Virginia Tech DShield
Distributed Intrusion Detection System

 

 
   

What's New at DShield.cirt.vt.edu

  
   

11/25/2002 New CVTWIN converters for

  • D-Link DI-804V Router (and also the Asante FriendlyNet VR2004AC, VR2004C router)
  • Cisco ACL/IOS using Kiwi Syslog Daemon (joining the existing Cisco PIX converter)
  • Unified Kiwi "All formats" converter that will convert all supported Kiwi log formats. So you can have Kiwi collect logs from several different firewalls/routers and convert them in one CVTWIN operation.

See the CVTWIN changlog. Download CVTWIN from the Windows Clients page.

11/11/2002 More new converters in CVTWIN. New support for Microsoft ISA and Smoothwall, using Kerio Syslog Daemon. Also, a bunch of misc. fixes. Download from the Windows Clients page.

10/28/2002 Lots of changes in the CVTWIN client. New support for Norton Personal Firewall 2003, Kerio Personal Firewall version 3, Trend Micro PC-Cillin, and several Kiwi Syslog Daemon formats. Also was a major bug fix for BlackIce users. See the CVTWIN changlog. Download from the Windows Clients page.

8/20/2002 New Perl client for Watchguard Firebox on the Windows Clients and *NIX Clients page. Perl can be used on both *NIX and Windows. It is neat that way. Perl is generally already installed on *NIX systems. You can get Perl for Windows from either CYGWIN or from ActiveState.

8/19/2002 DIDSyslog is a Windows console daemon that intercepts Sonicwall syslog messages and can then submit them to DShield. Get it from our Windows Clients page.

7/28/2002 We got the attack maps fixed.

The ZoneLog ZoneAlarm log analyzer now has DShield log submission support.

7/17/2002 Mea Culpa day. The Are you cracked? page has been malfunctioning for a while and we didn't notice. The problem was that we changed our internal representation of IP addresses to be zero-padded. Then we were supposed to change the pages that queried the database to pad IP addresses before querying the database. This wasn't done properly for The "Are you cracked?" page, so it was not detecting IP addresses that are in our database. It is fixed now, so try it again....

Also, we found a problem with the Geographic Distribution of attack sources map so we deleted the existing ones that were all wrong. We are generating new maps, but this takes time. This is why the maps are missing.

6/3/2002 made some changes to the search page to deal with padded IPs. This should improve the success rate for your searches.

5/27/2002 Our ISP lost a critical piece of equipment on Sunday and due to the holiday was not able to get it fixed until late on Monday.

5/15/2002 Link Logger now supports submitting to DShield.

5/4/2002 Added new block list of IP address ranges that you might want to block. Also has a script that will automatically update iptables to use this block list.

3/10/2002 Added setup information for for ZoneAlarm Pro 3 that was released several days ago.

3/3/2002 Well not quite functioning. A user reported that Fightback Summaries aren't being displayed after you log in. We won't be able to fix this until later in the week.

3/2/2002 Our hardware is back to working normally. Login should be working. The problem with bad totals on the Top 10 Attackers page was fixed. Processing and database operations should be much faster. Please let us know at dshield@dshield.cirt.vt.edu if you still see any problems.

We have two new client additions. A converter for the current version of the McAfee Firewall is on the Windows Clients page and a user contributed parser for users of the Tiny Firewall who log to a *NIX syslog is on the Framework Client page. Thanks to Tim Rushing for contributing this parser.

2/28/2002 Belated mea culpa. We have been having system problems which caused various functions on the site to sporadically malfunction.

  • Bad totals in Top 10 Attackers page There currently is a problem with a summary table which is causing totals to display improperly on the Top 10 Attackers page. We hope to fix this shortly.

  • Log in problem For several days logging in didn't work properly, so that users would log in, but would then see no data. This is fixed now.

  • Database maintenance We had to take the database down for about 24 hours (Feb. 25-26) to rebuild the database. No database operations worked during this perion. This has been completed.

  • Slow response for database operation is because the database has grown to be very large. We have several solutions to this, but it will take several weeks to phase them in. In the meantime, rest assured that we know about the slowness situation and are dealing with it as fast as is possible.

1/17/2002. Added support for SonicWall, Asante FriendlyNET, D-Link, and SMC Barricade routers, and others. We also overhauled the Linux clients. Start the new year out right and check out our revamped selection of clients.

11/20/2001 Over the last couple days, we moved the entire DShield.cirt.vt.edu site to a brand new server. This was intended to be a slow and controlled process, but we discovered some warning signs in one disk on the old machine that caused us to accelerate this process. Sorry for some of the glitches you may have seen. Please let me know of any remaining issues. As a result, the IP address for the DShield site changed. DNS should be on a short leash and you should see the new IP address by now (12.* instead of 66.*).

10/18/2001 Added support for the Windows XP Pro Internet Connection Firewall (ICF) to the Windows Universal Firewall Client. See our instructions for setting up the Windows XP Firewall.

10/5/2001 Added support for Tiny Software WinRoute Pro to the Windows Universal Firewall Client.

9/17/2001 The Windows Universal Firewall Client now supports the McAfee Firewall.

9/10/2001 The Windows Universal Firewall Client now supports the Tiny Personal Firewall. Get it from the Windows Clients page.

9/1/2001 A new IPFW client contributed by Kevin Way is on the Linux Clients page.

8/28/2001 dbmaintenance is done. We are operating normally.

8/27/2001 db maintenence is still in progress, but we hope to be back to normal by tomorrow.

We did make progress with the new Universal Windows client. It now supports BlackIce and Linksys LogViewer, in addtion to the old Linksys SMNP Trapper and ZoneAlarm. It also now supports filtering out IP ranges that you don't want to submit to DShield. (Finally.) You can get it from the Windows Clients Page.

8/25/2001 db maintenance in progress. Normal operation will resume when this completes.

8/23/2001 New Windows client to replace the old DOS clients on the Windows Clients Page. Currently supports the Linksys Router and ZoneAlarm.

8/22/2001 I just made a few updates live:

  • My Reports: Now with more summaries and such. Let me know how it works and what is missing. It may be a bit slow at time. I am working on that...

  • Fightback: I will no longer copy you on every single fightback message sent. Instead, there is now a link at the top of the 'My Reports' page that links to a fightback summary.

In order to get to all of this, you need to have a UserID. Only reports that you submitted using this UserID will show up. On www.dshield.org, you will see a link to 'Login' (upper part of left nav bar). (If you aren't registered, the you should Sign Up first.) Once you are logged in, click on Check your reports.

Some of the summaries you are getting now:

  • Number of different attacks/attackers by date, ports, time
  • Hot links to port descriptions and IP info.
  • Sorting on each column (just click on the column header)
  • 'Severity' indicator.

... more to come...

8/8/2001 We are running in overload mode because of all the Code Red related traffic. Our processing is slower than it used to be. We are working on the problem.

On a brighter note, we now have a new Windows client for the Norton Personal firewall.

7/24/2001 We now have a client for downloading Solaris ipfilter logs. Thanks to Stan Sanders for contributing this.

And thanks to all the people who submitted Code Red logs.

7/6/2001 We are in maintenance mode. We are optimizing and rebuilding the database. The Dshield site won't be updated until later in the day. Submitted firewall logs are not lost--they just will not be processed until we are done with maintaining the database.

06/29/2001 More clients (thanks to Ken McKinlay): Checkpoint FW-1 and a new OpenBSD ipf client. See our Linux Clients page for details.

06/19/2001 We have a number of updates released today:

  1. New Client: Windows Cisco PIX Firewall

    Thanks to Richard Wheeler for this one. For details, see
    http://dshield.cirt.vt.edu/clients/win32pix.zip

  2. New Client: Linux (Perl) Cisco Router

    This client uses our new 'framework' with lots of features. expect some bugs :-(... And please report them! The new framework allows for target obfuscation, source and target filtering and more.
    http://dshield.cirt.vt.edu/clients/cisco_new.pl

  3. New Report: Finally I got the 'subnet report' finished Tim Rushing asked for. See
    http://dshield.cirt.vt.edu/subnet.php
    It can be slow for larger results. Be patient.

6/15/2001 Client for Snort Portscan logs.

6/12/2001 Client for Norton Firewall software.

6/11/2001 10 Million lines! Thanks everyone for helping us get to this big milestone!

6/7/2001 New Client. Thanks to Ross Bergman we now have a client for Compatible Systems MicroRouters.

6/4/2001 New dynamic banner. This banner will turn red whenever someone that is listed as an attacker in DShield looks at it. This is a great tool to let all the people know that have trojans running (and there ISP never told them about our fightback message). For details, see the linkback page.

5/29/2001 CISCO client. See the Howto page for details.

5/24/2001 Linux Linksys Router client. See our Linux Clients page for details.

5/22/2001 Timestamp page. This page will leave a 'mark' in your firewall log which can be used to test your clock later as you submit the log. Important: Only use this page from your firewall machine. Click here to sync your log.

5/20/2001 New snort client. Important: Please update as this client fixes a date parsing problem

5/18/2001 New country level data. Just click on any of the 'pies' on our homepage map image

5/12/2001 our new server is new and fast, but the motherboard only lasted a week and decided to self destruct. Sorry for the interruption in service.

5/9/2001 complete home page redesign. Enjoy!. We also added an annimation showing the geographic distribution of attacks over the last few days.

5/6/2001 new and faster server. We switched over to the new machine this weekend. Thanks to SANS for donating the new server.

4/30/2001 Client updates: We updated a number of clients. Please download them again if you are having problems. Most importantly, the snort client should now be complete

4/29/2001 IPtables: Linux Kernel 2.4 users can now submit logs "as is". We added it as a new supported format. Use the format "IPTABLES" in your subject line. For more details and a new client, see our Linux Client page for details.

4/11/2001 Snort client: We now support Snort logs. Download our client that will parse the logs and convert them into DShield format. We also belatedly documented PortSentry and Raptor submissions.

Improved Fightback: We have a new and improved FightBack system to forward more logs to ISPs. Nothing has changed in the way users submit logs. However, the new system greatly improves our ability to send out reports to ISPs. So you will see a lot more FightBack emails. (But only if you signed up for FightBack.) See the FightBack page for more information.

Reminder: We have some nice buttons/banners you can use on your personal web page to point to DShield. Most notably, a dynamic banner that will automatically show the #1 scanned port and the #1 attacking IP.

http://dshield.cirt.vt.edu/
Instructions are on the Link Back page.

IMPORTANT: There is a size limit for log submissions. Submissions that exceed 1 MByte will be cut off! In case you are submitting larger log files, let us know for special arrangements or break them down. (Even better: filter out noise....)

4/8/2001 In order to help debugging log parser issues, we have setup a parser-test page: http://dshield.cirt.vt.edu/testparser.php.

Just copy & paste a line from a log file, select the format and see what you get. Please let us know if you have any problems. Use this tool if you wonder why your logs are rejected.

4/7/2001 For selected report formats, we will now parse TCP flags and store them. This does not require any immediate action by you. For log formats that already include the information (Linux for example), nothing has to change on the client side. However, if you wrote your own client and are submitting in DShield format, you may want to consider to change the client.

Flags are added as an additional column. Either use just the first letter (e.g. SA in case the SYN and ACK flags are set), or just use the common three letter abbreviation separated by comma (e.g. SYN,ACK).

We will add flag information to various reports over the next few days.

Please double check your submissions to make sure nothing else got messed up during the update. Send any problems to dshield@dshield.cirt.vt.edu .

2/16/2001 We get graphic! Our Top 10 Port Report now includes little graphs showing the history for each port for the last 30 days. This is the upside.

The downside is that we had server problems today. The server was down for part of the day. No data was lost, but you may have gotten some bounced mail and refused connections. Everything should now be back to normal. Also, some of the data displayed was just plain wrong. There is nothing wrong with the database, the only problem was in our display routines. Fixed now.

We are currently trying to make these reports more meaningful and telling by excluding some ports. Port 137 is excluded from the list, because most accesses to port 137 are not attacks but are based on a Windows name lookup fluke. 'Pings' are also excluded. However, port 137 and pings are still kept in the database and can be searched for. Also, we experimented using different time frames for our top 10 ranking. So far, we settled on the last 5 days to rank ports and attacking IPs.

02/08/2001 New Banners which include the #1 attacking IP address and the most scanned port. Use it to spread the word about Dshield.cirt.vt.edu or just to add a cool feature to your web site.

Matt Fearnow at SANS launched the Consensus Intrusion Database. DShield.org is contributing its Griffin Feed to the project.

02/06/2001 ONE MILLION REPORTS !

Thanks everyone! We achieved a great milestone by adding the one millionth line of firewall logs to our database yesterday.

To take a closer look at this years submissions, we plotted this neat 3D graph.

The 30 day Port Report now includes a histogram on top. More visualization to make it easier to spot patterns. Port Report is now linked from Top Ports so you can get a 30 day history by clicking on the port number.

02/01/2001 The Rise (and Fall?) of the Ramen Worm. The image shows activity on ports commonly probed by the Ramen worm during January. Also see the earlier image of port 111 scans.

02/01/2001 Activity by Port. See how ports come in and out of favor.

01/29/2001 The Top Ten IP Addresses report now includes the number of attacked hosts and the number of submitted reports that were affected, so you can get a better idea of how widespread the "attacks" are.

01/27/2001 Lots of new stuff today

  • We added color coding to the "Check your reports" feature to indicate levels of "dangerousness" in your own firewall logs. Login to see how your firewall logs rate. Assuming that you have been submitting your firewall logs to DShield.

  • We now support PGP authentication with DShield log submissions. See How to use PGP to sign your DShield submission. Authentication is a good thing.

  • The Griffin List lists the first 100 "top attacker" summary records that we are submitting to the Griffin Project. (We'll have more information when the Griffin site goes live.)

  • New Port of the Day. Port 1080 - Proxy Servers.

  • We optimized the data base accesses so data base searchs should be much faster.

  • We belatedly realized that the "top 10" lists were really only displaying the top nine records, and had been all along. Fixed now.

  • We changed the RSS feed so that it is more RSS compliant.

01/23/2001 DShield passed 500,000 records! Thanks! Keep up with your submissions.

FEEDS! If you have a security related web site, or if you just want to add a cool feature to your family's home page, check out our data feeds. Full information is on the Using DShield's Data Feeds page. Want something special? Let us know and we will consider it.

01/17/2001 First fightback results

01/13/2001 Color coded "My Reports". We started color coding your reports based on severity. Feedback is welcome!

01/11/2001 Improved "My Reports" page. See the number of reports for each source IP you reported and the number of diffrent targets attacked by it. You need to be a registered user to review your reports.

01/08/2001 New Windows Clients:

  • Linksys Etherfast Cable/DSL router
  • Network Ice BlackIce Defender

see the Windows Clients page for details.

01/06/2001 We now accept SonicWall logs. See the How to submit your firewall logs to DShield page for details.

01/05/2001 New Windows Clients. We now have clients for the Linksys Etherfast Cable / DSL router and for Network Ice BlackIce Defender. On the Windows Clients page.

01/02/2001 To start the new year out right we did some database cleanup and cleaning up of the import scripts. As a result, the number of database entries shown on the frontpage decreased. This is mostly due to deleting incomplete entries and summarizing duplicate entries.

12/23/2000 Windows Clients!

As a special Christmas present, we offer now a client to help submitting ZoneAlarm logs

12/23/2000 We now start keeping track of times and timezones

12/18/2000 Port of the Day

Todays featured port is '137'.

12/16/2000 Two new features for registered users:

  • Check your Submissions: Now you can Login to review the last 50 log lines you submitted.
  • Fight Back: We will forward selected authenticated submissions to the ISP implicated when we detect that you have been attacked. However, we will only do so if we have your permission. Login to change your preferences. The user who submitted the report will be copied on all communications. For details see the FightBack page.

12/15/2000 New Port of the Day page which covers trends that stick out in recent submissions to DShield.

12/14/2000 New moderated mailing list. The only posts accepted are posts that directly relate to DShield. Talk about

  • DShield bugs (Are there any?)
  • DShield expansions. (What features should we add? Or delete?)
  • Log submission clients / formats. (Problems? What additional firewalls should we support?)
  • Top 10 rankings ... (Find anything interesting?)

The following topics will be rejected:

  • Firewall configurations.
  • Security problems / questions.
  • Trojan warnings.
  • Everything else not DShield related. (Use the General DShield unmoderated discussion list.)

List of DShield mailing lists and subscription/unsubscription information.

Rob Casey's DShield client is now on Freshmeat. Thanks again, Rob.

12/13/2000 Two new user contributed Linux scripts. Thanks guys.

12/12/2000 We changed the way the 'top 10' list is generated.

  • Only recent submissions are used (currently 12/01 or later.)
  • IPs that attack more than one target are ranked higher. Our previous report just added up submissions, even if they reported attacks against the same port.
  • IPs that attack more than one port are ranked higher.

12/09/2000 New articles on the DShield Press Clippings page. Also information on how to do languge translation.

We now have a client script for FreeBSD on the Clients page, thanks to Gottfried Szing

 
 

[ Home | Login | What's New | Intro | Submit | Clients | Web Submission | All Reports | Links | About | Privacy ]
  last update: 07/Nov/2009 07:25
DShield is a Servicemark of Euclidian Consulting