[Dshield] count field?
mbr at cipherdyne.com
Tue Jun 3 02:32:43 GMT 2003
Hello list -
According to the dshield spec, in the dshield format the count field
is used to summarize identical records. So, suppose I have two
identical iptables entries (separated by five seconds) like so:
Jun 2 22:18:32 orthanc kernel: DROP IN=eth0 OUT= MAC= ...
Jun 2 22:18:37 orthanc kernel: DROP IN=eth0 OUT= MAC= ...
(source, destination, source port, and destination port are all the
When my program parses these two lines, should it only submit a
single line in the dshield format with a count of 2? If so, then
should the timestamp be taken from the latest log entry? I looked
at the sample iptables.pl parser available on the dshield website
and it does not appear to do this.
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
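As an added illustration of the aggregation step the question is about (this is example code, not the poster's program and not the iptables.pl parser from the dshield website), the script below parses iptables DROP lines, collapses entries with the same source, destination, source port, destination port and protocol into one record with a count, and keeps both the first and the last timestamp so either can be used. The log lines are constructed (documentation addresses, made-up MAC), the year is supplied by the caller because syslog timestamps omit it, and the tab-separated field order in to_dshield (date, user id, count, src, sport, dst, dport, proto, flags), the timezone string and the flag encoding are this example's assumptions to be checked against the dshield spec rather than facts from the post.

```python
import re
from datetime import datetime

# Constructed sample iptables log lines modelled on the two in the post.
# Addresses are RFC 5737 documentation ranges; the MAC is made up.
SAMPLE_LOG = """\
Jun  2 22:18:32 orthanc kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1234 DF PROTO=TCP SPT=3217 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  2 22:18:37 orthanc kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1235 DF PROTO=TCP SPT=3217 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  2 22:19:01 orthanc kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 DF PROTO=UDP SPT=1026 DPT=137 LEN=40
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# syslog prefix: "Mon dd HH:MM:SS host kernel: <netfilter key=value tokens>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<rest>.*)$"
)


def parse_line(line, year):
    """Return (timestamp, fields, flags) for one iptables log line, or None.

    Syslog timestamps carry no year, so the caller supplies it. Tokens of the
    form KEY=VALUE become dict entries; bare TCP flag tokens are collected.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    tokens = m.group("rest").split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    flags = [tok for tok in tokens if tok in TCP_FLAGS]
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    return ts, fields, flags


def aggregate(lines, year):
    """Collapse lines with identical (src, sport, dst, dport, proto) into one
    record carrying a count plus first- and last-seen timestamps.

    Records are returned in first-seen order (dict insertion order).
    """
    buckets = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, f, flags = parsed
        key = (f["SRC"], f.get("SPT", ""), f["DST"], f.get("DPT", ""), f["PROTO"])
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {
                "src": key[0], "sport": key[1], "dst": key[2],
                "dport": key[3], "proto": key[4],
                "count": 1, "first_seen": ts, "last_seen": ts,
                "flags": ",".join(flags),
            }
        else:
            rec["count"] += 1
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec["last_seen"] = max(rec["last_seen"], ts)
    return list(buckets.values())


def to_dshield(rec, user_id, tz="-04:00", use_latest=True):
    """Render one aggregated record as a tab-separated line.

    ASSUMPTION: the field order (date, user id, count, src, sport, dst, dport,
    proto, flags), the "YYYY-MM-DD HH:MM:SS TZ" date layout and the comma-joined
    flag names are this example's guess at the dshield format; verify against
    the spec. use_latest picks the last-seen timestamp, as the post proposes.
    """
    ts = rec["last_seen"] if use_latest else rec["first_seen"]
    return "\t".join([
        f"{ts:%Y-%m-%d %H:%M:%S} {tz}", str(user_id), str(rec["count"]),
        rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"],
        rec["flags"],
    ])


if __name__ == "__main__":
    for record in aggregate(SAMPLE_LOG.splitlines(), year=2003):
        print(to_dshield(record, "USERID_PLACEHOLDER"))
```

Run as-is it prints two lines: the two identical TCP entries become one record with a count of 2 and the 22:18:37 timestamp, and the UDP entry stays a record of its own. Keeping first_seen as well costs nothing and lets you switch the reported timestamp once the spec question is settled.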