[Dshield] DShield Linux client working?

Jim McQueen jim at jimmcqueen.com
Thu Nov 1 15:36:51 GMT 2001


OK, I'm halfway there.  My biggest problem was, that I hadn't poked a hole
in the firewall to allow mail directly to dshield.org.

Last night's submission was accepted and confirmed, with this warning:

               Authorized Userid: 0
  The e-mail address you used to submit this report from
  did not match the address we have on file.

Which sounds exactly like the problem you suggested.  Your fix seems to
apply to sendmail, which I'm not running (I think.)  My reports are
dispatched by /bin/mail, and I haven't yet found a switch similar to '-f'
in the mail man page.  I'm still looking (and, hopefully, learning.  That's
the fun of Linux...)

Thanks,
Jim McQueen


-----Original Message-----
From: Johannes B. Ullrich <jullrich at euclidian.com>
To: dshield at dshield.org <dshield at dshield.org>
Date: Tuesday, October 30, 2001 11:03 AM
Subject: Re: [Dshield] DShield Linux client working?


>
>Most likely, your from address is something like 'root at yourbox...' .
>The basic authentication only looks at the USERID field in the subject
>line and the 'From' header.
>
>For the minimal shell script, add a '-fyouremail at yourisp' to make it
>work or change the address in your account profile. For the first method,
>the user that runs the shell script should be a 'trusted' user for
>sendmail.
>
>
>
>
>On Tue, 30 Oct 2001, Jim McQueen wrote:
>
>> First off, I'm somewhat of a Linux newbie.
>>
>> I am running the "Minimal shell script" as a cron job.  It appears to
>> correctly mail off a report nightly, but when I log on to the
>> web site and "check my reports", I don't see my submissions in the
>> database.
>>
>> I added a line to the script to mail off a duplicate report to me
>> directly, and those arrive correctly.
>>
>> I have tried mail subject lines using both "FORMAT LINUX" and "FORMAT
>> IPCHAINS".
>>
>> I have tried both with and without "TZ -08:00".
>>
>> I have tried both with and without an e-mail address in the subject
>> line.  (The script sets a variable with an e-mail address, but
>> then doesn't use it.  Is there a use for it?  I guessed at "EMAIL
>> dshield at jimmcqueen.com".)
>>
>> The "logic" part of the script seems to work just fine.  As I said, I am
>> getting my copies of the reports.  And when I cut and paste
>> them into the web submission form, they show up in the database OK.
>>
>> My (slightly modified) script is listed below.  My user ID number is
>> obfuscated, but IS correct in the script.  And I have proven
>> that the user ID works, by copying and pasting it into the web
>> submission form, from the copy of the dshield reports I'm mailing
>> myself.
>>
>> Thanks,
>> Jim McQueen
>>
>>
>>
>> ----- Begin Listing -----
>>
>> #!/bin/sh
>>
>> #  DShield bash client. V 0.0.1
>> #
>> #  Parameters
>> #
>>
>> # your dshield userid. leave '0' to submit anonymous logs.
>> userid=(my CORRECT number obfuscated)
>>
>> # your return email address. leave 'none' to submit anonymous logs.
>> email=dshield at jimmcqueen.com
>>
>> # where to send logs to. replace with your own e-mail address for testing.
>> to=report at dshield.org
>> #to=dshield at jimmcqueen.com
>>
>> # Time Zone.  (PST = -08:00  PDT = -07:00)
>> #timezone="-07:00"
>> timezone="-08:00"
>>
>> # what lines to grep for. 'input DENY' should get it
>> # change if you are logging differently (e.g. different chain name or
>> # redirect/reject instead of deny)
>> filter="input DENY"
>>
>> # temp. file to remember length of log file between runs.
>> state=/var/tmp/dshield
>>
>> # name of log file.
>> logfile=/var/log/messages
>>
>> # where to find your 'mail' program.
>> mail='/bin/mail'
>>
>> # setup a temp file name. mktemp creates it with a random suffix and mode 0600,
>> # so another local user cannot pre-create or symlink a predictable /tmp name.
>> tmp=`mktemp /tmp/dshield.XXXXXX` || exit 1
>>
>> #
>> # the 'logic part'. Try to avoid changing this part.
>> #
>>
>> last_count=0
>>
>> # read length of file from 'state'
>> if [ -e "$state" ] ; then
>>   last_count=`tr -d "\n" < "$state"`
>> fi
>>
>> # get current length of log file (reading stdin keeps the file name out of
>> # wc's output, so only the number remains)
>> length=`wc -l < "$logfile" | tr -d " \n"`
>>
>> # if the new length is shorter than the old length,
>> # we assume a new log file was opened. Take it all.
>> if [ "$length" -lt "$last_count" ] ; then
>>   last_count=0
>> fi
>>
>> # calculate how many lines were written since we ran last.
>> count=$((length - last_count))
>>
>> # get the new lines from the log file and write them to $tmp
>> tail -n "$count" "$logfile" | grep "$filter" > "$tmp"
>>
>> # only send an e-mail if the $tmp file is not empty
>> if [ -s "$tmp" ] ; then
>>   $mail -s "FORMAT LINUX USERID $userid TZ $timezone" "$to" < "$tmp"
>>   $mail -s "FORMAT LINUX USERID $userid TZ $timezone" dshield at jimmcqueen.com < "$tmp"
>> fi
>>
>> # delete tmp file.
>> rm -f "$tmp"
>>
>> # remember new length of log file.
>> echo "$length" > "$state"
>>
>>
>> ----- End Listing -----
>>
>>
>> _______________________________________________
>> Dshield mailing list
>> Dshield at dshield.org
>> To change your subscription options (or unsubscribe), see:
>> http://www1.dshield.org/mailman/listinfo/dshield
>>
>
>--
>-------
>jullrich at sans.org                    Join http://www.DShield.org
>                          Distributed Intrusion Detection System
>
>
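The check Johannes describes (userid taken from the Subject line, sender taken from the From: header, both compared with what is on file) and the fix he suggests (an explicit sender, passed as envelope sender with sendmail's -f), as an added example that is not part of the thread or of the DShield client. The account address, userid and log line are constructed; the sendmail path is an assumption.

```shell
#!/bin/sh
# Constructed values standing in for the address and userid on file.
account_email="dshield@example.com"
userid=12345
timezone="-08:00"
report_to="report@dshield.org"

# Print a complete report message: explicit headers, then the body from stdin.
# $1 = From address, $2 = userid, $3 = timezone, $4 = recipient
build_report() {
    printf 'From: %s\nTo: %s\nSubject: FORMAT LINUX USERID %s TZ %s\n\n' \
        "$1" "$4" "$2" "$3"
    cat
}

# Model of the basic check the reply describes: the USERID on the Subject
# line and the address in From: must both equal what is on file.
# $1 = userid on file, $2 = address on file; message on stdin. Exit 0 if ok.
report_is_authorized() {
    headers=$(sed '/^$/q')                 # header block only
    from=$(printf '%s\n' "$headers" | sed -n 's/^From:[[:space:]]*//p' | head -n 1)
    uid=$(printf '%s\n' "$headers" \
          | sed -n 's/^Subject:.*USERID[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ "$uid" = "$1" ] && [ "$from" = "$2" ]
}

# Hand the message to sendmail with a matching envelope sender. The user
# running this must be one sendmail trusts to set -f (assumed path).
# $1 = file holding the filtered log lines
send_report() {
    build_report "$account_email" "$userid" "$timezone" "$report_to" < "$1" \
        | /usr/sbin/sendmail -f "$account_email" "$report_to"
}
```

Running the header check locally against a copy of the report before it is sent shows the "did not match the address we have on file" case without waiting for the nightly confirmation.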