[Dshield] DShield Linux client working?

Johannes B. Ullrich jullrich at euclidian.com
Tue Oct 30 18:28:03 GMT 2001


Most likely, your from address is something like 'root at yourbox...'.
The basic authentication only looks at the USERID field in the subject 
line and the 'From' header.

For the minimal shell script, add a '-fyouremail at yourisp' to make it 
work or change the address in your account profile. For the first method, 
the user that runs the shell script should be a 'trusted' user for 
sendmail.
On Tue, 30 Oct 2001, Jim McQueen wrote:

> First off, I'm somewhat of a Linux newbie.
> 
> I am running the "Minimal shell script" as a cron job.  It appears to correctly mail off a report nightly, but when I log on to the
> web site and "check my reports", I don't see my submissions in the database.
> 
> I added a line to the script to mail off a duplicate report to me directly, and those arrive correctly.
> 
> I have tried mail subject lines using both "FORMAT LINUX" and "FORMAT IPCHAINS".
> 
> I have tried both with and without "TZ -08:00".
> 
> I have tried both with and without an e-mail address in the subject line.  (The script sets a variable with an e-mail address, but
> then doesn't use it.  Is there a use for it?  I guessed at "EMAIL dshield at jimmcqueen.com".)
> 
> The "logic" part of the script seems to work just fine.  As I said, I am getting my copies of the reports.  And when I cut and paste
> them into the web submission form, they show up in the database OK.
> 
> My (slightly modified) script is listed below.  My user ID number is obfuscated, but IS correct in the script.  And I have proven
> that the user ID works, by copying and pasting it into the web submission form, from the copy of the dshield reports I'm mailing
> myself.
> 
> Thanks,
> Jim McQueen
> 
> 
> 
> ----- Begin Listing -----
> 
> #!/bin/sh
> 
> #  DShield bash client. V 0.0.1
> #
> #  Parameters
> #
> 
> # your dshield userid. leave '0' to submit anonymous logs.
> userid=(my CORRECT number obfuscated)
> 
> # your return email address. leave 'none' to submit anonymous logs.
> email=dshield at jimmcqueen.com
> 
> # where to send logs to. replace with your own e-mail address for testing.
> to=report at dshield.org
> #to=dshield at jimmcqueen.com
> 
> # Time Zone.  (PST = -08:00  PDT = -07:00)
> #timezone="-07:00"
> timezone="-08:00"
> 
> # what lines to grep for. 'input DENY' should get it
> # change if you are logging differently (e.g. different chain name or
> # redirect/reject instead of deny
> filter="input DENY"
> 
> # temp. file to remember length of log file between runs.
> state=/var/tmp/dshield
> 
> # name of log file.
> logfile=/var/log/messages
> 
> # where to find your 'mail' program.
> mail='/bin/mail'
> 
> # setup a temp file name.
> tmp=/tmp/dshield.$$.tmp
> 
> #
> # the 'logic part'. Try to avoid changing this part.
> #
> 
> last_count=0
> 
> # read length of file from 'state'
> if [ -e $state ] ; then
>   last_count=`cat $state | tr -d "\n"`
> fi
> 
> # get current length of log file
> length=`wc -l $logfile | sed 's/[^0-9]//g' | tr -d "\n"`
> 
> # if the new length is shorter than the old length,
> # we assume a new log file was opened. Take it all.
> if [ "$length" -lt "$last_count" ] ; then
>   last_count=0
> fi
> 
> #calculate how many lines were written since we ran last.
> count=$[length-last_count]
> 
> # get the new lines from the log file and write them to $tmp
> tail -$count $logfile | grep "$filter" > $tmp
> 
> # only send an e-mail if the $tmp file is not empty
> if [ -s $tmp ] ; then
>   $mail -s "FORMAT LINUX USERID $userid TZ $timezone" $to < $tmp
>   $mail -s "FORMAT LINUX USERID $userid TZ $timezone" dshield at jimmcqueen.com < $tmp
> fi
> 
> #delete tmp file.
> rm /tmp/dshield.$$.tmp
> 
> #remember new length of log file.
> echo $length > $state
> 
> 
> ----- End Listing -----
> 
> 

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
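As an added example (not the list's or DShield's own client code), here is how the report can be sent so that both the From: header and the envelope sender carry the address registered in the DShield profile, which is what the reply above says the submission check looks at. It assumes a sendmail-compatible MTA at /usr/sbin/sendmail; the user id, timezone and addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: submit a DShield report with an explicit sender instead of
# whatever 'root@thisbox' the cron environment would otherwise produce.
# Assumes a sendmail-compatible MTA (override with SENDMAIL=...).

SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"

# Print the subject line DShield expects; fail on a malformed userid or TZ
# so a typo does not silently turn the report into an anonymous one.
dshield_subject() {
    userid="$1"; tz="$2"
    case "$userid" in
        ''|*[!0-9]*) echo "bad userid: $userid" >&2; return 1 ;;
    esac
    case "$tz" in
        [+-][0-9][0-9]:[0-9][0-9]) ;;
        *) echo "bad timezone (want +HH:MM or -HH:MM): $tz" >&2; return 1 ;;
    esac
    printf 'FORMAT LINUX USERID %s TZ %s\n' "$userid" "$tz"
}

# Wrap the filtered log lines read from stdin into a complete message whose
# From: header is the profile address, not the local account name.
dshield_message() {
    from="$1"; to="$2"; subject="$3"
    printf 'From: %s\nTo: %s\nSubject: %s\n\n' "$from" "$to" "$subject"
    cat
}

# Hand the message to the MTA with the same address as envelope sender (-f).
# -oi keeps a lone "." in the log data from ending the message early.
# If the invoking user is not in sendmail's trusted-user list, sendmail adds
# an X-Authentication-Warning header; the sender is still what we set.
dshield_send() {
    from="$1"; to="$2"; subject="$3"
    dshield_message "$from" "$to" "$subject" | "$SENDMAIL" -f "$from" -oi "$to"
}

# Usage from a cron job (constructed values):
#   subject=$(dshield_subject 12345 -08:00) || exit 1
#   grep 'input DENY' "$tmp" | dshield_send you@yourisp report@dshield.org "$subject"
```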