[Dshield] Iptables parsing

Don don at thewilders.org
Fri Jun 10 11:25:42 GMT 2005


Thanks all,

I found my error... Was in my firewall script. I wasn't logging anything
except ICMP special types. 

Perhaps the ICMP rejects could be added to the "Dshield Submission
Confirmation Reports" as rejected? I saw log lines going in and nothing
being added or rejected, so I thought something was wrong with the parser. I
was however seeing the ICMP being rejected in the Dlink logs that were
submitted so perhaps it's just the Iptables parser at dshield that needs the
patch. :)

Don

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Johannes B. Ullrich
Sent: Friday, June 10, 2005 7:16 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Iptables parsing


> 
> Correct me if I'm wrong folks but Dshield excludes ICMP.
> 

We stopped accepting ICMP as Nachi came out and ICMP traffic went through
the roof. I guess I should try to turn it on again. Not sure how much ICMP
we get these days. Some of the ICMP traffic is useful to us (e.g. ICMP
other than echo request / reply, and echo request to broadcast ips and
such).



> 
>>None of this shows up as being reported in my database. The reports I 
>>get back (when I get one back) always show 0 lines imported. Whereas
> 
> 
>>Where as the output from my Dlink router does get entered into the
>>database:
> 
> 
>>Jun/08/2005 14:59:37
>> Drop UDP packet from WAN src:61.152.158.126:58033 
>>dst:68.106.147.232:1029
>>Rule: Default deny
>>Jun/08/2005 14:59:37
>> Drop UDP packet from WAN src:61.152.158.126:58033 
>>dst:68.106.147.232:1026
>>Rule: Default deny
>>Jun/08/2005 14:58:35
>> Drop UDP packet from WAN src:204.253.46.76:20148 
>>dst:68.106.147.232:1026
>>Rule: Default deny
> 
> 
>>Lines written to database (up to 10):
>>Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53
>>DST=224.0.0.251 LEN=114 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP
>>SPT=5353 DPT=5353 LEN=94
>>
>>Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53
>>DST=224.0.0.251 LEN=132 TOS=0x00 PREC=0x00 TTL=255 ID=1 DF PROTO=UDP
>>SPT=5353 DPT=5353 LEN=112
>>
> 
> You have an inconsistency - UDP vs ICMP.
> 

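The accept/reject behaviour discussed in this thread, as an added example that is not DShield's parser and not code from either poster: a small Python routine that parses iptables LOG lines like the ones quoted above, keeps the duplicated LEN=/ID= fields apart, and classifies every line as imported or rejected with a reason, so an ICMP line shows up as rejected in a confirmation report instead of vanishing. The third sample line, the `accept_icmp` switch and the reject reason strings are assumptions made for this example.

```python
import re

# Constructed sample input: the two UDP lines quoted in the thread plus one
# ICMP echo-request line made up here in the same iptables LOG format.
SAMPLE_LOG = """\
Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53 DST=224.0.0.251 LEN=114 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=94
Dec 28 21:24:46 gw kernel: Bogon Drop IN= OUT=eth0 SRC=10.0.0.53 DST=224.0.0.251 LEN=132 TOS=0x00 PREC=0x00 TTL=255 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=112
Dec 28 21:25:01 gw kernel: Bogon Drop IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.53 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=301 SEQ=1
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel:\s*(.*?)\s*(IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_iptables_line(line):
    """Return (timestamp, log prefix, [(key, value), ...]) or None for a non-LOG line.
    Pairs stay an ordered list: the kernel prints LEN= and ID= twice (IP header,
    then UDP/ICMP header), so a dict would silently keep only the second value."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2), KV_RE.findall(m.group(3))) if m else None

def first(pairs, key):  # first value for key: the IP-header one when a key repeats
    return next((v for k, v in pairs if k == key), None)

def classify(line, accept_icmp=False):
    """('imported', record) or ('rejected', reason). Every dropped line carries a
    reason, which is what a confirmation report needs to show instead of silence."""
    parsed = parse_iptables_line(line)
    if parsed is None:
        return "rejected", "not an iptables LOG line"
    ts, _prefix, pairs = parsed
    src, dst, proto = (first(pairs, k) for k in ("SRC", "DST", "PROTO"))
    if not (src and dst and proto):
        return "rejected", "missing SRC/DST/PROTO"
    if proto == "ICMP" and not accept_icmp:   # the collector policy described above
        return "rejected", "ICMP excluded by collector policy"
    return "imported", {"ts": ts, "src": src, "dst": dst, "proto": proto,
                        "spt": first(pairs, "SPT"), "dpt": first(pairs, "DPT"),
                        "icmp_type": first(pairs, "TYPE")}

def summarize(log, accept_icmp=False):
    """Per-outcome counts in the shape of a submission confirmation report."""
    report = {"imported": 0, "rejected": {}}
    for line in filter(str.strip, log.splitlines()):
        status, detail = classify(line, accept_icmp)
        if status == "imported":
            report["imported"] += 1
        else:
            report["rejected"][detail] = report["rejected"].get(detail, 0) + 1
    return report
```

Running `summarize(SAMPLE_LOG)` reports the two UDP lines as imported and the ICMP line as rejected with its reason; flipping `accept_icmp=True` imports all three.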