[Dshield] Iptables parsing

Don don at thewilders.org
Fri Jun 10 21:02:56 GMT 2005


> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of David Cary Hart
> On Fri, 2005-06-10 at 07:25 -0400, Don wrote:
> > Thanks all,
> > 
> > I found my error... Was in my firewall script. I wasn't logging 
> > anything except ICMP special types.
> > 
> > Perhaps the ICMP rejects could be added to the "Dshield Submission 
> > Confirmation Reports" as rejected? I saw log lines going in and 
> > nothing being added or rejected, so I thought something was wrong 
> > with the parser. I was however seeing the ICMP being rejected in 
> > the Dlink logs that were submitted so perhaps it's just the 
> > Iptables parser at dshield that needs the patch. :)
> > 
> Too many cycles and too much bandwidth for too little benefit IMO.

Why do you say that? Didn't Johannes in a previous post wonder how much ICMP
traffic was there? Even if it were just a count of lines rejected it would
be a good metric to have. And it would keep people from wondering (like I
did) why they were submitting several lines of log entries only to get back
that 0 lines were accepted and 0 lines were rejected.

BTW: This does work in the dlink reports which is another factor that really
confused me. 

I would be willing to volunteer my time to modify the iptables parser to at
least count the ICMP lines of submission... Or re-write the client
iptables.pl to ignore ICMP events altogether so it doesn't even get to the
DSHIELD servers.

> -- 
> Multi-RBL Check:         http://www.TQMcube.com/rblcheck.htm
> Kill Spam at the Source: http://www.TQMcube.com/spam_trap.htm
> Today's Spam Trap Adds:  http://www.TQMcube.com/BlockedToday
> RBLDNSD HowTo:           http://www.TQMcube.com/rbldnsd.htm
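The counting idea proposed in the message above, as an added example that is not part of the original post and is not DShield's parser or the iptables.pl client. It is written in Python rather than Perl; the category names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the kernel's netfilter LOG format (documentation addresses).
SAMPLE_LOG = """\
Jun 10 07:01:12 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=40122 DPT=22 SYN
Jun 10 07:01:15 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0 ID=3345 SEQ=1
Jun 10 07:01:19 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=78 TTL=110 PROTO=UDP SPT=1026 DPT=137 LEN=58
Jun 10 07:01:20 fw sshd[411]: Connection closed by 192.0.2.10
Jun 10 07:01:31 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=56 TTL=49 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.51.100.5 DST=192.0.2.77 LEN=28 PROTO=UDP SPT=53 DPT=4000]
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")
EMBEDDED = re.compile(r"\[.*\]")  # inner packet quoted inside ICMP error lines


def classify(line):
    """Return (category, record); record is None unless category is 'accepted'."""
    if "kernel:" not in line or "SRC=" not in line:
        return "not_firewall", None
    # Drop the bracketed inner header first, otherwise an ICMP error line
    # would be read as the TCP/UDP packet it is quoting.
    fields = {}
    for key, value in KV.findall(EMBEDDED.sub("", line)):
        fields.setdefault(key, value)  # first occurrence wins (LEN repeats for UDP)
    if fields.get("PROTO") == "ICMP":
        return "icmp", None
    wanted = ("SRC", "DST", "PROTO", "SPT", "DPT")
    if all(fields.get(k) for k in wanted):
        return "accepted", {k: fields[k] for k in wanted}
    return "unparsed", None


def summarize(log_text):
    """Count every line by category so ICMP is reported instead of vanishing."""
    counts, records = Counter(), []
    for line in log_text.splitlines():
        category, record = classify(line)
        counts[category] += 1
        if record:
            records.append(record)
    return counts, records


if __name__ == "__main__":
    counts, records = summarize(SAMPLE_LOG)
    for category in ("accepted", "icmp", "unparsed", "not_firewall"):
        print(f"{category:13} {counts[category]}")
```

Run client-side, the same classification can either report the ICMP count alongside the submission or drop those lines before anything is sent.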
