On Fri, Aug 5, 2011 at 13:03, Walter Hurry <walterhu...@lavabit.com> wrote:
> On Fri, 05 Aug 2011 11:59:51 -0400, shawn wilson wrote:
>
>> 1. How are you figuring the source country? If you're looking at the ip
>> in the handshake and comparing this to a db of ip / country, you're only
>> looking at half of the story. If you're a bit smarter and have a list of
>> border routers that country owns and are looking at that for the source
>> country, this is probably better.
>
> My router emails me with its log when it fills, with entries like these:
> Aug 4 07:52:42 | Drop TCP packet from WAN (src:58.218.199.250:12200,
> dst:nnn.nnn.nnn.nnn:nn) by default rule
> Aug 4 06:25:53 | Drop PING request from WAN (ip:200.164.216.90).
>
> I just have a small shell script which reads the emails, extracts the IP
> addresses and does a lookup on my Geo IP database. Nothing elaborate.
>
Darn, somehow my email got cut off. However, this pretty much showed half of what I'm getting at: the statistics don't mean much. Maybe the ping stats, but that's about it. Also (as has been stated here) you don't really 'know' what country this stuff is coming from, for many reasons. If you want some interesting stats, you might look into the 'Verizon breach report' (read their diagnosis and not just the charts too). This is for the US, so some information might not apply as much to you, however....

I have looked at these stats when monitoring Snort logs, and most of what you are probably seeing (most of what I saw) was not malicious data (and at that point, with an IDS, you think about how you might improve the rule so that you don't see that but still see bad stuff). What you are likely to see if you go into it is:

1. universities and governments mapping and scanning the internet (sorta fun to look at the source and read up on their projects)
2. badly written programs messing up, or malware, or kids messing around
3. people actually trying to accomplish something (I've never seen this in a Snort log)

I don't know that I have enough knowledge (or maybe I have not put enough thought into how to find what you want) to figure out how to benchmark what you think you have. However, I don't think that your numbers mean anything. They are numbers, yes, but IMO, meaningless.
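As an added example, not Walter's shell script or anything else from the thread, here is a Python parser for the two router record formats quoted above that aggregates drops per source IP, per record kind and per GeoIP country. FAKE_GEO_DB is a constructed stand-in for the real GeoIP database, and the third sample line is constructed; the country column reflects where the address is registered, which is exactly the limitation shawn points out.

```python
import re
from collections import Counter
from typing import Callable, Iterator

# Constructed sample in the router's format: the two records quoted in the thread
# plus one more constructed TCP drop so that aggregation has something to count.
SAMPLE_LOG = """\
Aug 4 07:52:42 | Drop TCP packet from WAN (src:58.218.199.250:12200, dst:nnn.nnn.nnn.nnn:nn) by default rule
Aug 4 06:25:53 | Drop PING request from WAN (ip:200.164.216.90).
Aug 4 07:53:10 | Drop TCP packet from WAN (src:58.218.199.250:12201, dst:nnn.nnn.nnn.nnn:nn) by default rule
"""

# Timestamp prefix shared by both record kinds, e.g. "Aug 4 07:52:42 | "
_TS = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \| "
# "Drop TCP packet from WAN (src:A.B.C.D:PORT, dst:W.X.Y.Z:PORT) by default rule";
# dst is matched loosely ([\w.]+) because the poster redacted it as nnn.nnn.nnn.nnn:nn.
PACKET_RE = re.compile(
    _TS + r"Drop (?P<proto>[A-Z]+) packet from WAN "
    r"\(src:(?P<src>[\d.]+):(?P<sport>\d+), dst:(?P<dst>[\w.]+):(?P<dport>\w+)\) by (?P<rule>.+)$"
)
# "Drop PING request from WAN (ip:A.B.C.D)."
PING_RE = re.compile(_TS + r"Drop PING request from WAN \(ip:(?P<src>[\d.]+)\)\.$")

def parse_drops(text: str) -> Iterator[dict]:
    """Yield one dict per recognised drop record; lines in any other format are skipped."""
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            yield {"kind": "packet", **m.groupdict()}
            continue
        m = PING_RE.match(line)
        if m:
            yield {"kind": "ping", "proto": "ICMP", **m.groupdict()}

# Stand-in for the GeoIP database: a constructed mapping, not real geolocation data.
FAKE_GEO_DB = {"58.218.199.250": "XX", "200.164.216.90": "YY"}

def fake_geo_lookup(ip: str) -> str:
    return FAKE_GEO_DB.get(ip, "unknown")

def summarize(text: str, geo_lookup: Callable[[str], str] = fake_geo_lookup) -> dict:
    """Count drops per source IP, per record kind and per country the source IP is
    registered to (where the address is allocated, not where the traffic originated)."""
    by_src, by_kind, by_country = Counter(), Counter(), Counter()
    for rec in parse_drops(text):
        by_src[rec["src"]] += 1
        by_kind[rec["kind"]] += 1
        by_country[geo_lookup(rec["src"])] += 1
    return {"by_src": by_src, "by_kind": by_kind, "by_country": by_country}
```

Swap `fake_geo_lookup` for a real lookup function to run it against the actual GeoIP database; the parser and counters do not change.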