DShield Linux and UNIX Client Scripts
These scripts will automate the DShield submission process.
DShield.py
A Python script that parses ipchains, iptables and snort logfiles into the DShield format and mails the report to DShield. The project page carries the most recent version and the changelog. Thanks to Eelco Lempsink for contributing this client.

IPCHAINS
ipchains2dshield, a script contributed by Frank Josellis.

IPCOP
IPCop client contributed by Tom Willett: "I have modified the ipchains2dshield script and added a perl mail routine to IPCOP (will probably work with Smoothwall) linux firewall." Download ipcop-dshield.tgz, untar it and read the Dshield-install file for installation instructions.

LaBrea
DShield support has been added to Tom Liston's LaBrea by Michael Robinton. First download LaBrea from one of the LaBrea download mirror sites, then get tarpit.dshield from here. (This is an add-on to LaBrea; you must already have LaBrea installed.)

Microrouter
Download microrouter.pl, which submits Microrouter logs to DShield. Thanks to Ross E. Bergman for contributing this client.

OpenBSD
Download ipf.pl, the OpenBSD ipf client. Thanks to Ken McKinlay for this contribution.

FreeBSD
IPFW

Solaris ipfilter
Download solaris_ips.pl to assist you in submitting Solaris ipfilter logs. Thanks to Stan Sander for this contribution. Updated 8/17/2002: the script now handles log lines that have a packet count greater than 1.

Watchguard Firebox
Hans Sandsdalen's Perl client converts WatchGuard Firebox log files into DShield format and mails them to DShield. Download WG-Dshield.pl.

Configuration Hints
The general idea is that you look the scripts over and find the one that best suits your needs. Download it, read through the script, and change the configuration variables so they reflect your current setup. The first time you try the script, configure it to send a copy to yourself instead of to dshield@dshield.cirt.vt.edu. Then run the script and inspect what it sent you. If it is what you expected, reconfigure the script to send to dshield@dshield.cirt.vt.edu.

Security
Even though the easiest way to run scripts like this is to run them as root, it is always dangerous to run anything as root: a bug in a log parser, or a malformed log line crafted by an attacker, should not be able to do more than the submitting account can. Consider creating a user that has just enough privileges to run the script. This can be achieved by creating a user and group called 'dshield'. The log files have to be group-owned by 'dshield' and readable by that group but by nobody else (chmod 640). Check that your log rotation recreates the files with the same group and mode, or the cron job will silently stop finding anything to read. Create the cron job as this user.

Installing the script as a cron job
(You must be a user that has the appropriate privileges when doing this.) First check whether there are any existing cron jobs by typing crontab -l. If there are any existing jobs, make a safety backup by typing crontab -l > mycrons.cron. This will save your current list of cron jobs in mycrons.cron. Then edit the crontab with crontab -e. This will load the current list of cron jobs in your default editor (which is specified by the VISUAL or EDITOR environment variables; setting this is system dependent, and you may be able to set the variable in your .bashrc file). Now add a line to start the script:

10 3 * * * /home/dshield/bin/dshield_clean.pl

This will start the program at 03:10 AM each day. Please change the time; otherwise we will receive all logs at the same time ;-). Once you quit your editor, the new crontab will be installed. Type crontab -l to display the current crontab (i.e., what we just did). If you want to change the cron parameters, say to make the script execute more (or less) often, edit the crontab again using crontab -e and it will be reinstalled when you quit the editor. See man cron, man crontab and man 5 crontab for more information. Suggestions? Corrections? Have you written a client script? Send them to dshield@dshield.cirt.vt.edu.
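The setup described under Security and Installing the script as a cron job, as one added shell script. This is an example written for this page, not one of the DShield client scripts. It assumes, hypothetically, that the client lives at /home/dshield/bin/dshield_clean.pl (the path the crontab line above uses) and that the firewall log is /var/log/messages; both can be overridden through the LOG_FILE and CLIENT environment variables. The user-creation commands are the Linux shadow-utils ones.

```shell
#!/bin/sh
# Added example, not a DShield client script: create the least-privilege
# 'dshield' account, make the firewall log readable by that group only
# (chmod 640), and install the daily cron job at a pseudo-random time so
# that everybody's submission does not arrive at 03:10.
# Assumed (hypothetical) paths, override via environment:
LOG_FILE=${LOG_FILE:-/var/log/messages}
CLIENT=${CLIENT:-/home/dshield/bin/dshield_clean.pl}

# Print a crontab line that runs the given script once a day. Minute and
# hour are derived from the host name, so every submitter gets a different
# but stable slot instead of the "10 3 * * *" from the example above.
dshield_cron_line() {
    seed=$(uname -n | cksum | cut -d' ' -f1)
    printf '%d %d * * * %s\n' $((seed % 60)) $((seed / 60 % 24)) "$1"
}

# Return 0 if the file's mode is what chmod 640 on a group-owned log gives:
# readable by owner and group, nothing for others. Parses ls -l rather than
# stat(1) because stat's flags differ between Linux and the BSDs.
log_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?r??r?----) return 0 ;;
        *) return 1 ;;
    esac
}

# Root-only setup. groupadd/useradd are the Linux shadow-utils commands;
# on the BSDs use pw(8) or adduser(8) instead.
install_dshield() {
    [ "$(id -u)" -eq 0 ] || { echo "install_dshield must run as root" >&2; return 1; }
    getent group dshield >/dev/null 2>&1 || groupadd dshield
    id dshield >/dev/null 2>&1 || useradd -g dshield -m -s /bin/sh dshield
    chgrp dshield "$LOG_FILE"
    chmod 640 "$LOG_FILE"
    log_perms_ok "$LOG_FILE" || { echo "unexpected mode on $LOG_FILE" >&2; return 1; }
    # Keep a safety copy of any existing crontab, then append our job to it,
    # which is what the manual crontab -l / crontab -e steps above do.
    bak=$(mktemp) || return 1
    crontab -u dshield -l 2>/dev/null > "$bak" || true
    { cat "$bak"; dshield_cron_line "$CLIENT"; } | crontab -u dshield -
    echo "Backup of the previous crontab (if any) left in $bak"
}

if [ "${1:-}" = install ]; then
    install_dshield
else
    echo "Suggested crontab line for the dshield user (run '$0 install' as root to apply):"
    dshield_cron_line "$CLIENT"
fi
```

Run without arguments to see the crontab line this host would get; run with install as root to create the account, fix the log permissions and install the job. The permission check is deliberately strict: a log that is world-readable passes chmod 640 only if nobody later loosens it, so rerun log_perms_ok after each log rotation if you are unsure what your rotation tool does.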
last update: 23/Nov/2009 10:54. DShield is a Servicemark of Euclidian Consulting.