[Dshield] Problems DShield Framework IPtables

Algol Tradent tradent at yahoo.com
Wed Apr 23 16:43:43 GMT 2008


Greetings,

I have two issues with the DShield Framework IPtables
parser.

My Setup: I run Shorewall with ulogd under debian 4.0

I've manually tested the logfiles and they are
standard iptables logs.


1. The DShield parser seems to be hardcoded to search
for "kernel:" in each log line. Since I am using
shorewall, my log lines do not contain the word
"kernel:"
The documentation says to set line_filter if
we need to search for something different.
In my case I have set up line_filter=Shorewall:
This setting does not have the intended effect and no
lines are parsed.

Workarounds:
A. Editing the iptables.pl script directly and
replacing the "kernel:" pattern by "Shorewall:" has
the desired effect on parsing.

B. Commenting out the line that searches for "kernel:"
in iptables.pl AND setting line_filter=Shorewall: in
the config file also has the intended parsing effect.

2. I implemented workaround A mentioned above so I
can parse my logs.
However, the e-mail message that I received during my test
did NOT contain the lines in DShield format. It had
the exact same lines as the original log file.

Any help with this is highly appreciated.

From the debug file on my testing machine:

VERSION=[DShield Framework 2002-04-25 IPTABLES 2002-03-28]
-------------------------------Processing line 1-------------------------------
PARSING: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
PARSE RESULT:2008-04-20 06:41:11 -05:00|0|1|218.10.137.142|41553|xxx.xxx.xxx.xxx|1026|UDP|
WRITTEN: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
-------------------------------Processing line 2-------------------------------

Destination IP removed intentionally.

Thank you for your attention and help


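As an added illustration (not the DShield project's own iptables.pl, which is Perl), here is a small Python model of the line filter and of the DShield record format visible in the PARSE RESULT line of the debug output above. It assumes the script applies a hardcoded "kernel:" test in addition to the configured line_filter, which is consistent with the symptoms in the post but is an assumption; the sample log and the 192.0.2.10 / 198.51.100.7 addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample (not project data): line 1 is the Shorewall/ulogd record from the
# debug output with the masked destination replaced by a documentation address; lines
# 2 and 3 are made-up stock "kernel:" and non-firewall syslog lines.
SAMPLE_LOG = """\
Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=192.0.2.10 LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
Apr 20 06:42:03 kakarotto kernel: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 06:42:10 kakarotto sshd[1234]: Connection closed by 198.51.100.7
"""

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_line(line, line_filters=("kernel:",), year=2008, tz="-05:00"):
    """Turn one iptables log line into a DShield record, or return None.

    Every substring in line_filters must occur in the line. A parser that
    hardcodes "kernel:" and also applies the configured line_filter is
    modelled by passing both, which reproduces the "no lines parsed" symptom.
    """
    if not all(f in line for f in line_filters):
        return None
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, _host, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    if not {"SRC", "DST", "PROTO"}.issubset(fields):
        return None  # not a packet record (e.g. an sshd line)
    ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    # Field order as in the PARSE RESULT line of the debug file:
    # date tz | userid | count | src | sport | dst | dport | proto | flags
    return "|".join([
        ts.strftime("%Y-%m-%d %H:%M:%S") + " " + tz, "0", "1",
        fields["SRC"], fields.get("SPT", ""), fields["DST"],
        fields.get("DPT", ""), fields["PROTO"], "",
    ])

def parse_log(text, line_filters=("kernel:",)):
    """Return DShield records for every line of text that passes the filters."""
    recs = (parse_line(l, line_filters) for l in text.splitlines())
    return [r for r in recs if r]

if __name__ == "__main__":
    print("kernel: only           ->", parse_log(SAMPLE_LOG))
    print("kernel: AND Shorewall: ->", parse_log(SAMPLE_LOG, ("kernel:", "Shorewall:")))
    print("Shorewall: only        ->", parse_log(SAMPLE_LOG, ("Shorewall:",)))
```

Running it shows the three cases from the post: the Shorewall line is skipped with the default filter, nothing is parsed when both filters must match, and only the single Shorewall: filter yields the record.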

