[Dshield] DShield Database Incomplete?

Eric_D eric_d100 at yahoo.com
Sun Oct 9 17:31:02 GMT 2005


I'm experiencing similar discrepancies; I don't know
if they are related or not. Looking at my converted
logs from CVTWIN, a large percentage of entries are
rejected by some timing problem. I haven't seen any
port 12914's.

I've contacted "Wayne Larmon" <wlarmon at dshield.org>
about a timing or time-sync problem. I was wondering
if other people were affected and not just me and my
firewall logs (8Signs). What's puzzling is that it's
not consistent with the rejected time stamps: this
chunk of CVTWIN rejected lines has a rejected time
stamp of 2005-10-09 05:29:30 that I converted this
morning, but it does appear to be random. I don't know
why it picked 05:29:30 today, as on other days
previously that I converted, the rejected time stamp
was different. The occupants of the house, including
the cats, were in deep slumber at 05:29:30 this
morning.
CVTWIN log:
2005-10-09 03:30:02 (8Signs Firewall) Converted 17
lines. Last line: 2005-10-09 03:18:07 -07:00 -noui
2005-10-09 03:30:11 Email sent to reports at dshield.org.
 17 log lines 
2005-10-09 04:30:03 (8Signs Firewall) Converted 19
lines. Last line: 2005-10-09 04:26:43 -07:00 -noui
2005-10-09 04:30:05 Email sent to reports at dshield.org.
 19 log lines 
2005-10-09 05:30:02 (8Signs Firewall) Converted 25
lines. Last line: 2005-10-09 05:29:30 -07:00 -noui
2005-10-09 05:30:04 Email sent to reports at dshield.org.
 25 log lines 
------
today's CVTWIN rejected lines sample:
2005/10/09, 02:06:04.305, GMT -0700, 2010, Device 1,
Blocked incoming UDP packet (no matching rule),
src=61.188.214.6, dst=206.124.131.47, sport=1364,
dport=1434
Rejected: 2005-10-09 02:06:04 -07:00 is earlier than
2005-10-09 05:29:30 -07:00
2005/10/08, 21:09:42.526, GMT -0700, 2010, Device 1,
Blocked incoming UDP packet (no matching rule),
src=221.208.208.14, dst=206.124.131.47, sport=33059,
dport=1027
Rejected: 2005-10-08 21:09:42 -07:00 is earlier than
2005-10-09 05:29:30 -07:00
2005/10/07, 21:23:32.373, GMT -0700, 2010, Device 1,
Blocked incoming UDP packet (no matching rule),
src=221.208.208.14, dst=206.124.131.2, sport=33002,
dport=1026
Rejected: 2005-10-07 21:23:32 -07:00 is earlier than
2005-10-09 05:29:30 -07:00
2005/10/06, 04:42:30.043, GMT -0700, 2010, Device 1,
Blocked incoming UDP packet (no matching rule),
src=202.111.173.41, dst=206.124.131.229, sport=53708,
dport=1027
Rejected: 2005-10-06 04:42:30 -07:00 is earlier than
2005-10-09 05:29:30 -07:00
2005/10/05, 19:56:25.125, GMT -0700, 2010, Device 1,
Blocked incoming UDP packet (no matching rule),
src=221.5.251.219, dst=206.124.131.83, sport=33956,
dport=1026
Rejected: 2005-10-05 19:56:25 -07:00 is earlier than
2005-10-09 05:29:30 -07:00
2005/10/04, 19:21:05.792, GMT -0700, 2124, Device 1,
Blocked TCP packet from banned IP, src=206.124.131.7,
dst=206.124.131.193, sport=4463, dport=135
Rejected: 2005-10-04 19:21:05 -07:00 is earlier than
2005-10-09 05:29:30 -07:00
2005/10/03, 19:43:20.694, GMT -0700, 2010, Device 1,
Blocked incoming UDP packet (no matching rule),
src=61.147.118.211, dst=206.124.131.59, sport=57069,
dport=1026
Rejected: 2005-10-03 19:43:20 -07:00 is earlier than
2005-10-09 05:29:30 -07:00

Eric Dickinson
------
> From: "Jon R. Kibler" <Jon.Kibler at aset.com>
> Subject: [Dshield] DShield Database Incomplete?
> Also, port 12914 scans.
> Date: Sat, 08 Oct 2005 07:42:06 -0400
> To: list at lists.dshield.org
> 
> Greetings:
> 
> I know that this is not the first time that I have
> posted on this topic... but, the problem seems to
> still be a problem.
> 
> It appears that the DShield database is not
> capturing all the records submitted. I submit log
> records hourly. The number of records I submit for a
> given day never seems to agree with our internal
> reports -- which have been verified against our
> DShield submissions. DShield always seems to only
> have a small fraction of our submittals.
> 
> For example, yesterday's DShield Report Summary:
> > For 2005-10-07 you submitted 3360 packets from 793
> sources hitting 39 targets.
> 
>  From our own internal reports:
> > Analysis of router log intrusion statistics for:
> Oct  7
> > Total log records:	      8793
> > Total packets:	     13709
> > 
> > Unique sources:	      1719
> > Unique destinations:	        42
> > 
> > 
> > Packets by type:
> > 	tcp	     11829
> > 	icmp	      1615
> > 	udp	       265
> > 
> > 	TOTAL	     13709
> 
> Needless to say, they don't even come close to
> agreeing!
> 
> What got me checking again were scans to the
> external interface of one of our routers for a small
> netblock. I was seeing scans on port 12914 and I had
> no idea what was up, so I went to DShield Port
> Report to check it out. For yesterday it showed:
> >    Date    Sources	    Targets	     Records
> > 2005-10-07 	15 		7		39
> 
> Well, that was fewer sources and records than I knew
> I had -- but for 7x the number of targets... so,
> obviously a problem! Here's what my logs show were
> submitted to DShield:
> > $ router.count-port-sources 12914 'Oct  7'
> > SOURCES FOR SCANS ON PORT 12914
> >    9 61.172.245.247
> >    8 221.212.109.202
> >    7 202.103.178.130
> >    6 202.103.178.212
> >    3 222.188.127.29
> >    2 60.190.127.82
> >    2 222.191.251.104
> >    2 220.232.130.219
> >    2 218.22.154.37
> >    1 61.188.39.37
> >    1 222.217.221.85
> >    1 222.174.66.237
> >    1 221.231.121.33
> >    1 221.231.109.80
> >    1 219.128.2.230
> >    1 202.103.213.138
> >   16 Sources
> >   48 Packets
> > $ router.count-port-destinations 12914 'Oct  7'
> > DESTINATIONS FOR SCANS ON PORT 12914
> >   48 63.113.60.42
> >    1 Targets
> >   48 Packets
> 
> 
> Even if the DShield database had not completely
> updated at the time the daily reports were run,
> checking prior days shows similar discrepancies.
> 
> Questions:
> 	What is the problem?
> 	What is the fix?
> 	Does anyone have a clue what port 12914 scans are
> about?
> 
> Here is the raw data from yesterday:
> > Oct  7 01:09:39 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 02:19:42 border6837 list 110 denied tcp
> 202.103.178.130(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 02:25:41 border6837 list 110 denied tcp
> 202.103.178.130(7000) -> 63.113.60.42(12914), 6
> packets
> > Oct  7 02:26:36 border6837 list 110 denied tcp
> 202.103.178.212(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 02:31:41 border6837 list 110 denied tcp
> 202.103.178.212(7000) -> 63.113.60.42(12914), 5
> packets
> > Oct  7 04:18:50 border6837 list 110 denied tcp
> 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
> > Oct  7 04:57:37 border6837 list 110 denied tcp
> 222.174.66.237(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 06:52:22 border6837 list 110 denied tcp
> 221.231.121.33(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 07:07:50 border6837 list 110 denied tcp
> 60.190.127.82(7000) -> 63.113.60.42(12914), 1 packet
> > Oct  7 07:17:26 border6837 list 110 denied tcp
> 219.128.2.230(21) -> 63.113.60.42(12914), 1 packet
> > Oct  7 07:24:12 border6837 list 110 denied tcp
> 221.212.109.202(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 07:29:50 border6837 list 110 denied tcp
> 221.212.109.202(7000) -> 63.113.60.42(12914), 7
> packets
> > Oct  7 07:47:01 border6837 list 110 denied tcp
> 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
> > Oct  7 07:52:51 border6837 list 110 denied tcp
> 218.22.154.37(7000) -> 63.113.60.42(12914), 1 packet
> > Oct  7 08:07:10 border6837 list 110 denied tcp
> 61.188.39.37(7000) -> 63.113.60.42(12914), 1 packet
> > Oct  7 09:25:27 border6837 list 110 denied tcp
> 221.231.109.80(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 10:01:02 border6837 list 110 denied tcp
> 222.188.127.29(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 10:06:54 border6837 list 110 denied tcp
> 222.188.127.29(7000) -> 63.113.60.42(12914), 2
> packets
> > Oct  7 10:46:05 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 10:51:56 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 11:03:18 border6837 list 110 denied tcp
> 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 11:08:56 border6837 list 110 denied tcp
> 222.191.251.104(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 11:20:41 border6837 list 110 denied tcp
> 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 11:25:57 border6837 list 110 denied tcp
> 220.232.130.219(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 15:02:48 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 15:08:03 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 16:01:14 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 16:07:05 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 18:51:02 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 18:56:09 border6837 list 110 denied tcp
> 61.172.245.247(80) -> 63.113.60.42(12914), 1 packet
> > Oct  7 22:24:26 border6837 list 110 denied tcp
> 202.103.213.138(7000) -> 63.113.60.42(12914), 1
> packet
> > Oct  7 23:56:37 border6837 list 110 denied tcp
> 222.217.221.85(7000) -> 63.113.60.42(12914), 1
> packet
> 
> Note that source ports are 80, 7000, and 21. Given
> how few port 7000 scans are reported in DShield,
> this doesn't seem to be backscatter...
> 
> Any thoughts, comments, questions, answers to my
> questions, etc. appreciated!
> 
> Jon Kibler
> --
> Jon R. Kibler
> A.S.E.T., Inc.
> Charleston, SC  USA
> 
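As an added example (my code, not CVTWIN's or DShield's), this Python re-implements the high-water-mark check that the "Rejected: ... is earlier than ..." messages above imply, and counts what it drops per log date so the loss can be set against a daily submission summary of the kind Jon compares. The 8Signs field layout is taken from the quoted lines; the sample lines, the exact watermark rule (anything at or before the last-sent timestamp is dropped as a presumed duplicate) and `lost_per_day` are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the 8Signs format quoted in the post (RFC 5737 test addresses, not real traffic).
SAMPLE_LINES = [
    "2005/10/09, 05:31:10.004, GMT -0700, 2010, Device 1, Blocked incoming UDP packet (no matching rule), src=192.0.2.10, dst=198.51.100.5, sport=1364, dport=1434",
    "2005/10/09, 02:06:04.305, GMT -0700, 2010, Device 1, Blocked incoming UDP packet (no matching rule), src=192.0.2.11, dst=198.51.100.5, sport=1364, dport=1434",
    "2005/10/08, 21:09:42.526, GMT -0700, 2010, Device 1, Blocked incoming UDP packet (no matching rule), src=192.0.2.12, dst=198.51.100.5, sport=33059, dport=1027",
    "2005/10/09, 05:29:30.000, GMT -0700, 2124, Device 1, Blocked TCP packet from banned IP, src=192.0.2.13, dst=198.51.100.5, sport=4463, dport=135",
]

LINE_RE = re.compile(r"^(?P<date>\d{4}/\d{2}/\d{2}), (?P<time>\d{2}:\d{2}:\d{2})\.\d+, GMT (?P<tz>[+-]\d{4}), "
                     r"\d+, [^,]+, .+?, src=(?P<src>[\d.]+), dst=(?P<dst>[\d.]+), sport=(?P<sport>\d+), dport=(?P<dport>\d+)$")

def parse_line(line):
    """Parse one 8Signs line into a record whose timestamp carries the logged UTC offset."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    tz = m["tz"]  # e.g. "-0700": the firewall logs local time plus its UTC offset
    sign = -1 if tz[0] == "-" else 1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=offset)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "sport": int(m["sport"]), "dport": int(m["dport"])}

def fmt(ts):
    """Render a timestamp the way the rejection message does: 2005-10-09 02:06:04 -07:00."""
    return ts.strftime("%Y-%m-%d %H:%M:%S ") + ts.isoformat()[-6:]

def convert(lines, last_sent):
    """High-water-mark filter (assumed rule): lines not newer than the last one already sent are dropped as duplicates."""
    accepted, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(("Unparsed line", line))
        elif rec["ts"] <= last_sent:
            rejected.append((f"Rejected: {fmt(rec['ts'])} is earlier than {fmt(last_sent)}", line))
        else:
            accepted.append(rec)
    new_mark = max((r["ts"] for r in accepted), default=last_sent)
    return accepted, rejected, new_mark

def lost_per_day(rejected):
    """Count dropped lines per log date, to set against the daily submission summary."""
    counts = {}
    for _reason, line in rejected:
        day = line.split(",")[0].replace("/", "-")
        counts[day] = counts.get(day, 0) + 1
    return counts
```

Out-of-order or late-written entries older than the watermark are lost rather than resubmitted, which is one way a submitter's own counts can exceed what the database records.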



		