[Dshield] CVTWIN DShield Logs Not Matching

Johannes Ullrich jullrich at euclidian.com
Wed Sep 10 11:46:36 GMT 2003


> ip>
> 
> Actually, this may be a rather common convention: since ICMP does not
> use source or destination ports in the sense that TCP or UDP does (at
> all, for that matter), it's not uncommon to see the ICMP type (8 for a
> ping) and ICMP code (0 for a ping) represented as "source port" and
> "destination port"
> 
> The meaning here becomes:
> 
> > 2003-09-08 11:17:29 -04:00 96526936 1 66.57.223.157 8 10.57.81.134 0 ICMP 
> 
> ICMP type 8, code 0 = ping


Correct. Sorry for not responding earlier. The 'type=source port' and
'code=target port' convention is just for database design convenience.
In addition, the types/codes are not typically used ports, so it is a
good assumption to say "target port 0 = ping".

We could break things out by protocol in our reports. But this would add
another layer of complexity to the reporting and in most cases wouldn't
make a big difference. Port 135 is probably the only "prominent" port
where UDP and TCP are used frequently. On the other hand: before
blaster, we saw almost exclusively UDP (popup spam), while now we see
almost exclusively TCP from blaster.



-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
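The convention discussed above (ICMP type in the "source port" column, ICMP code in the "target port" column) is easy to misread as "port 0" if a log parser treats every row the same way. The following parser is an added example written for this thread, not DShield's own code or anything the poster published. It assumes the column order of the quoted line (date, time, UTC offset, submitter id, count, source IP, source port, target IP, target port, protocol, optional TCP flags) and uses constructed sample lines; the small ICMP name table is a hypothetical subset, not a complete type/code list. It also keeps a per-protocol count, which is the "break things out by protocol" idea from the reply: TCP/135 and UDP/135 stay separate, and ICMP rows are keyed by type/code instead of by a bogus port number.

```python
from collections import Counter

# Constructed sample lines in the DShield submission layout discussed in the
# thread. The first is the line quoted in the post; the other two are made up
# to show UDP/135 and TCP/135 being counted separately.
SAMPLE_LINES = [
    "2003-09-08 11:17:29 -04:00 96526936 1 66.57.223.157 8 10.57.81.134 0 ICMP",
    "2003-09-08 11:18:02 -04:00 96526936 1 192.0.2.10 1234 10.57.81.134 135 UDP",
    "2003-09-08 11:18:40 -04:00 96526936 3 198.51.100.7 4444 10.57.81.134 135 TCP S",
]

# Hypothetical subset of ICMP (type, code) names; a real tool would carry the
# full IANA table.
ICMP_NAMES = {
    (8, 0): "echo request (ping)",
    (0, 0): "echo reply",
    (3, 3): "destination unreachable: port unreachable",
    (11, 0): "time exceeded: TTL exceeded in transit",
}


def parse_line(line: str) -> dict:
    """Split one DShield log line into named fields.

    For ICMP rows the "source port" column carries the ICMP type and the
    "target port" column the ICMP code, so those two columns are renamed
    instead of being reported as ports.
    """
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"expected at least 10 fields, got {len(fields)}: {line!r}")
    date, time, tz, submitter, count, src_ip, src_col, dst_ip, dst_col, proto = fields[:10]
    flags = fields[10] if len(fields) > 10 else ""  # TCP flags column is optional
    record = {
        "timestamp": f"{date} {time} {tz}",
        "submitter": submitter,
        "count": int(count),
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "protocol": proto.upper(),
    }
    if record["protocol"] == "ICMP":
        icmp_type, icmp_code = int(src_col), int(dst_col)
        record["icmp_type"] = icmp_type
        record["icmp_code"] = icmp_code
        record["description"] = ICMP_NAMES.get(
            (icmp_type, icmp_code), f"ICMP type {icmp_type} code {icmp_code}"
        )
    else:
        record["src_port"] = int(src_col)
        record["dst_port"] = int(dst_col)
        record["flags"] = flags
    return record


def summarize_targets(lines) -> dict:
    """Sum packet counts per (protocol, target).

    TCP and UDP are keyed by destination port, so TCP/135 and UDP/135 are
    reported as different things; ICMP is keyed by "type/code" so a ping is
    never folded into a "port 0" bucket.
    """
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["protocol"] == "ICMP":
            key = ("ICMP", f"{rec['icmp_type']}/{rec['icmp_code']}")
        else:
            key = (rec["protocol"], rec["dst_port"])
        totals[key] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print(summarize_targets(SAMPLE_LINES))
```

Running the block prints each parsed record and then the per-protocol totals; the ICMP line comes out as type 8, code 0, "echo request (ping)", with no `dst_port` key at all, which is the safer representation when the rows later feed a port-based report.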