SANS ISC: Packet numbers different in various Dshield reports SANS ISC InfoSec Forums

Packet numbers different in various Dshield reports
Gentlemen;

Every morning about 07:00 local, I submit packets. Recently, the reports I receive from Dshield show vastly different numbers of packets being acknowledged. Am I doing something wrong?


For example, for Saturday 2015/04/17, I received these two messages:

From: admin@dshield.org at 17/04/2015 07:15
Subject: DShield Submission Confirmation
Authorized Userid: 1016641719
Format: DSHIELD
Timezone: -04:00
Lines in file: 714
Lines rejected: 8
Unique lines written to database: 558


From: bounces@dshield.org at 04/18/2015 02:47
Subject: Daily DShield Report 2015/04/17
Day: 2015-04-17
Userid: 1016641719
For 2015-04-17 you submitted 11 packets from 7 sources hitting 1 targets.

Any idea why the number of packets / Lines in file are so vastly different in these reports?

Gord
Telserv

5 Posts
For those who may be having the same issue, this was simply due to the fact that we do not import ICMP packets that are submitted.

Alex Stanford

136 Posts
The final solution to this problem is to put in a filter under
Edit | Edit Line Exclusion Filters to exclude ICMP, or in my case,
Edit | Edit Line Inclusion Filters, and add "pppoe0" as required text in every line that I send to DShield.

Thanks Alex
Telserv

5 Posts
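
The filtering described in this thread can be checked locally before submitting. The sketch below is an added example, not code from the thread or from the DShield client: the log line format, the function names and the filter semantics (a line is kept only if it contains every inclusion string and no exclusion string) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (illustrative format, not taken from the thread).
SAMPLE_LOG = """\
Apr 17 06:01:10 fw pppoe0 DROP proto=ICMP src=203.0.113.5 dst=198.51.100.2 type=8
Apr 17 06:01:11 fw pppoe0 DROP proto=TCP src=203.0.113.9 spt=40112 dst=198.51.100.2 dpt=23
Apr 17 06:02:40 fw em1 DROP proto=UDP src=192.168.1.20 spt=5353 dst=224.0.0.251 dpt=5353
Apr 17 06:03:02 fw pppoe0 DROP proto=ICMP src=203.0.113.77 dst=198.51.100.2 type=3
Apr 17 06:04:19 fw pppoe0 DROP proto=UDP src=203.0.113.40 spt=5060 dst=198.51.100.2 dpt=5060
Apr 17 06:05:55 fw pppoe0 DROP proto=TCP src=203.0.113.9 spt=40115 dst=198.51.100.2 dpt=22
""".splitlines()

PROTO_RE = re.compile(r"\bproto=(\w+)")


def protocol_of(line):
    """Return the upper-cased protocol name found in a log line, or UNKNOWN."""
    m = PROTO_RE.search(line)
    return m.group(1).upper() if m else "UNKNOWN"


def apply_line_filters(lines, include=(), exclude=()):
    """Keep a line only if it has every `include` string and no `exclude` string."""
    return [ln for ln in lines
            if all(s in ln for s in include) and not any(s in ln for s in exclude)]


def submission_summary(lines, include=(), exclude=(), not_imported=("ICMP",)):
    """Compare lines sent with lines expected to be imported (ICMP is not imported)."""
    kept = apply_line_filters(lines, include, exclude)
    by_proto = Counter(protocol_of(ln) for ln in kept)
    imported = sum(n for p, n in by_proto.items() if p not in not_imported)
    return {"lines_in_log": len(lines), "lines_sent": len(kept),
            "by_protocol": dict(by_proto), "expected_imported": imported}


if __name__ == "__main__":
    # No filters: ICMP lines are sent but will not show up in the daily report.
    print(submission_summary(SAMPLE_LOG))
    # Exclusion filter on ICMP: lines sent now matches lines expected to be imported.
    print(submission_summary(SAMPLE_LOG, exclude=("proto=ICMP",)))
    # Inclusion filter on the external interface plus the ICMP exclusion.
    print(submission_summary(SAMPLE_LOG, include=("pppoe0",), exclude=("proto=ICMP",)))
```

The sketch does not model the server-side de-duplication behind the "Unique lines written to database" figure, so it explains only the ICMP part of the gap.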
