[Dshield] DShield Linux client working?

Jim McQueen dshield at jimmcqueen.com
Tue Oct 30 17:10:13 GMT 2001


First off, I'm somewhat of a Linux newbie.

I am running the "Minimal shell script" as a cron job.  It appears to correctly mail off a report nightly, but when I log on to the
web site and "check my reports", I don't see my submissions in the database.

I added a line to the script to mail off a duplicate report to me directly, and those arrive correctly.

I have tried mail subject lines using both "FORMAT LINUX" and "FORMAT IPCHAINS".

I have tried both with and without "TZ -08:00".

I have tried both with and without an e-mail address in the subject line.  (The script sets a variable with an e-mail address, but
then doesn't use it.  Is there a use for it?  I guessed at "EMAIL dshield at jimmcqueen.com".)

The "logic" part of the script seems to work just fine.  As I said, I am getting my copies of the reports.  And when I cut and paste
them into the web submission form, they show up in the database OK.

My (slightly modified) script is listed below.  My user ID number is obfuscated, but IS correct in the script.  And I have proven
that the user ID works, by copying and pasting it into the web submission form, from the copy of the dshield reports I'm mailing
myself.

Thanks,
Jim McQueen



----- Begin Listing -----

#!/bin/sh

#  DShield bash client. V 0.0.1
#
#  Parameters
#

# your dshield userid. leave '0' to submit anonymous logs.
userid="(my CORRECT number obfuscated)"

# your return email address. leave 'none' to submit anonymous logs.
email=dshield@jimmcqueen.com

# where to send logs to. replace with your own e-mail address for testing.
to=report@dshield.org
#to=dshield@jimmcqueen.com

# Time Zone.  (PST = -08:00  PDT = -07:00)
#timezone="-07:00"
timezone="-08:00"

# what lines to grep for. 'input DENY' should get it
# change if you are logging differently (e.g. different chain name or
# redirect/reject instead of deny)
filter="input DENY"

# temp. file to remember length of log file between runs.
state=/var/tmp/dshield

# name of log file.
logfile=/var/log/messages

# where to find your 'mail' program.
mail='/bin/mail'

# setup a temp file. mktemp creates it with a random name and mode 0600,
# so another local user cannot pre-create or symlink a predictable path.
tmp=$(mktemp /tmp/dshield.XXXXXX) || exit 1

#
# the 'logic part'. Try to avoid changing this part.
#

last_count=0

# read length of file from 'state'; fall back to 0 if it is missing or not a number
if [ -e "$state" ] ; then
  last_count=$(tr -d '\n' < "$state")
fi
case $last_count in
  ''|*[!0-9]*) last_count=0 ;;
esac

# get current length of log file (read from stdin so wc prints no filename,
# otherwise digits in the path would end up in the count)
length=$(wc -l < "$logfile" | tr -d ' \n')

# if the new length is shorter than the old length,
# we assume a new log file was opened. Take it all.
if [ "$length" -lt "$last_count" ] ; then
  last_count=0
fi

# calculate how many lines were written since we ran last.
count=$((length - last_count))

# get the new lines from the log file and write them to $tmp
tail -n "$count" "$logfile" | grep "$filter" > "$tmp"

# only send an e-mail if the $tmp file is not empty
if [ -s "$tmp" ] ; then
  $mail -s "FORMAT LINUX USERID $userid TZ $timezone" "$to" < "$tmp"
  $mail -s "FORMAT LINUX USERID $userid TZ $timezone" dshield@jimmcqueen.com < "$tmp"
fi

# delete tmp file.
rm -f "$tmp"

# remember new length of log file.
echo "$length" > "$state"


----- End Listing -----
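The script's "logic part" remembers only a line count, so a rotated log that has already grown past the old count is read as if only the excess lines were new. The following is an added example, not part of the post or of the DShield client, that keeps the same "input DENY" filter but tracks inode and byte offset instead, and leaves a partial trailing line for the next run; the log lines and file paths in demo() are constructed.

```python
import json
import os
import tempfile

FILTER = "input DENY"  # same substring the shell script greps for

def read_state(state_path):
    """(inode, byte offset) saved by the previous run, or (None, 0) on first run / bad file."""
    try:
        with open(state_path) as f:
            st = json.load(f)
        return st["inode"], st["offset"]
    except (OSError, ValueError, KeyError):
        return None, 0

def collect_new_lines(logfile, state_path, pattern=FILTER):
    """Return lines matching `pattern` appended since the last run and save new state.
    Rotation is detected by an inode change or by the file being shorter than the saved
    offset, so a fresh file that already grew past the old size is still read from 0."""
    st = os.stat(logfile)
    inode, offset = read_state(state_path)
    if inode != st.st_ino or st.st_size < offset:
        offset = 0
    with open(logfile, "rb") as f:
        f.seek(offset)
        data = f.read()
    data = data[: data.rfind(b"\n") + 1]  # drop a partial trailing line; next run gets it
    matches = [ln for ln in data.decode("utf-8", "replace").splitlines() if pattern in ln]
    with open(state_path, "w") as f:
        json.dump({"inode": st.st_ino, "offset": offset + len(data)}, f)
    return matches

def demo():
    """Constructed two-run scenario across a log rotation; returns what each run reported."""
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "messages"), os.path.join(d, "dshield.state")
    with open(log, "w") as f:  # constructed ipchains-style lines, not real traffic
        f.write("Oct 30 01:00:01 host kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4321 192.0.2.10:23 L=60\n"
                "Oct 30 01:00:02 host cron[123]: (root) CMD (run-parts /etc/cron.hourly)\n")
    first = collect_new_lines(log, state)
    os.rename(log, log + ".1")  # rotation: old file moved aside, new file gets a new inode
    with open(log, "w") as f:  # new file is already longer than the old one
        f.write("Oct 30 02:00:00 host kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:53 192.0.2.10:53 L=78\n"
                "Oct 30 02:00:01 host kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:1025 192.0.2.10:80 L=60\n"
                "Oct 30 02:00:02 host sshd[77]: Accepted publickey for jim\n")
    second = collect_new_lines(log, state)
    return first, second
```

With the script's line-count heuristic the second run would see 3 lines against a saved count of 2 and report only the sshd line; here both DENY lines of the new file are reported.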