[Dshield] Duplicate log entries?

John Sage jsage at finchhaven.com
Mon Nov 18 14:27:50 GMT 2002


Bogdan:

On Mon, Nov 18, 2002 at 08:38:40AM +0200, Bogdan Stancescu wrote:
> John Sage wrote:
> 
> >Bogdan:
> >
> >First of all, when you post stuff, *don't* post your *actual* user ID
> >number :-/
> >
> You are absolutely right. I haven't noticed it's listed in the actual 
> dshield log lines :(
> 
> Is there any way I could ask a sysop to change it? I know this is not a 
> nice thing to do, asking someone else to fix my mistakes, but... humm, 
> leaving it as it is doesn't look right either.

Johannes should be able to, but I wouldn't worry about it..

..I dunno. Just obfuscate, from now on.

> 
> >Notice the timestamps (19:23:03 :06 :12 :24) - these are all different
> >packets.
> >[snip]
> >
> >and all have the same source (1261) and destination 3042) port, so
> >they do look identical. But they arrived at different times...
> >
> >>So, the question is obvious: is what I'm sending correct or not?
> >>
> >I'd say, yes, it is correct...
> >
> Well, I don't know... I mean, yes, they did arrive at different times, 
> but why does the third field in the dshield logs look like that in the 
> following entries:

                                            1, 2, 3, 4 - that one?

> 2002-11-17 19:23:03 +02:00    12345678    1    62.47.161.110    1261    217.156.116.130    3042    TCP    S
> 2002-11-17 19:23:06 +02:00    12345678    2    62.47.161.110    1261    217.156.116.130    3042    TCP    S
> 2002-11-17 19:23:12 +02:00    12345678    3    62.47.161.110    1261    217.156.116.130    3042    TCP    S
> 2002-11-17 19:23:24 +02:00    12345678    4    62.47.161.110    1261    217.156.116.130    3042    TCP    S

That is weird.

My dshield logs never increment that digit.

In my:

<snip>
$VERSION='11082001';
#
# /usr/local/dshield/snort_18_syslog.plx
# at finchhaven.net 10/28/01
#
# DShield Client Framework
<snip>

<snip>
foreach $line (<LOGFILE>) {
	#
	#  @dshield_array:
	#
	# 0 - time/date/timezone 1 - author 2 - count
	# 3 - sourceip, 4 - sourceport, 
	# 5 - targetip, 6 - targetport,
	# 7 - protocol, 8 - flags
<snip>

And at: http://www.dshield.org/specs.html

3. Count (number, used to summarize identical records, default=1)

So this is what I get:

2002-11-17 08:39:56 -09:00 123456789   1  202.61.252.24   3181  12.82.137.146  139     TCP
2002-11-17 08:39:56 -09:00 123456789   1  202.61.252.24   3181  12.82.137.146  139     TCP
2002-11-17 08:39:56 -09:00 123456789   1  202.61.252.24   3181  12.82.137.146  139     TCP
2002-11-17 08:39:56 -09:00 123456789   1  202.61.252.24   3183  12.82.137.146  445     TCP
2002-11-17 08:39:56 -09:00 123456789   1  202.61.252.24   3184  12.82.137.146  139     TCP
2002-11-17 08:39:56 -09:00 123456789   1  202.61.252.24   3184  12.82.137.146  139     TCP
2002-11-17 08:39:56 -09:00 123456789   1  202.61.252.24   3184  12.82.137.146  139     TCP

Note that all these happened at "08:39:56" and are otherwise
identical except for two changes in source port...



- John
-- 
Forest: a collection of trees

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
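An added example, not code from this thread or from the DShield client: a small Python script that parses records in the dshield layout described above (field order taken from the @dshield_array comment) and summarizes identical records by adding up the Count field, which is what the spec's "used to summarize identical records" implies. It assumes whitespace-separated fields, a timestamp spanning three tokens, and an optional trailing flags field; the sample input is constructed from John's records with a placeholder author id.

```python
"""Summarize identical DShield client records by incrementing Count.
Field order from the @dshield_array comment quoted above: 0 date/time/tz,
1 author, 2 count, 3 srcip, 4 srcport, 5 targetip, 6 targetport,
7 protocol, 8 flags (absent in John's lines, present in Bogdan's)."""

# Constructed sample: John's records from the post, each on one line,
# with a placeholder author id.
SAMPLE_LOG = """\
2002-11-17 08:39:56 -09:00 123456789 1 202.61.252.24 3181 12.82.137.146 139 TCP
2002-11-17 08:39:56 -09:00 123456789 1 202.61.252.24 3181 12.82.137.146 139 TCP
2002-11-17 08:39:56 -09:00 123456789 1 202.61.252.24 3181 12.82.137.146 139 TCP
2002-11-17 08:39:56 -09:00 123456789 1 202.61.252.24 3183 12.82.137.146 445 TCP
2002-11-17 08:39:56 -09:00 123456789 1 202.61.252.24 3184 12.82.137.146 139 TCP
2002-11-17 08:39:56 -09:00 123456789 1 202.61.252.24 3184 12.82.137.146 139 TCP
2002-11-17 08:39:56 -09:00 123456789 1 202.61.252.24 3184 12.82.137.146 139 TCP
"""


def parse_record(line):
    """Split one record into named fields; the timestamp spans 3 tokens."""
    tok = line.split()
    if len(tok) < 10:
        raise ValueError("short record: %r" % line)
    return {"ts": " ".join(tok[:3]), "author": tok[3], "count": int(tok[4]),
            "src": tok[5], "sport": tok[6], "dst": tok[7], "dport": tok[8],
            "proto": tok[9], "flags": tok[10] if len(tok) > 10 else ""}


def summarize(text):
    """Merge records identical apart from Count, summing the counts."""
    # The timestamp is part of the key, so hits seconds apart (Bogdan's
    # 19:23:03/:06/:12/:24 lines) stay separate records, each with count 1.
    merged = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        key = tuple(r[k] for k in ("ts", "author", "src", "sport",
                                   "dst", "dport", "proto", "flags"))
        if key in merged:
            merged[key]["count"] += r["count"]
        else:
            merged[key] = r
    return list(merged.values())


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec["count"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
```

Run as-is it collapses John's seven lines into three records with counts 3, 1 and 3; fed Bogdan's four lines it leaves them as four separate records, because their timestamps differ.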