I think it would be nice to have the option to submit our firewall logs to DShield.
Either triggered manually or an automatic daily submission.
I agree this would be a nice feature. A few other firewalls already have it.
I really don’t see the use of this; you won’t actually be telling anyone anything, except who tried to get to your public IP, which is probably changed dynamically by your ISP every time you initialize your modem/PC.
There are a number of file sharing programs and other software that would make IP/port scans, and hackers also, and you are not telling which is which, just some random statistics, mostly garbage for anyone if you think about it. Or what are you trying to accomplish with this suggestion?
DShield.org charts the ports scanned and the IP doing the scanning.
Using this data it’s easier to spot upcoming threats, how prevalent a threat is, who the biggest offenders are (for IP blacklists), etc…
You don’t find this information even slightly useful?
It would be if you knew which programs/apps those IP/port scans come from, or the intention of the scanner, but you can’t actually do this, can you? Maybe the port number tells a little about the intention, but it is not for sure. You try to pinpoint threats and the seriousness of them with data that reflect the activity of neither: not the former nor the latter.
How would you know which PCs are the offenders if, as I said in my previous post, the public IPs are dynamically changed for most if not all home PC users? The tracing is not always reliable, because some ISPs have firewalls/proxies behind their public IPs, and the home PC can also have a firewall/proxy. Also, some users run a few file sharing programs at the same time, making themselves look like port/IP scanning hackers while only sharing files.
As you can see, the usefulness of this data is far from accurate and would be a very raw estimate for a lot of submitted log info, so I really don’t know if they are going to bother receiving a bunch of data to make a rough estimate with a huge error margin.
Edit: this is one of the limitations of IPv4; this would be a success with IPv6 if the IPs get mapped correctly geographically.
At some point it is, as I wrote before; the question is how much, and I really don’t think the answer is “a lot”.
Every little bit helps. The more data they receive, the more accurate the picture.
Yes, there is a lot of superfluous data, but it’s not difficult to pick out the big offenders.
Really? How do you say?
Gee, I don’t know… An ISP that has a lot of traffic targeting specific ports is a bit of a giveaway. I’d imagine that’s how they set up their recommended IP blacklists.
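The two claims above, that DShield charts which ports are scanned and which IPs do the scanning, and that the big offenders are not hard to pick out, come down to a simple aggregation over blocked connections. The following is an added example, not code from the thread, from Comodo or from DShield: it parses a handful of constructed firewall log lines (a made-up format, not DShield’s submission format) and separates a host touching many distinct targets from a host repeatedly hitting one peer on one port, which is the file sharing case raised earlier in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (made up for this example; not real
# traffic and not DShield's submission format). Fields: timestamp, action,
# protocol, source IP:port -> destination IP:port.
SAMPLE_LOG = """\
2024-05-01 10:00:01 BLOCK TCP 203.0.113.7:51234 -> 192.0.2.10:445
2024-05-01 10:00:02 BLOCK TCP 203.0.113.7:51235 -> 192.0.2.11:445
2024-05-01 10:00:03 BLOCK TCP 203.0.113.7:51236 -> 192.0.2.12:445
2024-05-01 10:00:04 BLOCK TCP 203.0.113.7:51237 -> 192.0.2.13:445
2024-05-01 10:00:05 BLOCK UDP 198.51.100.5:6881 -> 192.0.2.10:6881
2024-05-01 10:00:06 BLOCK UDP 198.51.100.5:6881 -> 192.0.2.10:6881
2024-05-01 10:00:07 BLOCK TCP 198.51.100.9:40000 -> 192.0.2.10:22
2024-05-01 10:00:08 BLOCK TCP 203.0.113.7:51238 -> 192.0.2.14:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(text, min_targets=3):
    """Aggregate blocked connections the way a DShield-style report would.

    A source that hits many distinct target/port pairs looks like a scanner;
    a source that repeatedly hits one target on one port (e.g. a file sharing
    peer) does not. The fan-out count is what separates the two cases.
    """
    targets = defaultdict(set)   # source IP -> {(dst, dport), ...}
    port_hits = Counter()        # (proto, dport) -> number of blocked hits
    for rec in parse(text):
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
        port_hits[(rec["proto"], int(rec["dport"]))] += 1
    fanout = {src: len(t) for src, t in targets.items()}
    scanners = sorted(src for src, n in fanout.items() if n >= min_targets)
    return {"fanout": fanout, "port_hits": port_hits, "scanners": scanners}
```

`summarize(SAMPLE_LOG)["port_hits"].most_common(3)` gives the busiest ports, which is the per-port view the thread says DShield charts; `min_targets` is the fan-out threshold for calling a source a scanner.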
Assuming the ISPs actually have proof that a port is exclusively hacker-only, and that the info passing through is for hacking purposes only, to justify blocking IPs; and since home PC users get new public IPs from time to time, you’d have to know when this happens and to what IPs those PCs changed, and since those PCs are behind another ISP firewall/proxy/netscreens this is actually impossible to know, and therefore to prove. Hence I’d say it is NOT easy to pick out the offenders. You can only have rough estimates with huge error margins; you’d eventually be choking the Internet to death, so from this POV the practical thing to do is to have a great firewall like COMODO’s and, in a business environment, a security/network admin to try to pick out offending IPs.
I figure the security experts who like the data know what to look for.
Even the experts don’t know for sure; check point five of this .pdf on the site you pointed out:
5) Suspicious or Unauthorized Network Traffic Patterns
http://www.sans.org/info/3766
As you can see, public firewall logs from around the world won’t help; they make no reference to ISPs or public firewall log database resources, they refer only to the logs on systems/servers. This proves my point.
Yes, if you are a network administrator, you’d definitely want to check your logs for suspicious or unauthorized network traffic patterns.
The .pdf mentions this should be monitored on a regular basis. What does this have to do with sending firewall logs to DShield.org?
If Sans didn’t feel the data was important, then why would they sponsor DShield?
DShield; Cooperative Network Security Community - Internet Security. Read this to see how the information is useful…
It has to do with it since they didn’t mention any log sharing at all as an effective and easy way to pick out offending IPs. But the link you provided in your last post (you should have posted the link in your first post to justify it) explains how constantly checking these public logs could help in the long run; this justifies your point. Anyway, COMODO should see what range of logs to send to be actually useful.
Edit: this would be much more effective when IPv6 replaces IPv4, and this is coming soon.