[Dshield] count field?

Michael Rash mbr at cipherdyne.com
Tue Jun 3 02:32:43 GMT 2003

Hello list -

According to the dshield spec, in the dshield format the count field
is used to summarize identical records.  So, suppose I have two
identical iptables entries (separated by five seconds) like so:

Jun  2 22:18:32 orthanc kernel: DROP IN=eth0 OUT= MAC= ...
Jun  2 22:18:37 orthanc kernel: DROP IN=eth0 OUT= MAC= ...

(source, destination, source port, and destination port are all the
same, etc.).

When my program parses these two lines, should it only submit a
single line in the dshield format with a count of 2?  If so, then
should the timestamp be taken from the latest log entry?  I looked
at the sample iptables.pl parser available on the dshield website
and it does not appear to do this.


Michael Rash
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
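
An added illustration of the summarizing the post asks about (not code from the post, from the DShield site, or from iptables.pl): it collapses iptables log lines that share source, source port, destination, destination port and protocol into one record with a count. The sample lines, the choice of fields that make two records "identical", and the year are assumptions; since the post leaves open which timestamp to report, both the first and last are kept.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample lines in iptables LOG style (documentation-range addresses).
SAMPLE_LOG = """\
Jun  2 22:18:32 orthanc kernel: DROP IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 SYN URGP=0
Jun  2 22:18:37 orthanc kernel: DROP IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 SYN URGP=0
Jun  2 22:19:01 orthanc kernel: DROP IN=eth0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=78 TTL=110 PROTO=UDP SPT=1025 DPT=137 LEN=58
Jun  2 22:19:05 orthanc kernel: this line is not a packet log
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*\bIN=\S*")
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line, year=2003):
    """Return (timestamp, key) for a packet log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = dict(KV_RE.findall(line))
    if "SRC" not in f or "DST" not in f:
        return None
    # Syslog timestamps carry no year, so the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    # Assumed definition of "identical": same 5-tuple. ICMP has no ports.
    key = (f["SRC"], f.get("SPT", ""), f["DST"], f.get("DPT", ""), f.get("PROTO", ""))
    return ts, key


def summarize(lines, year=2003):
    """Collapse records with the same key into one entry carrying a count."""
    out = OrderedDict()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # skip non-packet kernel messages
        ts, key = parsed
        rec = out.setdefault(key, {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return out


if __name__ == "__main__":
    for key, rec in summarize(SAMPLE_LOG.splitlines()).items():
        print(rec["count"], rec["first"], rec["last"], *key)
```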

