19:23:24 +02:00	59254230	4	62.47.161.110	1261	217.156.116.130	3042	TCP	S
2002-11-17 19:24:12 +02:00	59254230	1	62.147.50.251	1210	217.156.116.130	3042	TCP	S
2002-11-17 19:24:15 +02:00	59254230	2	62.147.50.251	1210	217.156.116.130	3042	TCP	S
2002-11-17 19:24:21 +02:00	59254230	3	62.147.50.251	1210	217.156.116.130	3042	TCP	S
2002-11-17 19:30:58 +02:00	59254230	1	151.24.192.12	4129	217.156.116.130	3042	TCP	S
2002-11-17 19:31:01 +02:00	59254230	2	151.24.192.12	4129	217.156.116.130	3042	TCP	S
2002-11-17 19:31:07 +02:00	59254230	3	151.24.192.12	4129	217.156.116.130	3042	TCP	S
2002-11-17 19:31:19 +02:00	59254230	4	151.24.192.12	4129	217.156.116.130	3042	TCP	S
2002-11-17 19:49:54 +02:00	59254230	1	151.24.198.199	1140	217.156.116.130	3042	TCP	S
2002-11-17 19:49:57 +02:00	59254230	2	151.24.198.199	1140	217.156.116.130	3042	TCP	S
2002-11-17 19:50:03 +02:00	59254230	3	151.24.198.199	1140	217.156.116.130	3042	TCP	S
2002-11-17 19:50:15 +02:00	59254230	4	151.24.198.199	1140	217.156.116.130	3042	TCP	S
2002-11-17 19:56:00 +02:00	59254230	1	62.147.50.251	1643	217.156.116.130	3042	TCP	S
2002-11-17 19:56:03 +02:00	59254230	2	62.147.50.251	1643	217.156.116.130	3042	TCP	S
2002-11-17 19:56:09 +02:00	59254230	3	62.147.50.251	1643	217.156.116.130	3042	TCP	S
2002-11-17 20:12:30 +02:00	59254230	1	62.57.65.1	2336	217.156.116.130	1214	UDP	
2002-11-17 20:12:33 +02:00	59254230	2	62.57.65.1	2336	217.156.116.130	1214	UDP	
2002-11-17 20:32:24 +02:00	59254230	1	61.221.88.125	60268	217.156.116.130	21	TCP	S
2002-11-17 20:40:39 +02:00	59254230	1	217.233.139.49	1847	217.156.116.130	3042	TCP	S
2002-11-17 20:40:42 +02:00	59254230	2	217.233.139.49	1847	217.156.116.130	3042	TCP	S
2002-11-17 20:40:48 +02:00	59254230	3	217.233.139.49	1847	217.156.116.130	3042	TCP	S
2002-11-17 20:41:01 +02:00	59254230	4	217.233.139.49	1847	217.156.116.130	3042	TCP	S
2002-11-17 21:14:47 +02:00	59254230	1	80.14.162.39	2589	217.156.116.130	3042	TCP	S
2002-11-17 21:14:50 +02:00	59254230	2	80.14.162.39	2589	217.156.116.130	3042	TCP	S
2002-11-17 21:14:56 +02:00	59254230	3	80.14.162.39	2589	217.156.116.130	3042	TCP	S
2002-11-17 21:14:59 +02:00	59254230	1	80.14.162.39	2654	217.156.116.130	3042	TCP	S
2002-11-17 21:14:59 +02:00	59254230	1	80.14.162.39	2659	217.156.116.130	3042	TCP	S
2002-11-17 21:15:01 +02:00	59254230	1	80.14.162.39	2702	217.156.116.130	3042	TCP	S
2002-11-17 21:15:03 +02:00	59254230	1	80.14.162.39	2751	217.156.116.130	3042	TCP	S
2002-11-17 21:15:03 +02:00	59254230	1	80.14.162.39	2752	217.156.116.130	3042	TCP	S
2002-11-17 21:18:24 +02:00	59254230	1	62.147.50.251	3943	217.156.116.130	3042	TCP	S
2002-11-17 21:18:27 +02:00	59254230	2	62.147.50.251	3943	217.156.116.130	3042	TCP	S
2002-11-17 21:18:33 +02:00	59254230	3	62.147.50.251	3943	217.156.116.130	3042	TCP	S
2002-11-17 23:03:33 +02:00	59254230	1	217.216.93.186	3739	217.156.116.130	3042	TCP	S
2002-11-17 23:03:34 +02:00	59254230	2	217.216.93.186	3739	217.156.116.130	3042	TCP	S
2002-11-17 23:03:41 +02:00	59254230	3	217.216.93.186	3739	217.156.116.130	3042	TCP	S
2002-11-17 23:03:53 +02:00	59254230	4	217.216.93.186	3739	217.156.116.130	3042	TCP	S
2002-11-17 23:30:25 +02:00	59254230	1	61.70.64.135	3128	217.156.116.130	3128	TCP	S
2002-11-18 00:51:48 +02:00	59254230	1	62.231.67.202	412	217.156.116.130	1412	UDP	
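As an added example (this is not dshield.py's code, nor anything from the DShield project), here is a small Python converter that parses syslog'd iptables/Shorewall DROP lines like the four quoted in the post and collapses repeated hits on the same flow (source, source port, destination, destination port, protocol, TCP flags) that fall within a short window into a single record carrying a count, written in the tab-separated column layout of the submission lines shown above (date and offset, user ID, count, source, source port, target, target port, protocol, flags). It assumes the log's local offset is +02:00, as the submission lines indicate. The user ID is a placeholder, and the two sample lines for 62.147.50.251 and 62.57.65.1 are constructed from the submission data rather than copied from the poster's /var/log/messages.

```python
import re
from datetime import datetime

# Constructed sample: the four Shorewall lines quoted in the post, plus two
# constructed lines (one TCP from another source, one UDP) for contrast.
SAMPLE_LOG = """\
Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:24:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.147.50.251 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=118 ID=1234 DF PROTO=TCP SPT=1210 DPT=3042 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 17 20:12:30 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.57.65.1 DST=217.156.116.130 LEN=57 TOS=0x00 PREC=0x00 TTL=111 ID=5678 PROTO=UDP SPT=2336 DPT=1214 LEN=37
"""

USER_ID = "00000000"  # placeholder, not a real DShield user ID

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
# iptables prints TCP flags as bare tokens; the submission lines use one letter each.
TCP_FLAG_LETTERS = {"SYN": "S", "ACK": "A", "FIN": "F", "RST": "R", "PSH": "P", "URG": "U"}

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+kernel:\s+(?P<rest>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_line(line, year=2002):
    """Return (timestamp, flow) for a dropped/rejected packet line, else None.

    flow is (src, sport, dst, dport, proto, flags); syslog lines carry no year,
    so the caller supplies it.
    """
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # The Shorewall prefix ("Shorewall:net2all:DROP:") precedes the first IN= field.
    prefix = rest.split("IN=", 1)[0]
    if not any(action in prefix for action in ("DROP", "REJECT")):
        return None
    fields = dict(KV_RE.findall(rest))
    proto = fields.get("PROTO", "")
    flags = ""
    if proto == "TCP":
        tokens = set(rest.split())
        flags = "".join(letter for name, letter in TCP_FLAG_LETTERS.items() if name in tokens)
    hh, mm, ss = (int(x) for x in m.group("time").split(":"))
    ts = datetime(year, MONTHS[m.group("mon")], int(m.group("day")), hh, mm, ss)
    flow = (fields["SRC"], fields.get("SPT", ""), fields["DST"], fields.get("DPT", ""), proto, flags)
    return ts, flow


def aggregate(records, window_seconds=60):
    """Collapse consecutive hits on one flow into (first_ts, count, flow).

    A hit joins the open group for its flow if it arrives within window_seconds
    of that group's previous hit; otherwise it starts a new group.
    """
    groups = []       # [first_ts, last_ts, count, flow]
    open_index = {}   # flow -> position in groups
    for ts, flow in sorted(records):
        idx = open_index.get(flow)
        if idx is not None and (ts - groups[idx][1]).total_seconds() <= window_seconds:
            groups[idx][1] = ts
            groups[idx][2] += 1
        else:
            open_index[flow] = len(groups)
            groups.append([ts, ts, 1, flow])
    return [(g[0], g[2], g[3]) for g in groups]


def format_submission(first_ts, count, flow, user_id=USER_ID, tz="+02:00"):
    """Render one aggregated record in the tab-separated column order of the post."""
    src, sport, dst, dport, proto, flags = flow
    stamp = first_ts.strftime("%Y-%m-%d %H:%M:%S ") + tz
    return "\t".join([stamp, user_id, str(count), src, sport, dst, dport, proto, flags])


def convert(log_text, user_id=USER_ID, year=2002, tz="+02:00", window_seconds=60):
    """Parse a block of syslog text and return aggregated submission lines."""
    records = [r for r in (parse_iptables_line(l, year) for l in log_text.splitlines()) if r]
    return [format_submission(ts, n, flow, user_id, tz) for ts, n, flow in aggregate(records, window_seconds)]


if __name__ == "__main__":
    for line in convert(SAMPLE_LOG):
        print(line)
```

The four quoted hits from 62.47.161.110 are spaced 3, 6 and 12 seconds apart, the doubling backoff of a client retransmitting an unanswered SYN, which is why a per-flow window of a minute is enough to fold them into one record with count 4 while the unrelated source and the UDP packet stay separate records with count 1.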