[Dshield] Duplicate log entries?

domo netdata netdata2002 at numericable.fr
Mon Nov 18 08:43:54 GMT 2002


Hi 

I strongly believe that most of the DSHIELD readers, aficionados or whatever, 
from my favorite security list are great people with real dedication.

But in these days of dull, starkly insecure network paths, I would advise not 
sending a full firewall report to a list.

I belong to a new "hackers" university that opened in Paris. Most students are net 
admins, but some are script kiddies, psychologically insecure hackers, 
introverts dying for an exploit. They love dshield.org, and I know for sure 
that the info you passed on is juicy.

dshield has helped me a lot in being aware of the Internet scum, and one of the 
first lessons I got was: do not give ammunition to the ruffians on the dark 
Internet.

A simple e-mail shows your IP (unless you spoof it using the "proxy 
address" sites).

Warmest regards


Dom - Paris, and this is too much info already



On Monday 18 November 2002 00:17, Bogdan Stancescu wrote:
>   Hello all!
>
> I'm new to the dshield concept in particular, and new to security in
> general (I also reached out for help on this list for setting up my dshield
> account a few days ago).
>
> Here's my latest problem: I use dshield.py for parsing my Shorewall
> (iptables based) firewall - and I think I'm sending duplicate log
> entries, but I'm not sure. Please take a look at the log entries below -
> they're the latest my machine sent to dshield. As far as I can
> understand from them, it appears to me that the first four, for
> instance, should be listed as one single entry - the fourth, that is. I
> think the first three are duplicates of the fourth, and I'm afraid
> dshield.py is erroneously sending... hmm, I don't think math has any
> specific term for that (first thought of "factorial", but that's a
> product, not a sum). But you can see what I mean.
>
> Here are the respective entries in my /var/log/messages for the first
> four dshield log entries below:
> Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
> Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
> Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
> Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
>
> So, the question is obvious: is what I'm sending correct or not?
>
> Bogdan
>
> 2002-11-17 19:23:03 +02:00	59254230	1	62.47.161.110	1261	217.156.116.130	3042	TCP	S
> 2002-11-17 19:23:06 +02:00	59254230	2	62.47.161.110	1261	217.156.116.130	3042	TCP	S
> 2002-11-17 19:23:12 +02:00	59254230	3	62.47.161.110	1261	217.156.116.130	3042	TCP	S
> 2002-11-17 19:23:24 +02:00	59254230	4	62.47.161.110	1261	217.156.116.130	3042	TCP	S
> 2002-11-17 19:24:12 +02:00	59254230	1	62.147.50.251	1210	217.156.116.130	3042	TCP	S
> 2002-11-17 19:24:15 +02:00	59254230	2	62.147.50.251	1210	217.156.116.130	3042	TCP	S
> 2002-11-17 19:24:21 +02:00	59254230	3	62.147.50.251	1210	217.156.116.130	3042	TCP	S
> 2002-11-17 19:30:58 +02:00	59254230	1	151.24.192.12	4129	217.156.116.130	3042	TCP	S
> 2002-11-17 19:31:01 +02:00	59254230	2	151.24.192.12	4129	217.156.116.130	3042	TCP	S
> 2002-11-17 19:31:07 +02:00	59254230	3	151.24.192.12	4129	217.156.116.130	3042	TCP	S
> 2002-11-17 19:31:19 +02:00	59254230	4	151.24.192.12	4129	217.156.116.130	3042	TCP	S
> 2002-11-17 19:49:54 +02:00	59254230	1	151.24.198.199	1140	217.156.116.130	3042	TCP	S
> 2002-11-17 19:49:57 +02:00	59254230	2	151.24.198.199	1140	217.156.116.130	3042	TCP	S
> 2002-11-17 19:50:03 +02:00	59254230	3	151.24.198.199	1140	217.156.116.130	3042	TCP	S
> 2002-11-17 19:50:15 +02:00	59254230	4	151.24.198.199	1140	217.156.116.130	3042	TCP	S
> 2002-11-17 19:56:00 +02:00	59254230	1	62.147.50.251	1643	217.156.116.130	3042	TCP	S
> 2002-11-17 19:56:03 +02:00	59254230	2	62.147.50.251	1643	217.156.116.130	3042	TCP	S
> 2002-11-17 19:56:09 +02:00	59254230	3	62.147.50.251	1643	217.156.116.130	3042	TCP	S
> 2002-11-17 20:12:30 +02:00	59254230	1	62.57.65.1	2336	217.156.116.130	1214	UDP
> 2002-11-17 20:12:33 +02:00	59254230	2	62.57.65.1	2336	217.156.116.130	1214	UDP
> 2002-11-17 20:32:24 +02:00	59254230	1	61.221.88.125	60268	217.156.116.130	21	TCP	S
> 2002-11-17 20:40:39 +02:00	59254230	1	217.233.139.49	1847	217.156.116.130	3042	TCP	S
> 2002-11-17 20:40:42 +02:00	59254230	2	217.233.139.49	1847	217.156.116.130	3042	TCP	S
> 2002-11-17 20:40:48 +02:00	59254230	3	217.233.139.49	1847	217.156.116.130	3042	TCP	S
> 2002-11-17 20:41:01 +02:00	59254230	4	217.233.139.49	1847	217.156.116.130	3042	TCP	S
> 2002-11-17 21:14:47 +02:00	59254230	1	80.14.162.39	2589	217.156.116.130	3042	TCP	S
> 2002-11-17 21:14:50 +02:00	59254230	2	80.14.162.39	2589	217.156.116.130	3042	TCP	S
> 2002-11-17 21:14:56 +02:00	59254230	3	80.14.162.39	2589	217.156.116.130	3042	TCP	S
> 2002-11-17 21:14:59 +02:00	59254230	1	80.14.162.39	2654	217.156.116.130	3042	TCP	S
> 2002-11-17 21:14:59 +02:00	59254230	1	80.14.162.39	2659	217.156.116.130	3042	TCP	S
> 2002-11-17 21:15:01 +02:00	59254230	1	80.14.162.39	2702	217.156.116.130	3042	TCP	S
> 2002-11-17 21:15:03 +02:00	59254230	1	80.14.162.39	2751	217.156.116.130	3042	TCP	S
> 2002-11-17 21:15:03 +02:00	59254230	1	80.14.162.39	2752	217.156.116.130	3042	TCP	S
> 2002-11-17 21:18:24 +02:00	59254230	1	62.147.50.251	3943	217.156.116.130	3042	TCP	S
> 2002-11-17 21:18:27 +02:00	59254230	2	62.147.50.251	3943	217.156.116.130	3042	TCP	S
> 2002-11-17 21:18:33 +02:00	59254230	3	62.147.50.251	3943	217.156.116.130	3042	TCP	S
> 2002-11-17 23:03:33 +02:00	59254230	1	217.216.93.186	3739	217.156.116.130	3042	TCP	S
> 2002-11-17 23:03:34 +02:00	59254230	2	217.216.93.186	3739	217.156.116.130	3042	TCP	S
> 2002-11-17 23:03:41 +02:00	59254230	3	217.216.93.186	3739	217.156.116.130	3042	TCP	S
> 2002-11-17 23:03:53 +02:00	59254230	4	217.216.93.186	3739	217.156.116.130	3042	TCP	S
> 2002-11-17 23:30:25 +02:00	59254230	1	61.70.64.135	3128	217.156.116.130	3128	TCP	S
> 2002-11-18 00:51:48 +02:00	59254230	1	62.231.67.202	412	217.156.116.130	1412	UDP

-- 
Dominique Fiori
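As an added illustration of the question in the quoted post (example code written for this page, not dshield.py's own logic): the quoted Shorewall/iptables lines are parsed and consecutive drops from the same source address/port to the same destination port are collapsed into one DShield-style record whose count is the number of packets, which is the "one single entry" outcome Bogdan describes, while each packet's distinct IP ID is kept so the four lines are visibly separate retransmitted SYNs rather than repeated log lines. The 60-second window, the year 2002, the "S" flag rendering and the fifth log line (with an invented IP ID) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the four kernel log lines quoted in the post, rejoined onto
# single lines (the archive wrapped them), plus one constructed line for the next
# source in the post's DShield output (its IP ID 11111 is invented).
SAMPLE_LOG = """\
Nov 17 19:23:03 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=2067 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:06 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=29715 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=52499 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:23:24 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.47.161.110 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=50197 DF PROTO=TCP SPT=1261 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 17 19:24:12 bogdan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:05:e5:67:42:00:02:44:4f:2b:9b:08:00 SRC=62.147.50.251 DST=217.156.116.130 LEN=48 TOS=0x00 PREC=0x80 TTL=114 ID=11111 DF PROTO=TCP SPT=1210 DPT=3042 WINDOW=8192 RES=0x00 SYN URGP=0
"""
YEAR, TZ, USER_ID = 2002, "+02:00", "59254230"  # syslog has no year; tz and id as in the post
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags like DF/SYN are skipped

def parse_line(line):
    """Split one iptables/Shorewall syslog line into (timestamp, KEY=VALUE dict)."""
    m = LINE_RE.match(line)
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    f = dict(FIELD_RE.findall(m.group(2)))
    f["flags"] = "S" if f["PROTO"] == "TCP" and " SYN " in m.group(2) else ""
    return ts, f

def five_tuple(f):
    return (f["SRC"], f["SPT"], f["DST"], f["DPT"], f["PROTO"])

def collapse(lines, window=60):
    """Merge consecutive drops of one 5-tuple arriving within `window` seconds into a
    single record: `count` is the number of packets, `ts` the latest one (the post's
    "fourth"), and `ids` keeps every packet's IP ID to show they are distinct packets."""
    records = []
    for line in lines:
        ts, f = parse_line(line)
        last = records[-1] if records else None
        if last and last["tuple"] == five_tuple(f) and (ts - last["ts"]).total_seconds() <= window:
            last.update(count=last["count"] + 1, ts=ts)
            last["ids"].append(f["ID"])
        else:
            records.append({"tuple": five_tuple(f), "ts": ts, "count": 1,
                            "ids": [f["ID"]], "flags": f["flags"]})
    return records

def format_record(r):
    """Render a record in the tab-separated column order of the post's DShield lines."""
    src, spt, dst, dpt, proto = r["tuple"]
    cols = [f"{r['ts']:%Y-%m-%d %H:%M:%S} {TZ}", USER_ID, str(r["count"]), src, spt, dst, dpt, proto]
    return "\t".join(cols + [r["flags"]] if proto == "TCP" else cols)
```

Running `collapse(SAMPLE_LOG.splitlines())` yields two records: one with count 4 and IP IDs 2067, 29715, 52499, 50197 (the 3 s, 6 s, 12 s spacing is the TCP SYN retransmission backoff), and one with count 1 for the second source.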
