[Dshield] Problems DShield Framework IPtables
Tomas L. Byrnes
tomb at byrneit.net
Wed Apr 23 18:17:25 GMT 2008
You could use ThreatSTOP to achieve the same result: putting the DShield
block list (and others, if you like), into your firewall.
The advantage is that it's DNS, so the scripts are simple: add the names
to chains, run a cron job to update the chains.
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Algol Tradent
> Sent: Wednesday, April 23, 2008 9:44 AM
> To: list at lists.dshield.org
> Subject: [Dshield] Problems DShield Framework IPtables
>
> Greetings,
>
> I have two issues with the DShield Framework IPtables parser.
>
> My Setup: I run Shorewall with ulogd under debian 4.0
>
> I've manually tested the logfiles and they are standard iptables logs.
>
>
> 1. The DShield parser seems to be hardcoded to search for
> "kernel:" in each log line. Since I am using shorewall, my
> log lines do not contain the word "kernel:"
> The documentation points out to set the line_filter if we
> need to search for something different.
> In my case I have setup line_filter=Shorewall:
> This setting does not have the intended effect and no lines
> are parsed.
>
> Workarounds:
> A. Editing the iptables.pl script directly and replacing the
> "kernel:" pattern by "Shorewall:" has the desired effect on parsing.
>
> B. Commenting out the line that searches for "kernel:"
> on iptables.pl AND setting line_filter=Shorewall: in the
> config file also has the intended parsing effect.
>
> 2. I implemented the workaround A mentioned above so I can
> parse my logs.
> However, the e-mail message that I received on my test did
> NOT contain the lines in DShield format. It had the exact
> same lines as the original log file.
>
> Any help with this is highly appreciated.
>
> From the debug file on my testing machine:
>
> VERSION=[DShield Framework 2002-04-25 IPTABLES 2002-03-28]
> -------------------------------Processing line 1-------------------------------
> PARSING: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> PARSE RESULT:2008-04-20 06:41:11 -05:00|0|1|218.10.137.142|41553|xxx.xxx.xxx.xxx|1026|UDP|
> WRITTEN: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> -------------------------------Processing line 2-------------------------------
>
> Destination IP removed intentionally.
>
> Thank you for your attention and help
>
>
>
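The parsing problem in the quoted report (a filter string hardcoded to "kernel:" so that Shorewall lines are never matched) can be illustrated with a small converter whose line filter is a plain configurable substring. This is an added example, not the DShield Framework's own iptables.pl; the record layout copies the PARSE RESULT line from the debug output above, while the year and timezone arguments, the use of ICMP type/code in the port columns and the single-letter TCP flag column are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample lines: the first mirrors the Shorewall line in the debug output
# above (destination swapped for a documentation address); the others are made up.
SAMPLE_LOGS = [
    "Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= "
    "MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=192.0.2.10 "
    "LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465",
    "Apr 20 06:42:03 kakarotto kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=3344 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 20 06:43:17 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= SRC=203.0.113.9 "
    "DST=192.0.2.10 LEN=84 TOS=00 PREC=0x00 TTL=48 ID=0 PROTO=ICMP TYPE=8 CODE=0",
    "Apr 20 06:44:00 kakarotto sshd[123]: Accepted publickey for admin from 192.0.2.5",
]

FIELD_RE = re.compile(r"\b(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def parse_line(line, line_filter="kernel:", year=2008, tz="-05:00", user_id="0"):
    """Turn one netfilter log line into the pipe-delimited record seen in the
    debug output, or return None if the filter string or SRC/DST/PROTO is absent.
    The filter is a plain substring, so 'Shorewall:' works without editing code."""
    if line_filter not in line:
        return None
    fields = dict(FIELD_RE.findall(line[line.index(line_filter):]))
    if not {"SRC", "DST", "PROTO"} <= set(fields):
        return None
    # syslog stamps carry no year, so the caller supplies it together with the zone
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    proto = fields["PROTO"]
    if proto == "ICMP":
        sport, dport = fields.get("TYPE", ""), fields.get("CODE", "")  # assumption
    else:
        sport, dport = fields.get("SPT", ""), fields.get("DPT", "")
    tokens = line.split()
    # assumption: flag column is the first letter of each TCP flag present, e.g. "S"
    flags = "".join(f[0] for f in TCP_FLAGS if f in tokens) if proto == "TCP" else ""
    return (f"{ts:%Y-%m-%d %H:%M:%S} {tz}|{user_id}|1|{fields['SRC']}|{sport}|"
            f"{fields['DST']}|{dport}|{proto}|{flags}")


def parse_log(lines, line_filter="kernel:"):
    """Apply parse_line to every line and keep only the records that matched."""
    records = (parse_line(ln, line_filter) for ln in lines)
    return [r for r in records if r is not None]
```

With the default filter the Shorewall lines are silently skipped, which is exactly the "no lines are parsed" symptom; passing `line_filter="Shorewall:"` picks them up without touching the parser.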