[Dshield] Problems DShield Framework IPtables

Algol Tradent tradent at yahoo.com
Thu Apr 24 17:15:27 GMT 2008


Mr. Ullrich

Thank you very much for your help.

The subject line of my test message was the following:
Subject: FORMAT IPTABLES USERID 123456 TZ -05:00
VERSION DShield Framework 2002-04-25 IPTABLES 2002-03-28

I also took a look at the code of the iptables.pl and
found the comment about sending iptables logs in
original format. 

I also sent you the sample log lines off the list as
you requested.

Thank you
--- Johannes Ullrich <jullrich at sans.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
> 
> 
> DShield can parse iptables logs on the server. Does the "Subject" of
> your email say "FORMAT IPTABLES"? If so, the logs are parsed on the
> server. Only if the subject says "FORMAT DSHIELD" do you need the logs
> in DShield format.
> 
> I can make the 'kernel:' part a configuration parameter (send me a
> couple of lines off-list as they show up in your syslog).
> 
> 
> On Apr 23, 2008, at 4:32 PM, Algol Tradent wrote:
> 
> > Thank you for your answer.
> >
> > I guess I did not explain myself clearly enough. What I am trying to
> > achieve is log submissions to DShield.
> >
> > I'm not interested in updating the firewall rules using stop lists.
> > At least not yet ;)
> >
> > Thanks
> >
> > --- "Tomas L. Byrnes" <tomb at byrneit.net> wrote:
> >
> >> You could use ThreatSTOP to achieve the same result: putting the
> >> DShield block list (and others, if you like), into your firewall.
> >>
> >> The advantage is that it's DNS, so the scripts are simple: add the
> >> names to chains, run a cron job to update the chains.
> >>
> >>
> >>> -----Original Message-----
> >>> From: list-bounces at lists.dshield.org
> >>> [mailto:list-bounces at lists.dshield.org] On Behalf Of Algol Tradent
> >>> Sent: Wednesday, April 23, 2008 9:44 AM
> >>> To: list at lists.dshield.org
> >>> Subject: [Dshield] Problems DShield Framework IPtables
> >>>
> >>> Greetings,
> >>>
> >>> I have two issues with the DShield Framework IPtables parser.
> >>>
> >>> My Setup: I run Shorewall with ulogd under Debian 4.0
> >>>
> >>> I've manually tested the logfiles and they are standard iptables logs.
> >>>
> >>>
> >>> 1. The DShield parser seems to be hardcoded to search for "kernel:"
> >>> in each log line. Since I am using Shorewall, my log lines do not
> >>> contain the word "kernel:". The documentation points out to set the
> >>> line_filter if we need to search for something different.
> >>> In my case I have set line_filter=Shorewall:
> >>> This setting does not have the intended effect and no lines are parsed.
> >>>
> >>> Workarounds:
> >>> A. Editing the iptables.pl script directly and replacing the "kernel:"
> >>> pattern by "Shorewall:" has the desired effect on parsing.
> >>>
> >>> B. Commenting out the line that searches for "kernel:" in iptables.pl
> >>> AND setting line_filter=Shorewall: in the config file also has the
> >>> intended parsing effect.
> >>>
> >>> 2. I implemented workaround A mentioned above so I can parse my logs.
> >>> However, the e-mail message that I received on my test did NOT
> >>> contain the lines in DShield format. It had the exact same lines as
> >>> the original log file.
> >>>
> >>> Any help with this is highly appreciated.
> >>>
> >>> From the debug file on my testing machine:
> >>>
> >>> VERSION=[DShield Framework 2002-04-25 IPTABLES 2002-03-28]
> >>> -------------------------------Processing line 1-------------------------------
> >>> PARSING: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00  SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> >>> PARSE RESULT:2008-04-20 06:41:11 -05:00|0|1|218.10.137.142|41553|xxx.xxx.xxx.xxx|1026|UDP|
> >>> WRITTEN: Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00  SRC=218.10.137.142 DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF PROTO=UDP SPT=41553 DPT=1026 LEN=465
> >>> -------------------------------Processing line 2-------------------------------
> >>>
> >>> Destination IP removed intentionally.
> >>>
> >>> Thank you for your attention and help
> >>>
=== message truncated ===



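As an added illustration, not code from the DShield Framework or from anyone in this thread, the Python below turns a Shorewall-style iptables line into the pipe-delimited record shown in the PARSE RESULT above, with the hardcoded "kernel:" match replaced by a configurable line_filter of the kind Johannes offers to add. The record layout (date time tz|userid|count|src|sport|dst|dport|proto|flags), the config keys, the year and the ICMP type/code handling are assumptions drawn from the sample, and the log line is a constructed copy of the one quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Shorewall/ulogd line quoted in the
# thread (destination masked as in the original post).
SAMPLE_LINE = (
    "Apr 20 06:41:11 kakarotto Shorewall:net2fw:DROP: IN=eth1 OUT= "
    "MAC=00:60:97:92:44:d5:00:11:88:80:cc:27:08:00 SRC=218.10.137.142 "
    "DST=xxx.xxx.xxx.xxx LEN=485 TOS=00 PREC=0x00 TTL=40 ID=0 DF "
    "PROTO=UDP SPT=41553 DPT=1026 LEN=465"
)
# Hypothetical config: line_filter mirrors the framework setting the poster
# tried; 'year' is needed because syslog timestamps carry no year.
CONFIG = {"line_filter": "Shorewall:", "userid": "0", "tz": "-05:00", "year": 2008}

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
                       r"(?P<time>\d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(rest):
    """Collect key=value tokens; LEN appears twice (IP, then UDP), keep the first."""
    fields = {}
    for key, val in KV_RE.findall(rest):
        fields.setdefault(key, val)
    return fields


def to_dshield(line, config=CONFIG):
    """Return the DShield record 'date time tz|userid|count|src|sport|dst|dport|
    proto|flags' (layout assumed from the PARSE RESULT above), or None if skipped."""
    # The configured filter replaces the hardcoded 'kernel:' match; with the
    # filter left at 'kernel:' every Shorewall line is silently dropped.
    if config["line_filter"] not in line:
        return None
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = parse_fields(m.group("rest"))
    if any(k not in f for k in ("SRC", "DST", "PROTO")):
        return None
    stamp = f"{config['year']} {m['mon']} {m['day']} {m['time']}"
    when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    if f["PROTO"] == "ICMP":  # assumption: ICMP type/code fill the port columns
        sport, dport = f.get("TYPE", ""), f.get("CODE", "")
    else:
        sport, dport = f.get("SPT", ""), f.get("DPT", "")
    flags = ""  # the page shows no TCP flag encoding, so the column stays empty
    return "|".join([when.strftime("%Y-%m-%d %H:%M:%S") + " " + config["tz"],
                     config["userid"], "1", f["SRC"], sport, f["DST"], dport,
                     f["PROTO"], flags])
```

Running `to_dshield(SAMPLE_LINE)` reproduces the PARSE RESULT line from the debug output, while the same line with `line_filter` set to `kernel:` is dropped, which is the first problem the thread describes.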

