[Dshield] Question about DShield log parsing

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Fri Jan 13 07:25:04 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12.1.2006 23:45 (UTC+2), Pete Cap wrote:
>  
>  I had a quick question about how logs are processed for DShield.
>  
>  When you submit a log, and your traffic is analyzed to be added to the port summaries, does it include both incoming and outgoing traffic?
>  
>  I mean, if you have a webserver then you would expect to submit a lot of port 80 hits.  What if you just have a lot of guys who surf the internet all day?  The destination port in all those transactions is going to be 80--so would it show up the same as if you were hosting a busy webserver?
>  

Are you referring to invalid packets received (and hence blocked by the
FW) or possibly something else?

Remember, only *blocked* traffic is reported in the first place.

Missing something in the post?

- -Pete



          "Knowledge is proud that he has learned so much;
               Wisdom is humble that he knows no more."
            William Cowper (1731 - 1800); English poet


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDx1XQQ21KCihDnSQRAucJAJ9YKEf7HqKyAVASi/xK/eTLmusPzQCfcbtn
Ik+Ssb/WCe+h4elYozDuuic=
=MS2i
-----END PGP SIGNATURE-----
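The point of the reply above is that the submitted data only ever contains traffic the firewall blocked, so a LAN full of people browsing on port 80 contributes nothing as long as those sessions are allowed. As an added illustration (not code from this thread or from the DShield client), here is a small Python filter over constructed firewall log lines in iptables LOG style; the DROP/ACCEPT prefixes, the eth0 (external) and eth1 (internal) interface names and the idea of keying on the inbound interface are assumptions made for this example:

```python
import re
from collections import Counter

# Constructed sample log in the style of iptables LOG output (not real
# submissions).  The DROP/ACCEPT prefix and the eth0 (external) / eth1
# (internal) interface names are assumptions for this example only.
SAMPLE_LOG = """\
Jan 13 07:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40123 DPT=80
Jan 13 07:01:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40124 DPT=80
Jan 13 07:01:04 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80
Jan 13 07:01:05 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.51 DST=203.0.113.6 PROTO=TCP SPT=51001 DPT=80
Jan 13 07:01:06 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40125 DPT=22
Jan 13 07:01:07 gw kernel: DROP IN=eth1 OUT=eth0 SRC=192.0.2.52 DST=203.0.113.7 PROTO=TCP SPT=51002 DPT=25
"""

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield one dict per recognisable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["spt"] = int(rec["spt"])
        rec["dpt"] = int(rec["dpt"])
        yield rec


def hits_by_dport(text):
    """Every logged packet, allowed or blocked, keyed by destination port.

    This is the naive count the question worries about: outbound browsing
    and inbound probes both land on port 80 and are indistinguishable here.
    """
    return Counter(rec["dpt"] for rec in parse_lines(text))


def blocked_inbound_by_dport(text, external_if="eth0"):
    """Only packets the firewall dropped on the external interface.

    This is the subset a blocked-traffic summary is built from: the LAN's
    own accepted web sessions never appear, and neither does an egress
    block on the internal side (the port-25 line in the sample).
    """
    return Counter(
        rec["dpt"]
        for rec in parse_lines(text)
        if rec["action"] == "DROP" and rec["in_if"] == external_if
    )


if __name__ == "__main__":
    print("all packets by dport:    ", dict(hits_by_dport(SAMPLE_LOG)))
    print("blocked inbound by dport:", dict(blocked_inbound_by_dport(SAMPLE_LOG)))
```

Run on the constructed sample, the naive count shows four port-80 hits while the blocked-inbound count shows two, which is the difference between "a busy web server being probed" and "a busy office browsing the web". Whatever the real log source, the same two filters (action and direction) are what keep a submitter's own outbound activity out of the summary.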

