[Dshield] DShield Submission Confirmation Question re unique lines

Johannes Ullrich jullrich at euclidian.com
Fri Mar 14 12:59:34 GMT 2003

> This is from a daily pf parser submission and I'm curious about the 492 lines in file and 290 lines
> written to the database. I realize the parser counts each as '1' but given that each line had a
> unique time stamp, wouldn't all of the lines have been written? Or is it simply that the lines are
> added up during the submission process and there is no need to actually write each line to the 
> database?

The parser only consolidates identical lines. So if each line had a 
unique time stamp, the number of submitted and unique lines should
be identical. I will have to check your submission for details
and will respond off list (don't want to post your submission to the
list here).

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

