[Dshield] DShield vs. Symantec: new features?

Erwin Van de Velde erwin.vandevelde at ua.ac.be
Fri Jan 9 12:00:42 GMT 2004

On Friday 09 January 2004 04:30, Al Reust wrote:
> If I were to look at this pragmatically, you are responding to the data
> that has been presented for evaluation. Latency in the data feed would
> place you in a vulnerable position. If everyone uploads  log at 2:00am then
> latency is Large.. if they upload every two days latency is larger. If
> everyone automatically uploaded data every two hours your latency would be
> "two hours +" The Plus would be "your" checking the within the cycle and
> the information that you are checking to respond to.

Yes, I know, but this would only be one of the measures I take... I actively 
check the data of my own LAN too, but it could happen that the attack has not 
reached me yet, but that DShield already knows of it...
The problem with seeing it on your own LAN, is that it is on your own LAN :-)
Then you can only take containment measures, but it is to late for prevention.

> Johannes could set a semaphore (green, yellow, red or Hell is out for
> Lunch) file for the appropriate condition which included the "ports" you
> could then setup a GET to get Green, Yellow, Red etc.. and then grep the
> port information of which specific ports to close. If it comes from a HTTPS
> then reliability is "fairly" assured. So unless Johannes wants to play a
> little April Fools Joke, everyone is happy with shared developed scripts.

This would be a lot easier indeed, and let's hope he does not play tricks on 
us, his popularity would suffer of it anyway :-)

> The big key is getting everyone to send smaller logs more frequently, this
> would be to reduce the latency. Then the systems approaches "real time"
> activity. This goes along with training Sysadmins that schedule things for
> 2:00am because nothing else is happening and the backups are done..
> Learning to schedule small things for after the morning Login Rush.. it
> only takes 5 minutes, and if it really failed you wanted to know before in
> the morning. The "Servers" tend to do more work from 10:0pm to 5:00am (any
> time zone) than they do all day after the Login rush.

Yes indeed, my system could provide this, by automatically sending the logs 
every 15 minutes or every hour. I only have to see where I get with all my 
beautiful plans :-)
A year has only 12 months, and I'm not going to do my last year at university 
twice if I can avoid it :-)

Erwin Van de Velde
Student of University of Antwerp

More information about the list mailing list