[Dshield] count field?

Johannes B. Ullrich jullrich at sans.org
Tue Jun 3 03:33:46 GMT 2003


only consolidate lines if the timestamp is identical as well.
For all practical purposes, you will hardly ever have to increment the
'count' field. The count field is kind of a leftover from the very early
days of DShield. We didn't require a
'time' back then...


On Mon, 2003-06-02 at 22:32, Michael Rash wrote:
> Hello list -
> 
> According to the dshield spec, in the dshield format the count field
> is used to summarize identical records.  So, suppose I have two
> identical iptables entries (separated by five seconds) like so:
> 
> Jun  2 22:18:32 orthanc kernel: DROP IN=eth0 OUT= MAC= ...
> Jun  2 22:18:37 orthanc kernel: DROP IN=eth0 OUT= MAC= ...
> 
> (source, destination, source port, and destination port are all the
> same, etc.).
> 
> When my program parses these two lines, should it only submit a
> single line in the dshield format with a count of 2?  If so, then
> should the timestamp be taken from the latest log entry?  I looked
> at the sample iptables.pl parser available on the dshield website
> and it does not appear to do this.
> 
> --Mike
> 
> Michael Rash
> http://www.cipherdyne.com
> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
> 
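As an added worked example (not code from this thread, from DShield, or from the iptables.pl parser mentioned above): a small Python converter that applies the rule in the reply, turning iptables DROP lines into DShield rows and consolidating two lines into one row with a higher count only when every field, the timestamp included, is identical. The tab-separated field order (date/time with zone, user ID, count, source IP, source port, target IP, target port, protocol, TCP flags), the single-letter flag encoding, and placing ICMP type/code in the port columns are my recollection of the DShield format and should be checked against the current spec. The sample log lines are constructed; since syslog omits the year, the caller supplies it along with the user ID and zone.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not from the page): two identical TCP drops five
# seconds apart, then two identical UDP drops logged within the same second.
SAMPLE_LOG = """\
Jun  2 22:18:32 orthanc kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=113 ID=41222 DF PROTO=TCP SPT=3172 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  2 22:18:37 orthanc kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=113 ID=41223 DF PROTO=TCP SPT=3172 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  2 22:19:01 orthanc kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=404 TTL=108 ID=7 PROTO=UDP SPT=1026 DPT=1434 LEN=384
Jun  2 22:19:01 orthanc kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=404 TTL=108 ID=8 PROTO=UDP SPT=1026 DPT=1434 LEN=384
"""

# Classic syslog prefix written by the iptables LOG target
# ("Jun  2 22:18:32 host kernel: PREFIX IN=..."), with an optional
# bracketed kernel uptime stamp after "kernel:" on newer systems.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+\S+\s+kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<rest>.*)$"
)

# Bare TCP flag tokens emitted by the LOG target, mapped to one letter each.
# The letter order is an assumption; check the DShield spec for its flag column.
TCP_FLAG_LETTERS = {"SYN": "S", "ACK": "A", "FIN": "F", "RST": "R", "PSH": "P", "URG": "U"}


@dataclass(frozen=True)
class Record:
    """One dropped packet. frozen=True makes it hashable, so it can key a dict."""
    when: datetime
    src: str
    spt: str
    dst: str
    dpt: str
    proto: str
    flags: str


def parse_iptables_line(line: str, year: int) -> Optional[Record]:
    """Parse one LOG-target syslog line into a Record; None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    kv: Dict[str, str] = dict(re.findall(r"(\w+)=(\S*)", rest))
    if not all(k in kv for k in ("SRC", "DST", "PROTO")):
        return None
    # syslog carries no year, so the caller supplies it (assumption).
    when = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}", "%Y %b %d %H:%M:%S"
    )
    proto = kv["PROTO"].upper()
    if proto == "ICMP":
        # Assumed DShield convention: ICMP type and code in the port columns.
        spt, dpt = kv.get("TYPE", "???"), kv.get("CODE", "???")
    else:
        spt, dpt = kv.get("SPT", "???"), kv.get("DPT", "???")
    tokens = set(rest.split())
    flags = "".join(c for tok, c in TCP_FLAG_LETTERS.items() if tok in tokens) if proto == "TCP" else ""
    return Record(when, kv["SRC"], spt, kv["DST"], dpt, proto, flags)


def consolidate(records: List[Record]) -> List[Tuple[Record, int]]:
    """Collapse exact duplicates into (record, count).

    Every field must match, the timestamp included, so two drops five seconds
    apart stay as two rows with count 1, as the reply above advises.
    Dict insertion order (Python 3.7+) keeps rows in first-seen order.
    """
    counts: Dict[Record, int] = {}
    for r in records:
        counts[r] = counts.get(r, 0) + 1
    return list(counts.items())


def format_dshield(rec: Record, count: int, userid: str, tz: str) -> str:
    """Render one tab-separated DShield row (field order is an assumption; see lead-in)."""
    return "\t".join([
        f"{rec.when:%Y-%m-%d %H:%M:%S} {tz}",
        userid, str(count), rec.src, rec.spt, rec.dst, rec.dpt, rec.proto, rec.flags,
    ])


def convert(log_text: str, year: int, userid: str, tz: str = "+00:00") -> List[str]:
    """Parse, consolidate and format a block of syslog text into DShield rows."""
    records = [r for r in (parse_iptables_line(l, year) for l in log_text.splitlines()) if r]
    return [format_dshield(r, n, userid, tz) for r, n in consolidate(records)]


if __name__ == "__main__":
    for row in convert(SAMPLE_LOG, 2003, "0"):
        print(row)
```

Run on the sample, the two TCP lines come out as two rows with count 1, while the two UDP lines (same second, differing only in IP ID, which is not part of the key) become one row with count 2. If you would rather merge by time window instead, widen the key deliberately and document it; with exact-second matching the count field stays, as the reply says, something you will rarely need to increment.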



