[Dshield] Duplicate log entries?

Bogdan Stancescu mgv at fx.ro
Mon Nov 18 06:38:40 GMT 2002


John Sage wrote:

>Bogdan:
>
>First of all, when you post stuff, *don't* post your *actual* user ID
>number :-/
>
You are absolutely right. I hadn't noticed it's listed in the actual 
dshield log lines :(

Is there any way I could ask a sysop to change it? I know this is not a 
nice thing to do, asking someone else to fix my mistakes, but... humm, 
leaving it as it is doesn't look right either.

>Notice the timestamps (19:23:03 :06 :12 :24) - these are all different
>packets.
>[snip]
>
>and all have the same source (1261) and destination (3042) port, so
>they do look identical. But they arrived at different times...
>
>>So, the question is obvious: is what I'm sending correct or not?
>
>I'd say, yes, it is correct...
>
Well, I don't know... I mean, yes, they did arrive at different times, 
but why does the third field in the dshield logs look like that in the 
following entries:
2002-11-17 19:23:03 +02:00    12345678    1    62.47.161.110    1261    217.156.116.130    3042    TCP    S
2002-11-17 19:23:06 +02:00    12345678    2    62.47.161.110    1261    217.156.116.130    3042    TCP    S
2002-11-17 19:23:12 +02:00    12345678    3    62.47.161.110    1261    217.156.116.130    3042    TCP    S
2002-11-17 19:23:24 +02:00    12345678    4    62.47.161.110    1261    217.156.116.130    3042    TCP    S

when the entries above obviously are the representation of these 
Shorewall log entries:
Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0

Please note the timestamps match, as well as the rest of the data.

Based on the dshield log structure documented here 
http://www.dshield.org/specs.html#dshield_format I figure dshield.py 
should have returned one single line like so:
2002-11-17 19:23:03 +02:00    12345678    4    62.47.161.110    1261    217.156.116.130    3042    TCP    S

or, in the worst case, report four distinct lines but *without* 
incrementing the "count" field, like so:
2002-11-17 19:23:03 +02:00    12345678    1    62.47.161.110    1261    217.156.116.130    3042    TCP    S
2002-11-17 19:23:06 +02:00    12345678    1    62.47.161.110    1261    217.156.116.130    3042    TCP    S
2002-11-17 19:23:12 +02:00    12345678    1    62.47.161.110    1261    217.156.116.130    3042    TCP    S
2002-11-17 19:23:24 +02:00    12345678    1    62.47.161.110    1261    217.156.116.130    3042    TCP    S

As far as I understand, reporting what it does would mean that Shorewall 
dropped one connection at 19:23:03, TWO at 19:23:06, THREE at 19:23:12 
and FOUR at 19:23:24 totaling TEN dropped connections from 
62.47.161.110. Which is not true - it only dropped four connections.

This is obviously not a real problem in this case, even if I did 
understand it right and it actually is a problem - ten versus four 
connections on port 3042 won't mess up any statistics. Imagine 100 
connections on port... 137 for instance (since everybody seems to be 
talking about that). I would report no less than 100*101/2=5050 
connections instead of 100!

Bogdan
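
The aggregation Bogdan describes as the expected behaviour (one DShield record per identical flow, with the "count" field holding the number of packets, rather than a running count that sums to n(n+1)/2), as an added example that is not part of the original post or of dshield.py. It parses iptables-style Shorewall DROP lines into the tab-separated DShield fields shown in the thread. The sample log is the four quoted lines rejoined, plus one constructed fifth packet from source port 1262 to show that distinct flows stay separate; the user ID 12345678, the year and the +02:00 offset are taken from the post's own lines, since syslog timestamps carry neither year nor zone.

```python
import re

# Constructed sample: the four Shorewall DROP lines quoted in the thread, rejoined onto
# single lines, plus one made-up fifth packet from a different source port (SPT=1262)
# so that distinct flows can be seen staying as separate records.
SAMPLE_LOG = """\
Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:30 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50200 DF PROTO=TCP SPT=1262 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
"""

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
FLAG_LETTERS = {"SYN": "S", "ACK": "A", "FIN": "F", "RST": "R", "PSH": "P", "URG": "U"}
SYSLOG_TS = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) ")
KEY_VALUE = re.compile(r"(\w+)=(\S*)")

def parse_shorewall_line(line):
    """Return ((month, day, clock), flow_key) for one iptables-style DROP line, else None."""
    m = SYSLOG_TS.match(line)
    if not m or "PROTO=" not in line:
        return None
    mon, day, clock = m.groups()
    kv = dict(KEY_VALUE.findall(line))
    # TCP flags are bare tokens (SYN, ACK, ...), not key=value pairs; map them to DShield letters.
    flags = "".join(FLAG_LETTERS[tok] for tok in line.split() if tok in FLAG_LETTERS)
    key = (kv["SRC"], kv.get("SPT", ""), kv["DST"], kv.get("DPT", ""), kv["PROTO"], flags)
    return (MONTHS[mon], int(day), clock), key

def to_dshield(lines, user_id, year, tz="+00:00"):
    """Emit one tab-separated DShield record per distinct flow; 'count' is the number of
    packets that matched it and the timestamp is that of the first packet seen."""
    records = {}  # flow_key -> [first_timestamp, count]; dicts keep insertion order
    for line in lines:
        parsed = parse_shorewall_line(line)
        if parsed is None:
            continue
        (mon, day, clock), key = parsed
        if key in records:
            records[key][1] += 1
        else:
            records[key] = [f"{year:04d}-{mon:02d}-{day:02d} {clock} {tz}", 1]
    return ["\t".join([stamp, str(user_id), str(count), *key])
            for key, (stamp, count) in records.items()]

def overcounted_total(n):
    """Total the thread says a running count would report for n identical packets (1+2+...+n)."""
    return n * (n + 1) // 2
```

Running `to_dshield(SAMPLE_LOG.splitlines(), user_id=12345678, year=2002, tz="+02:00")` yields two records: the 1261 flow with count 4 and the constructed 1262 flow with count 1, five packets in total, where a running count would have reported ten for the first flow alone.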