[Dshield] Question about DShield log parsing

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Fri Jan 13 07:25:04 GMT 2006

On 12.1.2006 23:45 (UTC+2), Pete Cap wrote:
>  I had a quick question about how logs are processed for DShield.
>  When you submit a log, and your traffic is analyzed to be added to the port summaries, does it include both incoming and outgoing traffic?
>  I mean, if you have a webserver then you would expect to submit a lot of port 80 hits.  What if you just have a lot of guys who surf the internet all day?  The destination port in all those transactions is going to be 80--so would it show up the same as if you were hosting a busy webserver?

Are you referring to invalid packets received (and hence blocked by the
FW) or possibly something else?

Remember, only *blocked* traffic is reported in the first place.

Missing something in the post?

-Pete

          "Knowledge is proud that he has learned so much;
               Wisdom is humble that he knows no more."
            William Cowper (1731 - 1800); English poet
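As an added illustration of the point above (only *blocked* traffic is reported, and direction matters), here is a small summarizer that is not the list's or DShield's own code: it reads constructed firewall log lines in an assumed key=value format, skips accepted traffic such as users browsing to port 80, and tallies blocked hits per destination port separately for inbound and outbound, using an assumed local address range.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines in an assumed key=value format (not DShield's own format).
# Two of the lines are ACCEPTed outbound web browsing; they must not reach the summary.
SAMPLE_LOG = """\
ACTION=DROP SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51234 DPT=80
ACTION=ACCEPT SRC=192.0.2.20 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=80
ACTION=ACCEPT SRC=192.0.2.21 DST=198.51.100.8 PROTO=TCP SPT=40002 DPT=80
ACTION=DROP SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=4444 DPT=22
ACTION=DROP SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP SPT=51235 DPT=80
ACTION=DROP SRC=192.0.2.22 DST=203.0.113.50 PROTO=TCP SPT=40003 DPT=25
"""

# Assumed local network; anything with a source inside it is treated as outbound.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_line(line):
    """Split one 'KEY=VALUE KEY=VALUE ...' log line into the fields we need."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "action": fields["ACTION"],
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "dport": int(fields["DPT"]),
    }


def summarize(log_text, local_net=LOCAL_NET):
    """Return (inbound, outbound) Counters of blocked hits keyed by destination port.

    Accepted traffic is dropped from the summary entirely, so a site full of
    web surfers contributes no port-80 entries; only blocked packets count.
    Blocked traffic is split by direction so inbound probes against a
    web server are not mixed with blocked outbound connections.
    """
    inbound, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "DROP":  # only blocked traffic is reported
            continue
        if rec["src"] in local_net:
            outbound[rec["dport"]] += 1
        else:
            inbound[rec["dport"]] += 1
    return inbound, outbound


if __name__ == "__main__":
    blocked_in, blocked_out = summarize(SAMPLE_LOG)
    print("blocked inbound by dport:", dict(blocked_in))    # {80: 2, 22: 1}
    print("blocked outbound by dport:", dict(blocked_out))  # {25: 1}
```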

