[Dshield] Request for Information re: Linksys Router Logging and Dshield Submissions

John Sage jsage at finchhaven.com
Thu Oct 16 17:39:37 GMT 2003


Let me edit for brevity, and then take a wild stab at answering what I
think is your question...

On Thu, Oct 16, 2003 at 12:23:18PM -0400, John Holmblad wrote:
> All,
> 
> I recently made a modification to my Linksys router (BEFSX41) to 
> explicitly filter (by configuring a new filter using the filters tab on 
> the www browser based control console for the Linksys router) incoming 
> packets targeted to UDP port 1026 on my router and coming from the 
> Internet.

You are now "filtering" (i.e. stopping) incoming packets to UDP:1026.

/* snip */

> I now realize that these "hits" were 
> probably of that kind and that these submissions may have somehow 
> contributed to DShield's statistics, and, in turn, Microsoft's awareness 
> that something was going on with respect to a vulnerability in the 
> Messenger service.

Don't think for one second that Micro$oft pays any attention to what
dshield shows as active vulnerabilities...

> One side effect of this new filtering rule in my router appears to be 
> that my daily submissions to Dshield via the CVTWIN software no longer 
> report such "hits".

OK: you're "filtering" them (see above), so how would dshield know
about them? 

> This diminution of Dshield submission volume was 
> a surprising result to me

Why?

> especially because, when I use the 
> aforementioned Linksys "www browser based control console" to examine 
> the log file entries, such "hits", which formerly appeared in green type 
> font, are now in red, indicating that they were stopped by a filtering 
> rule!

OK: what are we missing here? Your rule stops the packets; Linksys
reports them as having been seen on your exterior interface, but they
were not accepted.

> Obviously, red should be of more concern than green, so why don't 
> these log entries, which are now flagged in red type font, get into my 
> submissions to Dshield?

Because you're filtering them out.

/* snip */

Is your primary goal to supply dshield with comprehensive reports, or
to protect your system(s)?



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
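Added example (not part of the original message, and not code from DShield, CVTWIN or Linksys): a small Python script that makes the distinction above concrete. A router that drops a packet still saw it on the exterior interface and still logs it; whether the dropped entries reach a submission file is purely a choice of the parser. The log layout (timestamp, action, protocol, source, destination), the tab-separated record layout and the submitter id are all assumptions made for this example; the sample log lines are constructed and the addresses are documentation ranges.

```python
"""Constructed example: what a router logs vs. what a submission tool
reports. The log format here is an ASSUMED, simplified one, NOT the
real Linksys BEFSX41 log format; the output record layout loosely
follows a tab-separated submission style and is also an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

# Constructed sample log. "accept" is what the web console shows in green,
# "drop" is what it shows in red after a filter rule matches.
SAMPLE_LOG = """\
2003-10-16 12:01:03,accept,UDP,198.51.100.44:1026,192.0.2.7:1026
2003-10-16 12:01:09,drop,UDP,198.51.100.44:1026,192.0.2.7:1026
2003-10-16 12:02:15,drop,TCP,203.0.113.9:4821,192.0.2.7:135
2003-10-16 12:03:40,accept,TCP,203.0.113.9:4822,192.0.2.7:80
2003-10-16 12:04:01,drop,UDP,10.0.0.5:1026,192.0.2.7:1026
"""


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    action: str  # "accept" or "drop"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _split_endpoint(endpoint: str):
    """'198.51.100.44:1026' -> ('198.51.100.44', 1026); validates the IP."""
    host, _, port = endpoint.rpartition(":")
    return str(ipaddress.ip_address(host)), int(port)


def parse_log(text: str) -> List[LogEntry]:
    """Parse every non-empty line; refuse unknown actions rather than
    silently treating them as accepted or dropped."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, action, proto, src, dst = line.split(",")
        action = action.lower()
        if action not in ("accept", "drop"):
            raise ValueError(f"unknown action {action!r} in line: {line}")
        sip, sport = _split_endpoint(src)
        dip, dport = _split_endpoint(dst)
        entries.append(LogEntry(ts, action, proto.upper(), sip, sport, dip, dport))
    return entries


def count_by_action(entries: Iterable[LogEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.action] = counts.get(e.action, 0) + 1
    return counts


def hits_on_port(entries: Iterable[LogEntry], proto: str, port: int,
                 actions: Sequence[str] = ("accept", "drop")) -> List[LogEntry]:
    """Entries aimed at proto/port, optionally restricted by router action."""
    return [e for e in entries
            if e.proto == proto and e.dst_port == port and e.action in actions]


def submission_records(entries: Iterable[LogEntry],
                       actions: Sequence[str] = ("accept", "drop"),
                       submitter: str = "00000000") -> List[str]:
    """Render entries as tab-separated records: date, time, submitter id,
    count, source ip, source port, target ip, target port, protocol.
    (Assumed layout; submitter id is a placeholder.) The `actions`
    parameter is the whole point: a tool that passes only ("accept",)
    loses every hit the filter rule now stops."""
    wanted = set(actions)
    out: List[str] = []
    for e in entries:
        if e.action not in wanted:
            continue
        date, time = e.timestamp.split(" ")
        out.append("\t".join([date, time, submitter, "1", e.src_ip,
                              str(e.src_port), e.dst_ip, str(e.dst_port),
                              e.proto]))
    return out


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("logged by action:", count_by_action(log))
    print("UDP/1026 hits, accepted only:",
          len(hits_on_port(log, "UDP", 1026, actions=("accept",))))
    print("UDP/1026 hits, accepted + dropped:",
          len(hits_on_port(log, "UDP", 1026)))
    print("records if only accepted packets are submitted:",
          len(submission_records(log, actions=("accept",))))
    print("records if dropped packets are submitted too:",
          len(submission_records(log)))
```

Run as-is and the accepted-only view shows exactly the drop in volume described in the thread: the UDP/1026 probes are still in the log, marked as dropped, and only reappear in the output once the submission step is told to include dropped entries.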