[Dshield] Problems DShield Framework IPtables

Tomas L. Byrnes tomb at byrneit.net
Wed Apr 23 18:17:25 GMT 2008


You could use ThreatSTOP to achieve the same result: putting the DShield
block list (and others, if you like), into your firewall.

The advantage is that it's DNS, so the scripts are simple: add the names
to chains, run a cron job to update the chains.

 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Algol Tradent
> Sent: Wednesday, April 23, 2008 9:44 AM
> To: list at lists.dshield.org
> Subject: [Dshield] Problems DShield Framework IPtables
> 
> Greetings,
> 
> I have two issues with the DShield Framework IPtables parser.
> 
> My Setup: I run Shorewall with ulogd under Debian 4.0
> 
> I've manually tested the logfiles and they are standard iptables logs.
> 
> 
> 1. The DShield parser seems to be hardcoded to search for 
> "kernel:" in each log line. Since I am using shorewall, my 
> log lines do not contain the word "kernel:"
> The documentation points out to set the line_filter if we 
> need to search for something different.
> In my case I have set up line_filter=Shorewall:
> This setting does not have the intended effect and no lines 
> are parsed.
> 
> Workarounds:
> A. Editing the iptables.pl script directly and replacing the 
> "kernel:" pattern by "Shorewall:" has the desired effect on parsing.
> 
> B. Commenting out the line that searches for "kernel:"
> in iptables.pl AND setting line_filter=Shorewall: in the 
> config file also has the intended parsing effect.
> 
> 2. I implemented the workaround A mentioned above so I can 
> parse my logs.
> However, the e-mail message that I received on my test did 
> NOT contain the lines in DShield format. It had the exact 
> same lines as the original log file.
> 
> Any help with this is highly appreciated.
> 
> From the debug file on my testing machine:
> 
> VERSION=[DShield Framework 2002-04-25 IPTABLES 2002-03-28]
> -------------------------------Processing line 1-------------------------------
> PARSING: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00  SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> PARSE RESULT:2008-04-20 06:41:11 -05:00|0|1|218.10.137.142|41553|xxx.xxx.xxx.xxx|1026|UDP|
> WRITTEN: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00  SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> -------------------------------Processing line 2-------------------------------
> 
> Destination IP removed intentionally.
> 
> Thank you for your attention and help
> 
> 
> 

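The quoted report boils down to a gate that never moves: the parser checks for a hard-coded "kernel:" before it ever looks at line_filter, so Shorewall lines are dropped even when line_filter=Shorewall: is configured, and the result that should have been mailed is the pipe-delimited PARSE RESULT, not the raw log line. The following Python is an added illustration, not code from the DShield Framework or from either poster: it makes line_filter the only gate and emits the record in the field order shown by the PARSE RESULT above. The user id 0 and count 1 are copied from that output; the year and the -05:00 offset are caller-supplied because syslog lines carry neither, and the empty trailing flags field follows the sample, which has no TCP flags.

```python
import re
from datetime import datetime

# Constructed sample: the Shorewall/ulogd line quoted in the message above,
# re-joined onto one line (the destination was masked by the original poster).
SAMPLE_LINE = ("Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= "
               "MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 "
               "DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF "
               "PROTO=UDP SPT=41553 DPT=1026 LEN=465")

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# syslog prefix (month, day, time, host), then the netfilter key=value payload
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, line_filter="kernel:", year=2008, tz="-05:00", user_id="0"):
    """Convert one netfilter log line to a DShield pipe-delimited record.

    line_filter is the only gate: a line that does not contain it is skipped,
    so line_filter="Shorewall:" accepts Shorewall logs that never say "kernel:".
    year and tz come from the caller because syslog lines carry neither.
    """
    if line_filter not in line:
        return None
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, _host, payload = m.groups()
    fields = dict(KV_RE.findall(payload))        # the later LEN= wins; unused here
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None                              # passed the filter, but no packet
    stamp = datetime(year, MONTHS[mon], int(day), *map(int, hms.split(":")))
    # Field order follows the PARSE RESULT in the message:
    # date time tz|userid|count|src|sport|dst|dport|proto|flags
    # (userid 0 and count 1 are taken from that output; flags left empty).
    return "{:%Y-%m-%d %H:%M:%S} {}|{}|1|{}|{}|{}|{}|{}|".format(
        stamp, tz, user_id, fields["SRC"], fields.get("SPT", ""),
        fields["DST"], fields.get("DPT", ""), fields["PROTO"])


def convert_log(lines, **kwargs):
    """Run parse_line over a whole log, keeping only lines that yield a record."""
    records = (parse_line(l.rstrip("\n"), **kwargs) for l in lines)
    return [r for r in records if r is not None]


if __name__ == "__main__":
    print(convert_log([SAMPLE_LINE]))                            # [] : "kernel:" gate
    print(convert_log([SAMPLE_LINE], line_filter="Shorewall:"))  # one DShield record
```

With the default filter the Shorewall sample produces nothing, which is exactly the symptom reported; with line_filter="Shorewall:" it yields the same record the debug file shows as PARSE RESULT.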