[Dshield] Problems DShield Framework IPtables

Johannes Ullrich jullrich at sans.org
Wed Apr 23 22:07:48 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


DShield can parse iptables logs on the server. Does the "Subject" of your email say "FORMAT IPTABLES"? If so, the logs are parsed on the server.
Only if the subject says "FORMAT DSHIELD" do you need the logs in DShield format.

I can make the 'kernel:' part a configuration parameter (send me a couple of lines off-list as they show up in your syslog).


On Apr 23, 2008, at 4:32 PM, Algol Tradent wrote:

> Thank you for your answer.
>
> I guess I did not explain myself clearly enough. What
> I am trying to achieve is log submissions to DShield.
>
> I'm not interested in updating the firewall rules
> using stop lists. At least not yet ;)
>
> Thanks
>
> --- "Tomas L. Byrnes" <tomb at byrneit.net> wrote:
>
>> You could use ThreatSTOP to achieve the same result: putting the DShield
>> block list (and others, if you like), into your firewall.
>>
>> The advantage is that it's DNS, so the scripts are simple: add the names
>> to chains, run a cron job to update the chains.
>>
>>
>>
>>> -----Original Message-----
>>> From: list-bounces at lists.dshield.org
>>> [mailto:list-bounces at lists.dshield.org] On Behalf Of Algol Tradent
>>> Sent: Wednesday, April 23, 2008 9:44 AM
>>> To: list at lists.dshield.org
>>> Subject: [Dshield] Problems DShield Framework IPtables
>>>
>>> Greetings,
>>>
>>> I have two issues with the DShield Framework IPtables parser.
>>>
>>> My Setup: I run Shorewall with ulogd under Debian 4.0
>>>
>>> I've manually tested the logfiles and they are standard iptables logs.
>>>
>>>
>>> 1. The DShield parser seems to be hardcoded to search for
>>> "kernel:" in each log line. Since I am using Shorewall, my
>>> log lines do not contain the word "kernel:"
>>> The documentation points out that we should set the
>>> line_filter if we need to search for something different.
>>> In my case I have set up line_filter=Shorewall:
>>> This setting does not have the intended effect and no lines
>>> are parsed.
>>>
>>> Workarounds:
>>> A. Editing the iptables.pl script directly and replacing the
>>> "kernel:" pattern by "Shorewall:" has the desired effect on parsing.
>>>
>>> B. Commenting out the line that searches for "kernel:"
>>> in iptables.pl AND setting line_filter=Shorewall: in the
>>> config file also has the intended parsing effect.
>>>
>>> 2. I implemented workaround A mentioned above so I can
>>> parse my logs.
>>> However, the e-mail message that I received on my test did
>>> NOT contain the lines in DShield format. It had the exact
>>> same lines as the original log file.
>>>
>>> Any help with this is highly appreciated.
>>>
>>> From the debug file on my testing machine:
>>>
>>> VERSION=[DShield Framework 2002-04-25 IPTABLES 2002-03-28]
>>> -------------------------------Processing line 1-------------------------------
>>> PARSING: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
>>> PARSE RESULT:2008-04-20 06:41:11 -05:00|0|1|218.10.137.142|41553|xxx.xxx.xxx.xxx|1026|UDP|
>>> WRITTEN: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
>>> -------------------------------Processing line 2-------------------------------
>>>
>>> Destination IP removed intentionally.
>>>
>>> Thank you for your attention and help
>>>
>>> ____________________________________________________________________________________
>>> Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.
>>> http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
>>> _________________________________________
>>> SANS Security 2008 in New Orleans!! January 11-19 2008. Why
>>> freeze up north if you can be in New Orleans.
>>> http://www.sans.org/info/15826

- ---------
SANSFIRE 2008 - Washington DC; 42 courses, July 22-31; www.sans.org/info/26174

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD4DBQFID7M0PNuXYcm/v/0RA3rgAJdKQ2TZcG54qIG/xE7Un4GmEj6KAJ9EgbPk
d0bJl1+70fGlojfIZN0gXw==
=y4br
-----END PGP SIGNATURE-----
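The thread turns on two things: the framework's iptables.pl only looks at lines containing a hard-coded "kernel:" (so Shorewall/ulogd lines tagged "Shorewall:..." are silently skipped), and the DShield submission format shown in the PARSE RESULT line. The converter below is an added example written for this page; it is not iptables.pl or any other DShield Framework code, and it is in Python rather than the framework's Perl. It treats line_filter as a regular expression applied to the text after the syslog hostname, in place of the fixed "kernel:" search. The column order (timestamp with UTC offset | user id | count | source IP | source port | target IP | target port | protocol | flags) is taken from the PARSE RESULT line in the thread. Everything else is an assumption of this example and goes beyond the single UDP line quoted there: ICMP type/code are written into the port columns, TCP flags are reduced to one-letter codes, and the year and UTC offset are parameters because syslog timestamps carry neither. The log lines, hostnames and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Illustrative iptables/Shorewall log -> DShield line converter (added example).

Not the DShield Framework's iptables.pl; a stand-alone sketch of the parsing
step the thread discusses, with the "kernel:" search made configurable.
"""
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Syslog prefix "Mon DD HH:MM:SS host <rest>"; the year is not logged.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")

# Netfilter prints TCP flags as bare tokens (SYN, ACK, ...). Reducing them to
# one letter for the DShield flags column is an assumption of this example.
TCP_FLAGS = (("SYN", "S"), ("ACK", "A"), ("FIN", "F"),
             ("RST", "R"), ("PSH", "P"), ("URG", "U"))

# Constructed sample log (not captured from a real host): a Shorewall-tagged
# UDP drop in the shape quoted in the thread, a stock "kernel:" TCP line, a
# Shorewall-tagged ICMP line, and an unrelated sshd line.
SAMPLE_LOG = """\
Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 DST=192.0.2.10 LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
Apr 20 06:42:03 kakarotto kernel: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3281 DF PROTO=TCP SPT=55120 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 06:42:09 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Apr 20 06:43:00 kakarotto sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
"""


def parse_line(line, line_filter=r"kernel:", year=None, tz="-05:00", user_id=0):
    """Return one DShield-format record for a netfilter log line, or None.

    line_filter is a regex tested against the text after the hostname; it
    replaces the hard-coded "kernel:" search the thread complains about.
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    if not re.search(line_filter, rest):
        return None                      # not a firewall line under this filter
    # Collect KEY=value tokens; a repeated key (LEN=, ID=) keeps its last value.
    kv = dict(re.findall(r"\b([A-Z]+)=(\S*)", rest))
    if not all(k in kv for k in ("SRC", "DST", "PROTO")):
        return None                      # matched the filter but is not a packet log
    proto = kv["PROTO"]
    if proto == "ICMP":
        # ICMP has no ports: put type/code in the port columns (assumed convention).
        sport, dport = kv.get("TYPE", ""), kv.get("CODE", "")
    else:
        sport, dport = kv.get("SPT", ""), kv.get("DPT", "")
    tokens = set(rest.split())
    flags = ("".join(letter for name, letter in TCP_FLAGS if name in tokens)
             if proto == "TCP" else "")
    if year is None:
        year = datetime.now().year       # syslog omits the year; callers may pin it
    stamp = "%d-%02d-%02d %s %s" % (year, MONTHS[m.group("mon")],
                                    int(m.group("day")), m.group("time"), tz)
    return "|".join([stamp, str(user_id), "1", kv["SRC"], sport,
                     kv["DST"], dport, proto, flags])


def convert(log_text, line_filter=r"kernel:", year=None, tz="-05:00", user_id=0):
    """Convert every matching line of log_text; non-matching lines are dropped."""
    records = (parse_line(l, line_filter, year, tz, user_id)
               for l in log_text.splitlines())
    return [r for r in records if r]


if __name__ == "__main__":
    for flt in (r"kernel:", r"Shorewall:"):
        print("line_filter=%s" % flt)
        for rec in convert(SAMPLE_LOG, flt, year=2008):
            print("  " + rec)
```

With the default filter only the "kernel:" line survives and both Shorewall-tagged drops are lost, which is the symptom reported above; with line_filter set to "Shorewall:" the UDP line converts to the same pipe-separated record the debug file shows, and the ICMP line converts as well. The guard on SRC/DST/PROTO matters once the filter is loosened: a filter that matches non-firewall syslog lines would otherwise produce empty records. Note that, per the answer at the top of this message, none of this conversion is needed when the submission subject is "FORMAT IPTABLES", because the server parses the raw lines itself.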