
SANS ISC: InfoSec Handlers Diary Blog



We want your logs, obfuscated even.

Published: 2009-02-13
Last Updated: 2009-02-13 03:06:14 UTC
by Joel Esler (Version: 2)
0 comment(s)

We always have a banner on the webpage that says "We want your logs" or "How to submit your logs"; nonetheless, I want to encourage you explicitly to do so.

We love firewall logs from cable modems and home users, because they cover more end IP addresses and so give us more diversity; however, we would also like to make a call for large submissions: corporations, small businesses, etc. We don't even mind if you obfuscate your logs (there is a feature in the DShield firewall log submitter to do this!).

If you can, automate your submissions: an automatic upload every 6 hours or so is ideal.

The more logs we get, the more we can correlate, the more visibility we have into the "bad guys", and the more reactive research we can provide to the public as well.

We at the Internet Storm Center are currently working on a couple of projects to not only react to "bad traffic" (of all kinds!) better, but also let you interact with the data so you can better protect your networks and react to threats emerging from them. To work on this effectively we need more logs, and not only from firewalls: as our "How to submit your logs" page notes, we want logs from things like Snort, LaBrea, and routers as well. Again, please feel free to obfuscate. We aren't interested in YOUR IPs. We are interested in the IPs attacking and the ports being attacked.
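To make the obfuscation point concrete, here is an added example (not the DShield submitter's own code, and not from this diary) that rewrites a submitter's own addresses in iptables-style firewall log lines while leaving the attacking source address and the targeted port untouched. The log lines, the local network `192.0.2.0/24`, the pseudonym range `10.0.0.0/24`, and the class and function names are all constructed for the illustration; the log format is generic iptables syslog output, not the DShield submission format.

```python
import ipaddress
import re

# Constructed iptables-style firewall log lines (sample data, not real
# traffic). The submitter's own hosts live in 192.0.2.0/24; the attacking
# addresses are drawn from other documentation ranges.
SAMPLE_LOG = [
    "Feb 13 03:01:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4433 DPT=445",
    "Feb 13 03:01:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4434 DPT=445",
    "Feb 13 03:02:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1434",
]

# Matches the SRC= and DST= IPv4 fields of an iptables log line.
ADDR_FIELD = re.compile(r"\b(SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})\b")


class LogObfuscator:
    """Replaces the submitter's own addresses with stable pseudonyms.

    Addresses inside `local_nets` are rewritten to consecutive hosts in
    `pseudo_net`, in order of first appearance, so the same internal host
    always gets the same pseudonym and per-host patterns survive.
    Addresses outside `local_nets` (the attacking side) and all port
    fields are left exactly as logged.
    """

    def __init__(self, local_nets, pseudo_net="10.0.0.0/24"):
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.pseudo_hosts = ipaddress.ip_network(pseudo_net).hosts()
        self.mapping = {}  # real local address -> pseudonym (kept private)

    def is_local(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.local_nets)

    def pseudonym(self, addr):
        if addr not in self.mapping:
            self.mapping[addr] = str(next(self.pseudo_hosts))
        return self.mapping[addr]

    def obfuscate_line(self, line):
        def repl(match):
            field, addr = match.group(1), match.group(2)
            if self.is_local(addr):
                return f"{field}={self.pseudonym(addr)}"
            return match.group(0)  # attacking address: unchanged

        return ADDR_FIELD.sub(repl, line)

    def obfuscate(self, lines):
        return [self.obfuscate_line(line) for line in lines]


def attacker_summary(lines):
    """Count (source IP, destination port) pairs in (obfuscated) lines.

    This is the information the diary says the ISC cares about, and it
    is identical before and after obfuscation.
    """
    counts = {}
    for line in lines:
        src = re.search(r"\bSRC=(\S+)", line)
        dpt = re.search(r"\bDPT=(\d+)", line)
        if src and dpt:
            key = (src.group(1), int(dpt.group(1)))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    obf = LogObfuscator(local_nets=["192.0.2.0/24"])
    masked = obf.obfuscate(SAMPLE_LOG)
    for out in masked:
        print(out)
    print(attacker_summary(masked))
```

The mapping from real to pseudonymous addresses stays on the submitter's side; only the rewritten lines leave the network. Because the rewrite is consistent within a run, a scan that hits several internal hosts still shows up as several distinct targets in the submitted data.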

Currently we process about 10-20 million log entries a day. I'd like to AT LEAST double that; tripling or quadrupling it would be ideal.

Thanks!  Please submit your logs!  Click here to see how.

But first, please, make sure you are allowed to do so!

-- Joel Esler http://www.joelesler.net
