[Dshield] Duplicate log entries?

Gene Bradford geneb at columbus.rr.com
Mon Nov 18 12:44:29 GMT 2002


Bogdan,
I'd say John is correct also.  Look again at the timestamps.  They're doubling 
in each case, i.e. from 03 to 06 to 12 to 24 in the seconds column.  In a lot 
of cases this is indicative of retries.  Depending on the OS the time between 
retries varies but this seems to be pretty standard.  Also take a look at the 
IPs... they remain the same.  So what we could be seeing is something purely 
innocent or a scan.  Either way, the logs themselves appear to be ok.

Gene


On Monday 18 November 2002 01:38 am, Bogdan Stancescu wrote:

> >>So, the question is obvious: is what I'm sending correct or not?
> >
> >I'd say, yes, it is correct...
>
> Well, I don't know... I mean, yes, they did arrive at different times,
> but why does the third field in the dshield logs look like that in the
> following entries:
> 2002-11-17 19:23:03 +02:00    12345678    1    62.47.161.110    1261    217.156.116.130    3042    TCP    S
> 2002-11-17 19:23:06 +02:00    12345678    2    62.47.161.110    1261    217.156.116.130    3042    TCP    S
> 2002-11-17 19:23:12 +02:00    12345678    3    62.47.161.110    1261    217.156.116.130    3042    TCP    S
> 2002-11-17 19:23:24 +02:00    12345678    4    62.47.161.110    1261    217.156.116.130    3042    TCP    S

 
*************************************************************************************
"You've never seen boredom until you've seen a bunch of computer people 
without electricity." -- John Young NASA
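
Added example, not part of the original message: a Python check of the reasoning in this thread, grouping log lines by source/target address, port and protocol and testing whether the gaps between entries keep doubling. The field positions, function names and tolerance are assumptions; the sample is the four entries quoted above, unwrapped.

```python
from collections import defaultdict
from datetime import datetime

# The four entries quoted in the thread, one per line (whitespace-separated).
SAMPLE = """\
2002-11-17 19:23:03 +02:00 12345678 1 62.47.161.110 1261 217.156.116.130 3042 TCP S
2002-11-17 19:23:06 +02:00 12345678 2 62.47.161.110 1261 217.156.116.130 3042 TCP S
2002-11-17 19:23:12 +02:00 12345678 3 62.47.161.110 1261 217.156.116.130 3042 TCP S
2002-11-17 19:23:24 +02:00 12345678 4 62.47.161.110 1261 217.156.116.130 3042 TCP S
"""

def parse(line):
    """Return (flow_key, timestamp) for one log line; field meanings are assumed."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"short line: {line!r}")
    # The UTC offset (f[2]) is ignored: only gaps within one submitter's log matter.
    ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
    # Assumed layout: f[5..9] = source IP, source port, target IP, target port, protocol
    return (f[5], f[6], f[7], f[8], f[9]), ts

def gaps_by_flow(text):
    """Map each flow key to the list of gaps (seconds) between its entries."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            key, ts = parse(line)
            flows[key].append(ts)
    out = {}
    for key, stamps in flows.items():
        stamps.sort()
        out[key] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return out

def looks_like_retries(gaps, tolerance=1):
    """True if every gap is about double the previous one (retry backoff)."""
    if len(gaps) < 2 or gaps[0] <= 0:
        return False
    return all(b > a and abs(b - 2 * a) <= tolerance for a, b in zip(gaps, gaps[1:]))

def classify(text):
    return {k: ("retries" if looks_like_retries(g) else "separate events")
            for k, g in gaps_by_flow(text).items()}
```
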



