[Dshield] Home LANs, firewalls, and DShield submissions

Wayne Larmon wlarmon at dshield.org
Wed May 29 13:29:55 GMT 2002


Yeah, this is de-NATting.  (Converting local IPs back to the IP that is
assigned to your router.)  We discussed this a while back.  In short,

1. It *might* be desirable to de-NAT local IPs that NAT routers put in logs,
but this is potentially bad if the user's IP is dynamically assigned (DHCP),
because it would be very difficult for a DShield converter to track what
external IP you had at any given time.  In this case, a local IP is much
better than having the converter put the wrong IP (for the time you were
actually connected) in the DShield log.  But de-NATting would be good if
your IP is static.

2. I promised to take a look at this and add it to the clients I maintain.
I still haven't.  I consider myself reminded.  Eelco Lempsink added
de-natting to the Python client that he wrote
(http://www.dshield.org/linux_clients.html#dshieldpy)  but this doen't help
you because you aren't running a *NIX machine.

3. Local IPs are still valuable for our database because they still are used
for all our stats.  The only thing they can't be used for is to send a
FightBack abuse report on your behalf, because ISPs require valid target
IPs.  So don't let this keep you from submitting.

Look at the Kiwi Syslog Daemon.
http://www.kiwisyslog.com/software_downloads.htm

It is a Windows program that accepts *NIX type syslog messages.  The only
thing is that I haven't wrote a CVTWIN Kiwi converter for Netgear logs yet.
There is one for Linksys, but not NetGear.  This is something else I
promised to do.  It is on my list of things to do.

If you get Kiwi running, then send me some sample logs.  I have some from
the first user who asked me to write a Kiwi Netgear converter, but it is
always best to have sample logs from different users.

Wayne Larmon
wlarmon at dshield.org


> Hi, All.
>
>     I assume I'm like the majority of people here when I say that I have
> several home computers connected with a router and sharing an internet
> connection.  (I'm just a User with a firewall--not an Admin with
> Experience.)
>
>     While testing some internet software, I ended up moving the test
> machine into the router's "DMZ", and discovered to my delight that the
> various probes and packets the router had been blocking were being passed
> in and captured by my machine's firewall (like I said: I'm just a User.)
>
>     Having captured a bunch of packets, I went to submit them using the
> Windows client and discovered that the default rules block submission of
> traffic to/from 192.168.0.x.  Because I'm behind the router, my machine
> only knows it's address on the local network.  I can think of a couple of
> ways to automatically get the address assigned to the router, but none of
> them seem foolproof (i.e.: gets address, loses connection, gets new
> address, doesn't get new address for several hours.)
>
>     My question is this: Is the knowledge that 1.2.3.4 sent a packet to
> port 80 of "some machine" useful enough information to submit?
> (Obviously
> it'd be useless for FightBack, but I'm not sure whether it'd be
> useful for
> tracking net trends in general, which is the only other reason I
> can think
> to submit.)  If not, how are other people dealing with this issue?  (In
> case it makes a difference, it's a NetGear "Web Safe" RP114 router.  It
> claims the ability to send logs to a local *nix machine, but I
> have neither
> the expertise to configure this nor a suitable host--I'm running all
> Winblows machines here.)
>
>
> Thanks,
>
> Neil R.
>
> --
> Supreme Lord High Commander and Keeper of the Holy Potato
> ----------
> Random thought for the day:
>
>     I am NOT Paranoid! And why are you always watching me??
>
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>





More information about the list mailing list