[Dshield] Duplicate log entries?

John Sage jsage at finchhaven.com
Mon Nov 18 06:15:29 GMT 2002


Bogdan:

First of all, when you post stuff, *don't* post your *actual* user ID
number :-/

On Mon, Nov 18, 2002 at 01:17:12AM +0200, Bogdan Stancescu wrote:
>   Hello all!
> 
> I'm new to the dshield concept in particular, and new to security in 
> general (also reached for help on this list for setting up my dshield 
> account a few days ago).
> 
> Here's my latest problem: I use dshield.py for parsing my shorewall 
> (iptables based) firewall - and I think I'm sending duplicate log 
> entries, but I'm not sure. Please take a look at the log entries below - 
> they're the latest my machine sent to dshield. As far as I can 
> understand from them, it appears to me that the first four, for 
> instance, should be listed as one single entry - the fourth, that is. I 
> think the first three are duplicates of the fourth, and I'm afraid 
> dshield.py is erroneously sending... humm, I don't think math has any 
> specific term for that (first thought of "factorial", but that's a 
> product, not a sum). But you can see what I mean.
> 
> Here are the respective entries in my /var/log/messages for the first 
> four dshield log entries below:

Notice the timestamps (19:23:03 :06 :12 :24) - these are all different
packets.

> Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0

> 2002-11-17 19:23:03 +02:00 1234567890 1 62.47.161.110 1261 217.156.116.130 3042 TCP S

> Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0

> 2002-11-17 19:23:06 +02:00 1234567890 2 62.47.161.110 1261 217.156.116.130 3042 TCP S

> Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0

> 2002-11-17 19:23:12 +02:00 1234567890 3 62.47.161.110 1261 217.156.116.130 3042 TCP S

> Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0

> 2002-11-17 19:23:24 +02:00 1234567890 4 62.47.161.110 1261 217.156.116.130 3042 TCP S

All source IP 62.47.161.110:

[toot at sparky]# host 62.47.161.110
110.161.47.62.in-addr.arpa. domain name pointer M412P014.adsl.highway.telekom.at.

to destination 217.156.116.130:

[toot at sparky]# host 217.156.116.130
130.116.156.217.in-addr.arpa. domain name pointer cg.canad.ro.

and all have the same source (1261) and destination (3042) port, so
they do look identical. But they arrived at different times...


> So, the question is obvious: is what I'm sending correct or not?
> 
> Bogdan


I'd say, yes, it is correct...


- John
-- 
Forest: a collection of trees

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
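The question in this thread comes down to what a submission script should treat as one "entry". The four kernel lines share the whole 5-tuple and the SYN flag, but each carries its own timestamp and its own IP ID (2067, 29715, 52499, 50197), and the gaps between them are 3, 6 and 12 seconds, which looks like a client retransmitting a SYN that never got answered. The following is an added example, not dshield.py or any DShield-provided code: it parses the four quoted lines, builds DShield-style submission lines in the field order the post shows, and demonstrates that keying only on the 5-tuple would merge four distinct packets into one, while keying on timestamp plus IP ID keeps them apart. Assumptions: the syslog year (2002, from the post), a placeholder user ID rather than a real one, and the flag letters other than "S" for SYN.

```python
import re
from datetime import datetime

# The four Shorewall/iptables DROP lines quoted in the post, re-joined onto single lines.
# Used here as embedded test input, not a live capture.
SAMPLE_LOG = """\
Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
"""

SYSLOG_YEAR = 2002        # syslog stamps carry no year; assumed from the dates in the post
USERID = "1234567890"     # placeholder only, never a real DShield user ID
TZ = "+02:00"             # the submitter's offset as shown in the post

# DShield flag letters: "S" for SYN is what the post shows; the others are assumed here.
TCP_FLAG_LETTERS = {"SYN": "S", "ACK": "A", "FIN": "F", "RST": "R", "PSH": "P", "URG": "U"}

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(.*)$")


def parse_iptables_line(line):
    """Parse one netfilter LOG line into a dict; return None for lines that do not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    stamp, body = m.groups()
    fields, flags = {}, []
    for tok in body.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if ":" in key:  # log prefix glued onto the first field, e.g. Shorewall:net2all:DROP:IN
                fields["PREFIX"], _, key = key.rpartition(":")
            fields[key] = val
        else:
            flags.append(tok)  # bare tokens such as DF, SYN, ACK
    when = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {
        "time": when,
        "src": fields["SRC"], "sport": int(fields.get("SPT", 0)),
        "dst": fields["DST"], "dport": int(fields.get("DPT", 0)),
        "proto": fields["PROTO"],
        "ipid": int(fields.get("ID", 0)),
        "flags": "".join(TCP_FLAG_LETTERS[f] for f in flags if f in TCP_FLAG_LETTERS),
    }


def parse_log(text):
    return [r for r in (parse_iptables_line(l) for l in text.splitlines()) if r]


def flow_key(rec):
    """What all four entries share: the 5-tuple plus the TCP flags."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"], rec["flags"])


def packet_key(rec):
    """What tells one logged packet from another: the flow plus its timestamp and IP ID."""
    return flow_key(rec) + (rec["time"], rec["ipid"])


def is_same_packet(a, b):
    """True only when the same datagram was logged twice (e.g. by two rules).
    A retransmitted SYN is a new datagram: different timestamp and different IP ID."""
    return packet_key(a) == packet_key(b)


def to_dshield(records, key=packet_key, userid=USERID, tz=TZ):
    """Group records by `key` and emit one submission line per group in the
    field order the post shows: date time tz userid count src sport dst dport proto flags."""
    groups = {}
    for rec in records:
        groups.setdefault(key(rec), []).append(rec)
    lines = []
    for recs in groups.values():
        first = recs[0]
        lines.append(" ".join([
            first["time"].strftime("%Y-%m-%d %H:%M:%S"), tz, userid, str(len(recs)),
            first["src"], str(first["sport"]), first["dst"], str(first["dport"]),
            first["proto"], first["flags"],
        ]))
    return lines


def interarrival_seconds(records):
    """Gaps between consecutive records; a doubling series (3, 6, 12) is the shape of SYN retransmission."""
    times = sorted(r["time"] for r in records)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flows:", len({flow_key(r) for r in recs}), "distinct packets:", len({packet_key(r) for r in recs}))
    print("gaps (s):", interarrival_seconds(recs))
    for line in to_dshield(recs):
        print(line)
```

With `packet_key` the script emits four lines with count 1 each, the first of which is byte-for-byte the first DShield line quoted above; with `key=flow_key` it emits a single line with count 4. Either form carries the same four packets, so the thing to avoid is not per-packet reporting but collapsing on the 5-tuple alone while still emitting one line per packet, which is what would double-count.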