[Dshield] Question about DShield log parsing

Johannes B. Ullrich jullrich at sans.org
Fri Jan 13 03:49:37 GMT 2006

Pete Cap wrote:

> I had a quick question about how logs are processed for DShield.
> When you submit a log, and you traffic is analyzed to be added to the port summaries, does it include both incoming and outgoing traffic?
> I mean, if you have a webserver then you would expect to submit a lot of port 80 hits.  What if you just have a lot of guys who surf the internet all day?  The destination port in all those transactions is going to be 80--so would it show up the same as if you were hosting a busy webserver?
The DShield database has no concept of what is 'inbound' or 'outbound'
for you. Any filtering like this has to be done before submitting the data.
The "busy web server" scenario is real, and a common reason for 'false
positives' in our database.

however, we can not just ignore data from port 80 to a high port, as it
is also one way to bypass bad firewall rules or hide malicious traffic.

Its actually important that we do not clean up "false positives". Any
changes in this type of traffic are still of interest. For example if
you look at P2P traffic afterglow. A couple of our top 10 ports are
typically P2P traffic.

We will however eliminate such reports from 'fightback'. If something
sticks out, then we will follow up manually to see whats going on. (e.g.
if its a busy web site or not).

> Just wondering...
> Regards,
> Pete
>Yahoo! Photos
> Ring in the New Year with Photo Calendars. Add photos, events, holidays, whatever.
>Learn about Intrusion Detection in Depth from the comfort of your own couch:
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS 

"We use [isc.sans.org] every day to keep on top of 
 security at our bank" Matt, Network Administrator. 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20060112/eb3743f6/signature.bin

More information about the list mailing list