[Dshield] Problems DShield Framework IPtables
Algol Tradent
tradent at yahoo.com
Wed Apr 23 20:32:09 GMT 2008
Thank you for your answer.
I guess I did not explain myself clearly enough. What
I am trying to achieve is log submissions to DShield.
I'm not interested in updating the firewall rules
using stop lists. At least not yet ;)
Thanks
--- "Tomas L. Byrnes" <tomb at byrneit.net> wrote:
> You could use ThreatSTOP to achieve the same result: putting the DShield
> block list (and others, if you like), into your firewall.
>
> The advantage is that it's DNS, so the scripts are simple: add the names
> to chains, run a cron job to update the chains.
>
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org] On Behalf Of Algol Tradent
> > Sent: Wednesday, April 23, 2008 9:44 AM
> > To: list at lists.dshield.org
> > Subject: [Dshield] Problems DShield Framework IPtables
> >
> > Greetings,
> >
> > I have two issues with the DShield Framework IPtables parser.
> >
> > My setup: I run Shorewall with ulogd under Debian 4.0.
> >
> > I've manually tested the logfiles and they are standard iptables logs.
> >
> > 1. The DShield parser seems to be hardcoded to search for "kernel:" in
> > each log line. Since I am using Shorewall, my log lines do not contain
> > the word "kernel:".
> > The documentation points out to set the line_filter if we need to search
> > for something different.
> > In my case I have set up line_filter=Shorewall:
> > This setting does not have the intended effect and no lines are parsed.
> >
> > Workarounds:
> > A. Editing the iptables.pl script directly and replacing the "kernel:"
> > pattern by "Shorewall:" has the desired effect on parsing.
> >
> > B. Commenting out the line that searches for "kernel:" in iptables.pl
> > AND setting line_filter=Shorewall: in the config file also has the
> > intended parsing effect.
> >
> > 2. I implemented workaround A mentioned above so I can parse my logs.
> > However, the e-mail message that I received on my test did NOT contain
> > the lines in DShield format. It had the exact same lines as the original
> > log file.
> >
> > Any help with this is highly appreciated.
> >
> > From the debug file on my testing machine:
> >
> > VERSION=[DShield Framework 2002-04-25 IPTABLES 2002-03-28]
> > -------------------------------Processing line 1-------------------------------
> > PARSING: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> > PARSE RESULT:2008-04-20 06:41:11 -05:00|0|1|218.10.137.142|41553|xxx.xxx.xxx.xxx|1026|UDP|
> > WRITTEN: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> > -------------------------------Processing line 2-------------------------------
> >
> > Destination IP removed intentionally.
> >
> > Thank you for your attention and help
> >
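As an added illustration of the parsing problem discussed in the thread (this is not the DShield framework's own iptables.pl, nor code from anyone on the list), here is a small Python parser that applies line_filter as a configurable substring instead of a hardcoded "kernel:" and emits the pipe-separated record in the shape of the PARSE RESULT line from the debug output. The sample lines, the year, the -05:00 offset, the userid of 0 and the "???" placeholder for a missing port are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the Shorewall/ulogd line from the thread's debug
# output (destination already anonymised there) plus an unrelated syslog line
# that a firewall-log parser must skip.
SAMPLE_LINES = [
    "Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= "
    "MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 "
    "DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP "
    "SPT=41553 DPT=1026 LEN=465",
    "Apr 20 06:41:12 kakarotto sshd[2211]: Accepted publickey for alice from 10.0.0.5",
]

SYSLOG_RE = re.compile(r"(\w{3})\s+(\d+)\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, year, line_filter="kernel:", tz="-05:00", userid="0"):
    """Return one record shaped like the debug PARSE RESULT, or None when the
    line fails line_filter (a plain substring) or carries no iptables fields."""
    if line_filter not in line:
        return None
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, rest = m.groups()
    # syslog timestamps carry no year, so the caller supplies it (assumption).
    stamp = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        fields.setdefault(key, value)  # iptables logs LEN twice; keep the first
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    return "|".join([
        stamp.strftime("%Y-%m-%d %H:%M:%S") + " " + tz,
        userid,
        "1",                          # count: one record per log line
        fields["SRC"], fields.get("SPT", "???"),
        fields["DST"], fields.get("DPT", "???"),
        fields["PROTO"],
        "",                           # trailing flags column, empty for UDP
    ])


def parse_lines(lines, year, line_filter="kernel:"):
    """Apply parse_line to every line and keep only the records."""
    records = [parse_line(ln, year, line_filter) for ln in lines]
    return [r for r in records if r is not None]
```

With the default filter, parse_lines(SAMPLE_LINES, 2008) returns nothing from Shorewall output, which is the symptom reported above; passing line_filter="Shorewall:" yields the single record.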