[Dshield] Iptables parsing

Johannes B. Ullrich jullrich at euclidian.com
Fri Jun 10 11:16:12 GMT 2005


> 
> Correct me if I'm wrong folks but Dshield excludes ICMP.
> 

We stopped accepting ICMP when Nachi came out and ICMP traffic went 
through the roof. I guess I should try to turn it on again. Not sure how 
much ICMP we get these days. Some of the ICMP traffic is useful to us 
(e.g. ICMP other than echo request / reply, and echo requests to 
broadcast IPs and such).



> 
>>None of this shows up as being reported in my database. The reports I get
>>back (when I get one back) always show 0 lines imported.
> 
> 
>>Whereas the output from my Dlink router does get entered into the database:
> 
> 
>>Jun/08/2005 14:59:37
>> Drop UDP packet from WAN src:61.152.158.126:58033 dst:68.106.147.232:1029
>>Rule: Default deny
>>Jun/08/2005 14:59:37
>> Drop UDP packet from WAN src:61.152.158.126:58033 dst:68.106.147.232:1026
>>Rule: Default deny
>>Jun/08/2005 14:58:35
>> Drop UDP packet from WAN src:204.253.46.76:20148 dst:68.106.147.232:1026
>>Rule: Default deny
> 
> 
>>Lines written to database (up to 10):
>>Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53 DST=224.0.0.251 LEN=114 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=94
>>
>>Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53 DST=224.0.0.251 LEN=132 TOS=0x00 PREC=0x00 TTL=255 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=112
>>
> 
> You have an inconsistency - UDP vs ICMP.
> 

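The thread contrasts two firewall log formats (netfilter LOG lines from iptables, and the three-line D-Link "Drop ... packet from WAN" blocks) and touches on DShield's policy of not accepting ICMP. The following is an added example, not code from this thread, from DShield or from its submission client: a small Python parser for both formats that normalises them into one record shape, plus a reporting filter. Everything about the filter is this example's own assumption (outbound packets and non-routable addresses are skipped, ICMP is skipped unless explicitly enabled, and ICMP type/code are carried in the port slots); the thread does not say why the poster's iptables lines imported as 0. The sample log lines are constructed from the ones quoted above, and the ICMP line is added to exercise netfilter's TYPE=/CODE= variant.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample input modelled on the two formats quoted in the thread.
# The third iptables line (ICMP echo request) is constructed for this example.
IPTABLES_LOG = [
    "Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53 "
    "DST=224.0.0.251 LEN=114 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP "
    "SPT=5353 DPT=5353 LEN=94",
    "Jun  8 14:59:37 gw kernel: Deny IN=eth0 OUT= SRC=61.152.158.126 "
    "DST=68.106.147.232 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2212 PROTO=TCP "
    "SPT=58033 DPT=1029 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jun  8 14:59:40 gw kernel: Deny IN=eth0 OUT= SRC=61.152.158.126 "
    "DST=68.106.147.232 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1 SEQ=1",
]

DLINK_LOG = """\
Jun/08/2005 14:59:37
 Drop UDP packet from WAN src:61.152.158.126:58033 dst:68.106.147.232:1029
Rule: Default deny
Jun/08/2005 14:58:35
 Drop UDP packet from WAN src:204.253.46.76:20148 dst:68.106.147.232:1026
Rule: Default deny
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s*(.*)$")
KV_RE = re.compile(r"^([A-Z]+)=(.*)$")
DLINK_TS_RE = re.compile(r"^(\w{3})/(\d\d)/(\d{4})\s+(\d\d:\d\d:\d\d)$")
DLINK_PKT_RE = re.compile(
    r"^\s*Drop\s+(\w+)\s+packet\s+from\s+\w+\s+src:([\d.]+):(\d+)\s+dst:([\d.]+):(\d+)")


def parse_iptables(line, year=2005):
    """Parse one netfilter LOG line into a flat record; return None otherwise."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, rest = m.groups()
    fields, flags, prefix = {}, [], []
    for tok in rest.split():
        kv = KV_RE.match(tok)
        if kv:
            key, val = kv.groups()
            # netfilter prints LEN= twice (IP total length, then UDP/ICMP
            # length) and ID= twice for ICMP echo; suffix repeats instead
            # of silently overwriting the first value.
            while key in fields:
                key += "_"
            fields[key] = val
        elif fields:
            flags.append(tok)      # bare flags such as DF, SYN, ACK
        else:
            prefix.append(tok)     # --log-prefix text before the first KEY=
    proto = fields.get("PROTO", "")
    if proto == "ICMP":
        # Assumption for this example: ICMP type/code ride in the port slots.
        sport, dport = fields.get("TYPE"), fields.get("CODE")
    else:
        sport, dport = fields.get("SPT"), fields.get("DPT")
    return {
        "time": datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S"),
        "prefix": " ".join(prefix),
        "direction": "in" if fields.get("IN") else "out",
        "src": fields.get("SRC"), "sport": int(sport) if sport else None,
        "dst": fields.get("DST"), "dport": int(dport) if dport else None,
        "proto": proto, "flags": flags,
        "ip_len": int(fields["LEN"]) if "LEN" in fields else None,
        "payload_len": int(fields["LEN_"]) if "LEN_" in fields else None,
    }


def parse_dlink(text):
    """Parse D-Link three-line event blocks (timestamp, packet, rule)."""
    records, when = [], None
    for line in text.splitlines():
        m = DLINK_TS_RE.match(line)
        if m:
            mon, day, year, clock = m.groups()
            when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            continue
        m = DLINK_PKT_RE.match(line)
        if m and when:
            proto, src, sport, dst, dport = m.groups()
            records.append({"time": when, "prefix": "", "direction": "in",
                            "src": src, "sport": int(sport),
                            "dst": dst, "dport": int(dport),
                            "proto": proto.upper(), "flags": [],
                            "ip_len": None, "payload_len": None})
    return records


def is_routable(addr):
    """True for addresses that can appear on the public Internet."""
    a = ipaddress.ip_address(addr)
    return not (a.is_private or a.is_multicast or a.is_loopback
                or a.is_link_local or a.is_reserved or a.is_unspecified)


def is_reportable(rec, accept_icmp=False):
    """Return None if the record can be reported, else the skip reason.

    These rules are this example's assumptions, not DShield's documented ones.
    """
    if rec["proto"] == "ICMP" and not accept_icmp:
        return "icmp excluded"
    if rec["direction"] != "in":
        return "outbound"
    for key in ("src", "dst"):
        if not is_routable(rec[key]):
            return f"{key} not routable ({rec[key]})"
    return None


def filter_records(records, accept_icmp=False):
    """Split records into (reportable, [(record, reason), ...])."""
    kept, skipped = [], []
    for rec in records:
        reason = is_reportable(rec, accept_icmp)
        (kept if reason is None else skipped).append(rec if reason is None else (rec, reason))
    return kept, skipped
```

Run against the constructed input, the two "Bogon Drop" style lines parse cleanly (prefix, both LEN values, the DF flag) but are skipped as outbound: IN= is empty, OUT=eth0 is set, and 10.0.0.53 talking to 224.0.0.251:5353 is local mDNS multicast. A filter like this one would drop them for that reason whatever the actual cause of the poster's zero-line imports was, while the D-Link events and the inbound iptables TCP line pass. The ICMP line is skipped unless accept_icmp=True, mirroring the policy change Johannes describes.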


