[Dshield] DShield vs. Symantec: new features?
Erwin Van de Velde
erwin.vandevelde at ua.ac.be
Fri Jan 9 12:00:42 GMT 2004
On Friday 09 January 2004 04:30, Al Reust wrote:
> If I were to look at this pragmatically, you are responding to the data
> that has been presented for evaluation. Latency in the data feed would
> place you in a vulnerable position. If everyone uploads log at 2:00am then
> latency is Large.. if they upload every two days latency is larger. If
> everyone automatically uploaded data every two hours your latency would be
> "two hours +" The Plus would be "your" checking the within the cycle and
> the information that you are checking to respond to.
Yes, I know, but this would only be one of the measures I take... I actively
check the data of my own LAN too, but it could happen that the attack has not
reached me yet, but that DShield already knows of it...
The problem with seeing it on your own LAN, is that it is on your own LAN :-)
Then you can only take containment measures, but it is to late for prevention.
> Johannes could set a semaphore (green, yellow, red or Hell is out for
> Lunch) file for the appropriate condition which included the "ports" you
> could then setup a GET to get Green, Yellow, Red etc.. and then grep the
> port information of which specific ports to close. If it comes from a HTTPS
> then reliability is "fairly" assured. So unless Johannes wants to play a
> little April Fools Joke, everyone is happy with shared developed scripts.
This would be a lot easier indeed, and let's hope he does not play tricks on
us, his popularity would suffer of it anyway :-)
> The big key is getting everyone to send smaller logs more frequently, this
> would be to reduce the latency. Then the systems approaches "real time"
> activity. This goes along with training Sysadmins that schedule things for
> 2:00am because nothing else is happening and the backups are done..
> Learning to schedule small things for after the morning Login Rush.. it
> only takes 5 minutes, and if it really failed you wanted to know before in
> the morning. The "Servers" tend to do more work from 10:0pm to 5:00am (any
> time zone) than they do all day after the Login rush.
Yes indeed, my system could provide this, by automatically sending the logs
every 15 minutes or every hour. I only have to see where I get with all my
beautiful plans :-)
A year has only 12 months, and I'm not going to do my last year at university
twice if I can avoid it :-)
Erwin Van de Velde
Student of University of Antwerp
More information about the list