
SANS ISC: Packet numbers different in various Dshield reports SANS ISC InfoSec Forums

Packet numbers different in various Dshield reports

Every morning about 07:00 local, I submit packets. Recently, the reports I receive from Dshield show vastly different numbers of packets being acknowledged. Am I doing something wrong?

For example, for Saturday 2015/04/17, I received these two messages:

From: at 17/04/2015 07:15
Subject: DShield Submission Confirmation
Authorized Userid: 1016641719
Timezone: -04:00
Lines in file: 714
Lines rejected: 8
Unique lines written to database: 558

From: at 04/18/2015 02:47
Subject: Daily DShield Report 2015/04/17
Day: 2015-04-17
Userid: 1016641719
For 2015-04-17 you submitted 11 packets from 7 sources hitting 1 targets.

Any idea why the number of packets / Lines in file are so vastly different in these reports?


5 Posts
For those who may be having the same issue, this was simply due to the fact that we do not import ICMP packets that are submitted.

Alex Stanford

136 Posts
The final solution to this problem is to put in a filter under
Edit | Edit Line Exclusion Filters to exclude ICMP, or in my case,
Edit | Edit Line Inclusion Filters, and add "pppoe0" as required text in every line that I send to DShield.

Thanks Alex

5 Posts
