[Dshield] Iptables parsing

Don don at thewilders.org
Thu Jun 9 11:42:04 GMT 2005


Thanks for the suggestion David,

Email addresses have been (modified) to avoid harvesting...

Here is the content from my /etc/dshield.cnf:

from=don(AT)hbs-inc(dot)ws
userid=(DSHIELD_ID)
to=report(AT)dshield(dot)org
cc=don(AT)hbs-inc(dot)ws
bcc=
log=/var/log/messages
sendmail=/usr/sbin/sendmail -oi -t
whereto=MAIL
source_exclude=/etc/dshield-source-exclude.lst
target_exclude=/etc/dshield-target-exclude.lst
source_port_exclude=/etc/dshield-source-port-exclude.lst
target_port_exclude=/etc/dshield-target-port-exclude.lst
obfus=N
linecnt=/tmp/dshield.cnt
verbose=Y
debug=Y
rotate=N

---------------------------------------------------

I know information is being submitted... Here is a snippet from the latest
inputs:

To: report(AT)dshield(dot)org
Cc: don(AT)hbs-inc(dot)ws
Subject: FORMAT IPTABLES USERID (DSHIELD_ID) TZ -04:00 VERSION DShield
Framework 2002-04-25 IPTABLES 2002-03-28

Jun  8 04:09:45 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=38065 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=23037 
Jun  8 09:54:44 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=9379 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=14801 
Jun  8 11:56:20 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=6509 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=33474 
Jun  8 13:55:21 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=1686 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=63667 

None of this shows up as being reported in my database. The reports I get
back (when I get one back) always show 0 lines imported.

Whereas the output from my Dlink router does get entered into the database:

To: don(AT)hbs-inc(dot)ws; dlink(DSHIELD_ID)(AT)dshield.com
Subject: Log Full(from: 68.106.147.232 DI-784)

Jun/08/2005 14:59:37
 Drop UDP packet from WAN src:61.152.158.126:58033 dst:68.106.147.232:1029
Rule: Default deny
Jun/08/2005 14:59:37
 Drop UDP packet from WAN src:61.152.158.126:58033 dst:68.106.147.232:1026
Rule: Default deny
Jun/08/2005 14:58:35
 Drop UDP packet from WAN src:204.253.46.76:20148 dst:68.106.147.232:1026
Rule: Default deny


If I need to modify the iptables.pl to match the above output I feel
confident I can, but I am curious as to why the Dlink input gets entered
whereas the Iptables one does not. (This same configuration used to work
for both.)



Here is an input from Dec 29, 2004 that did work... Somewhat 

Lines written to database (up to 10):
Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53
DST=224.0.0.251 LEN=114 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP
SPT=5353 DPT=5353 LEN=94 

Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53
DST=224.0.0.251 LEN=132 TOS=0x00 PREC=0x00 TTL=255 ID=1 DF PROTO=UDP
SPT=5353 DPT=5353 LEN=112 



And at the risk of making this email too long... Here is some of the
information from the debug file...
=============================Calculating Time Zone=============================
DEBUG: calculated RFC 821 based tz = -0400
DEBUG: calculated tz = -04:00
============================Variable initialization============================
DEBUG: FRAMEWORK_VERSION=[2002-04-25]
DEBUG: PARSER_VERSION=[2002-03-28]
DEBUG: PARSER=[IPTABLES]
DEBUG: VERSION=[DShield Framework 2002-04-25 IPTABLES 2002-03-28]
DEBUG: format=[IPTABLES]
DEBUG: upper_date=[20050610245959]
DEBUG: lower_date=[20040610000000]
DEBUG: whereto=[MAIL]
DEBUG: from=[don(AT)hbs-inc(dot)ws]
DEBUG: to=[report(AT)dshield(dot)org]
DEBUG: cc=[don(AT)hbs-inc(dot)ws]
DEBUG: bcc=[]
DEBUG: userid=[(DSHIELD_ID)]
DEBUG: line_filter=[]
DEBUG: line_exclude=[]
DEBUG: this_year=[2005]
DEBUG: this_month=[6]
DEBUG: tz=[-04:00]
DEBUG: log=[/var/log/messages]
DEBUG: verbose=[Y]
DEBUG: sendmail=[/usr/sbin/sendmail -oi -t]
DEBUG: rotate=[N]
DEBUG: linecnt=[/tmp/dshield.cnt]
DEBUG: obfus=[N]
DEBUG: tmpfile=[/tmp/dshield.25753.tmp]
DEBUG: source_exclude=[/etc/dshield-source-exclude.lst]
DEBUG: target_exclude=[/etc/dshield-target-exclude.lst]
DEBUG: source_port_exclude=[/etc/dshield-source-port-exclude.lst]
DEBUG: target_port_exclude=[/etc/dshield-target-port-exclude.lst]
========================Exclusions file initialization=========================
DEBUG: Source Exclude IPs:
DEBUG: Using 7 exclusions.
DEBUG: 1  000.000.000.000 - 000.000.000.000
DEBUG: 2  127.000.000.000 - 127.255.255.255
DEBUG: 3  255.255.255.255 - 255.255.255.255
DEBUG: 4  010.002.000.000 - 010.255.255.255
DEBUG: 5  169.254.000.000 - 169.254.255.255
DEBUG: 6  172.016.000.000 - 172.031.255.255
DEBUG: 7  192.168.000.000 - 192.168.255.255
DEBUG: Target Exclude IPs:
DEBUG: Using 4 exclusions.
DEBUG: 1  000.000.000.000 - 000.000.000.000
DEBUG: 2  127.000.000.000 - 127.255.255.255
DEBUG: 3  255.255.255.255 - 255.255.255.255
DEBUG: 4  010.000.000.000 - 010.001.255.255
DEBUG: Source Exclude Ports:
DEBUG: No exclusions.
DEBUG: Target Exclude Ports:
DEBUG: No exclusions.
===========================Other file initialization===========================
DEBUG: Opening time stamp file /tmp/dshield.cnt
DEBUG: Will only submit log lines later than 2005-06-08 01:18:23 (from previous session.)
DEBUG: opening /var/log/messages for reading

-----------------------------Processing line 38014-----------------------------
PARSING: Jun  8 13:55:21 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=1686 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=63667 
PARSE RESULT:2005-06-08 13:55:21 -04:00|(DSHIELD_ID)|1|68.104.113.131|8|68.106.147.231|0|ICMP|
WRITTEN: Jun  8 13:55:21 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131
DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=1686 PROTO=ICMP
TYPE=8 CODE=0 ID=512 SEQ=63667 
-----------------------------Processing line 38066-----------------------------
PARSING: Jun  8 18:09:43 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=208.254.18.130
DST=68.106.147.231 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=44802 SEQ=20190 
PARSE RESULT:2005-06-08 18:09:43 -04:00|(DSHIELD_ID)|1|208.254.18.130|8|68.106.147.231|0|ICMP|
WRITTEN: Jun  8 18:09:43 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=208.254.18.130
DST=68.106.147.231 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=44802 SEQ=20190 
-----------------------------Processing line 38067-----------------------------
PARSING: Jun  8 18:09:43 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=65.169.170.131
DST=68.106.147.231 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=53506 SEQ=8161 
PARSE RESULT:2005-06-08 18:09:43 -04:00|(DSHIELD_ID)|1|65.169.170.131|8|68.106.147.231|0|ICMP|
WRITTEN: Jun  8 18:09:43 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=65.169.170.131
DST=68.106.147.231 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=53506 SEQ=8161 
-----------------------------Processing line 38068-----------------------------
PARSING: Jun  8 18:09:43 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=65.170.56.2
DST=68.106.147.231 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=8528 SEQ=2116 
PARSE RESULT:2005-06-08 18:09:43 -04:00|(DSHIELD_ID)|1|65.170.56.2|8|68.106.147.231|0|ICMP|
WRITTEN: Jun  8 18:09:43 gw kernel: ICMP Drop IN=eth1 OUT=
MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=65.170.56.2
DST=68.106.147.231 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=8528 SEQ=2116 


Don
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Difference Between A Successful Person And Others Is
Not A Lack Of Strength, Not A Lack Of Knowledge, 
But Rather In A Lack Of Will.
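As an added illustration of what the client's debug output above is doing (this is not Don's configuration or the DShield project's iptables.pl, but a Python sketch written for this page), the block below parses iptables kernel log lines into the pipe-delimited record shown on the PARSE RESULT lines, then applies the three filters the debug output reports: a parseable line, a timestamp later than the previous session's cut-off (2005-06-08 01:18:23), and neither endpoint inside a source or target exclusion range. The exclusion ranges are copied from the debug output; the ICMP TYPE/CODE mapping into the port columns is taken from the PARSE RESULT lines, and the SPT/DPT mapping for TCP/UDP is assumed by analogy. One sample line is quoted from the thread, the other two are constructed; the helper names are mine.

```python
import ipaddress
import re
from datetime import datetime

# klogd/syslog prefix: "Jun  8 13:55:21 gw kernel: ..."
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<rest>.*)$"
)

# Ranges copied from the "Exclusions file initialization" debug output.
SRC_EXCLUDE = [
    ("000.000.000.000", "000.000.000.000"), ("127.000.000.000", "127.255.255.255"),
    ("255.255.255.255", "255.255.255.255"), ("010.002.000.000", "010.255.255.255"),
    ("169.254.000.000", "169.254.255.255"), ("172.016.000.000", "172.031.255.255"),
    ("192.168.000.000", "192.168.255.255"),
]
DST_EXCLUDE = [
    ("000.000.000.000", "000.000.000.000"), ("127.000.000.000", "127.255.255.255"),
    ("255.255.255.255", "255.255.255.255"), ("010.000.000.000", "010.001.255.255"),
]

def norm(ip):
    """'010.002.000.000' -> '10.2.0.0'; ipaddress refuses leading zeros."""
    return ".".join(str(int(octet)) for octet in ip.split("."))

def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (low, high) range."""
    addr = ipaddress.ip_address(norm(ip))
    return any(ipaddress.ip_address(norm(lo)) <= addr <= ipaddress.ip_address(norm(hi))
               for lo, hi in ranges)

def parse_fields(rest):
    """'ICMP Drop IN=eth1 OUT= SRC=... DF PROTO=ICMP ...' -> dict.
    LEN and ID repeat (IP header, then ICMP/UDP payload); the first, IP-header,
    value wins. Bare flags such as DF and the log-prefix words map to ''."""
    fields = {}
    for tok in rest.split():
        key, _, val = tok.partition("=")
        fields.setdefault(key, val)
    return fields

def parse_line(line, year, tz):
    """Return a record dict, or None if the line is not an iptables log line.
    Syslog stamps carry no year, so the caller supplies it (this_year=[2005])."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    f = parse_fields(m.group("rest"))
    if not all(k in f for k in ("SRC", "DST", "PROTO")):
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    if f["PROTO"] == "ICMP":
        # PARSE RESULT lines put ICMP TYPE in the source-port column, CODE in the dest-port column.
        sport, dport = f.get("TYPE", ""), f.get("CODE", "")
    else:
        sport, dport = f.get("SPT", ""), f.get("DPT", "")   # assumed by analogy
    return {"ts": ts, "tz": tz, "src": f["SRC"], "sport": sport,
            "dst": f["DST"], "dport": dport, "proto": f["PROTO"]}

def format_record(rec, userid, count=1):
    """Render one record the way the PARSE RESULT lines look."""
    stamp = rec["ts"].strftime("%Y-%m-%d %H:%M:%S")
    return (f"{stamp} {rec['tz']}|{userid}|{count}|{rec['src']}|{rec['sport']}"
            f"|{rec['dst']}|{rec['dport']}|{rec['proto']}|")

def select_for_submission(lines, year, tz, userid, cutoff,
                          src_excl=SRC_EXCLUDE, dst_excl=DST_EXCLUDE):
    """Keep lines that parse, are strictly later than the cut-off, and have
    neither endpoint inside an exclusion range."""
    out = []
    for line in lines:
        rec = parse_line(line, year, tz)
        if rec is None or rec["ts"] <= cutoff:
            continue
        if in_ranges(rec["src"], src_excl) or in_ranges(rec["dst"], dst_excl):
            continue
        out.append(format_record(rec, userid))
    return out

# Sample input: first line quoted from the thread; the other two are constructed
# to exercise the cut-off and the source exclusion list.
SAMPLE_LINES = [
    "Jun  8 13:55:21 gw kernel: ICMP Drop IN=eth1 OUT= "
    "MAC=00:20:fc:1e:18:9c:00:50:57:00:86:a4:08:00 SRC=68.104.113.131 "
    "DST=68.106.147.231 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=1686 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=512 SEQ=63667",
    "Jun  8 01:00:00 gw kernel: TCP Drop IN=eth1 OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.7 "
    "DST=68.106.147.231 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3 DF PROTO=TCP "
    "SPT=3245 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Jun  8 02:00:00 gw kernel: ICMP Drop IN=eth1 OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.1.5 "
    "DST=68.106.147.231 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1 SEQ=1",
]
CUTOFF = datetime(2005, 6, 8, 1, 18, 23)   # from the thread's debug output

if __name__ == "__main__":
    for rec in select_for_submission(SAMPLE_LINES, 2005, "-04:00", "(DSHIELD_ID)", CUTOFF):
        print(rec)
```

Run as-is it prints exactly the PARSE RESULT record for the 13:55:21 line; the 01:00:00 line is dropped by the cut-off and the 192.168.1.5 line by the source exclusion. Checking the Dec 28 Bogon line from the thread the same way shows why its SRC=10.0.0.53 survives: the source list starts at 010.002.000.000, and 10.0.0.0-10.1.255.255 appears only in the target list. The `norm` step matters in practice: the debug output prints zero-padded octets, and `ipaddress.ip_address` rejects those as ambiguous.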


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David Cary Hart
Sent: Wednesday, June 08, 2005 9:22 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Iptables parsing

On Wed, 2005-06-08 at 18:01 -0400, Don wrote:
> I have been submitting my logs some time now from Iptables and a Dlink box.
> I noticed recently that the Dlink messages seem to parse correctly for
> submission but the Iptables input always seems to come back with no lines
> being submitted. Has anyone else seen this behavior, or did I miss something
> in the archives...
> 
You might want to post your conf file. Possibly, there's an error.
- 
Multi-RBL Check:         http://www.TQMcube.com/rblcheck.htm
Kill Spam at the Source: http://www.TQMcube.com/spam_trap.htm
Today's Spam Trap Adds:  http://www.TQMcube.com/BlockedToday
RBLDNSD HowTo:           http://www.TQMcube.com/rbldnsd.htm