[Dshield] Question about DShield log parsing
peter.stendahl-juvonen at welho.com
Fri Jan 13 07:25:04 GMT 2006
On 12.1.2006 23:45 (UTC+2), Pete Cap wrote:
> I had a quick question about how logs are processed for DShield.
> When you submit a log, and your traffic is analyzed to be added to the port summaries, does it include both incoming and outgoing traffic?
> I mean, if you have a webserver then you would expect to submit a lot of port 80 hits. What if you just have a lot of guys who surf the internet all day? The destination port in all those transactions is going to be 80--so would it show up the same as if you were hosting a busy webserver?
Are you referring to invalid packets received (and hence blocked by the
FW) or possibly something else?
Remember, only *blocked* traffic is reported in the first place.
Missing something in the post?
"Knowledge is proud that he has learned so much;
Wisdom is humble that he knows no more."
William Cowper (1731 - 1800); English poet
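To illustrate the point made in the reply above (only blocked traffic enters the port summary, so allowed outbound browsing does not count as port-80 hits), here is an added example that is not part of the original thread and is not DShield's own parser. The log lines are constructed in an iptables-like format assumed for the example, not DShield's submission format.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed iptables-like layout (not real DShield data).
# Fields: action, direction, source, destination, protocol, destination port.
SAMPLE_LOG = """\
ACCEPT OUT SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80
ACCEPT OUT SRC=192.0.2.11 DST=198.51.100.9 PROTO=TCP DPT=80
ACCEPT IN SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=80
DROP IN SRC=203.0.113.20 DST=192.0.2.1 PROTO=TCP DPT=80
DROP IN SRC=203.0.113.21 DST=192.0.2.1 PROTO=TCP DPT=445
DROP IN SRC=203.0.113.22 DST=192.0.2.1 PROTO=TCP DPT=445
DROP OUT SRC=192.0.2.12 DST=198.51.100.3 PROTO=UDP DPT=137
"""

LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP|REJECT)\s+(?P<dir>IN|OUT)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def blocked_port_summary(log_text, inbound_only=True):
    """Count blocked packets per (protocol, destination port).
    Accepted packets are skipped, mirroring the rule that only blocked
    traffic is reported; by default only inbound blocks are tallied."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] == "ACCEPT":
            continue
        if inbound_only and rec["dir"] != "IN":
            continue
        counts[(rec["proto"], int(rec["dpt"]))] += 1
    return counts

def port_hits(log_text, dport):
    """Return (accepted, blocked) packet counts for one destination port,
    showing how much port-80 traffic never reaches the summary at all."""
    accepted = blocked = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or int(rec["dpt"]) != dport:
            continue
        if rec["action"] == "ACCEPT":
            accepted += 1
        else:
            blocked += 1
    return accepted, blocked
```

With the sample above, three of the four port-80 packets are accepted browsing or web-server traffic and never appear; only the single dropped inbound probe to port 80 is counted.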