[Dshield] Question about DShield log parsing

Jean-Pierre Schwickerath dshield at hilotec.net
Fri Jan 13 11:33:29 GMT 2006


>  When you submit a log, and your traffic is analyzed to be added to the
>  port summaries, does it include both incoming and outgoing traffic?
>  I mean, if you have a webserver then you would expect to submit a lot
>  of port 80 hits.  What if you just have a lot of guys who surf the
>  internet all day?  The destination port in all those transactions is
>  going to be 80--so would it show up the same as if you were hosting a
>  busy webserver?

You should submit only suspicious traffic. If you run a web server then
you better not submit all traffic but only the log lines related to
accesses that try to exploit your webserver (wrong usernames and/or
passwords, known exploits, strange requests, ...).

If you submit your outgoing connections then it's not of much use, as you
know who is accessing strange sites and you can directly take
consequences against your users, can't you?



HILOTEC Engineering + Consulting GmbH
Energietechnik und Datensysteme
Tel: +41 34 402 74 00 - http://www.hilotec.com/
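An added example, not part of the original post or of DShield's own tooling, of the kind of pre-filter the reply recommends: read Apache/nginx "combined" access-log lines and keep only the ones that match the reply's criteria (failed authentication, strange or malformed requests, requests the server rejected), dropping the ordinary browsing that would otherwise inflate port 80 counts. The log format, the sample lines and the `classify`/`filter_for_submission` names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Assumed input format: Apache/nginx "combined" access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (raw string so the "\x16" in the last line stays literal,
# the way a web server would write a non-HTTP request it could not parse).
SAMPLE_LOG = r"""
203.0.113.10 - - [13/Jan/2006:11:00:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jan/2006:11:00:02 +0100] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - bob [13/Jan/2006:11:02:14 +0100] "GET /admin/ HTTP/1.1" 401 412 "-" "curl/7.15"
198.51.100.7 - - [13/Jan/2006:11:02:15 +0100] "GET /../../etc/passwd HTTP/1.0" 404 301 "-" "-"
198.51.100.7 - - [13/Jan/2006:11:02:16 +0100] "GET /cgi-bin/%2e%2e/%2e%2e/bin/sh HTTP/1.0" 404 301 "-" "-"
192.0.2.44 - - [13/Jan/2006:11:05:00 +0100] "POST /cgi-bin/formmail.pl HTTP/1.0" 403 0 "-" "-"
192.0.2.45 - - [13/Jan/2006:11:06:00 +0100] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jan/2006:11:07:00 +0100] "\x16\x03\x01" 400 0 "-" "-"
"""

# Methods a plain content site is expected to see; anything else counts as strange.
NORMAL_METHODS = ("GET", "HEAD", "POST")

# Status codes that mean the server itself refused or choked on the request.
REJECTED_STATUSES = (400, 403, 405, 414, 500)


def classify(line):
    """Return a short reason if the line is worth submitting, or None if it is ordinary traffic.

    The checks follow the reply's list: wrong credentials, strange requests,
    and requests the server rejected. Plain 404s are deliberately not flagged,
    because broken links produce too many of them to be useful on their own.
    """
    m = LOG_RE.match(line)
    if not m:
        # A request line the server could not even log in HTTP form.
        return "unparseable request line"
    status = int(m["status"])
    method = m["method"]
    # Decode once so percent-encoded dots ("%2e%2e") are seen as "..".
    path = unquote(m["path"])
    if status == 401:
        return "failed authentication"
    if ".." in path or "\x00" in path:
        return "path traversal attempt"
    if method not in NORMAL_METHODS:
        return "unusual method %s" % method
    if status in REJECTED_STATUSES:
        return "rejected request (HTTP %d)" % status
    return None


def filter_for_submission(log_text):
    """Return a list of (reason, line) pairs for the lines that should be submitted."""
    kept = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reason = classify(line)
        if reason:
            kept.append((reason, line))
    return kept


if __name__ == "__main__":
    for reason, line in filter_for_submission(SAMPLE_LOG):
        print("%-30s %s" % (reason, line))
```

On the constructed sample the filter keeps five of the eight lines (the failed login, the two traversal probes, the refused POST and the non-HTTP request) and drops the three ordinary page loads, which is the split the reply is asking submitters to make before sending anything in. A real deployment would feed the server's live log through `filter_for_submission` and submit only the kept lines.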
