
SANS ISC Linux and UNIX Client Scripts



These scripts automate the DShield submission process. Each script should be configured to send its reports to reports@dshield.org.

Client Scripts

DShield.py

A Python script that parses ipchains, iptables, and snort logfiles into the DShield format and mails the report to DShield. The project page is here. Download the most recent version from here. The changelog is here. Thanks to Eelco Lempsink for contributing this client.

IPCHAINS

ipchains2dshield, a contributed script by Frank Josellis.

IPCOP

IPCop client contributed by Tom Willett. "I have modified the ipchains2dshield script and added a perl mail routine to IPCOP (will probably work with Smoothwall) linux firewall." Download ipcop-dshield.tgz, untar and read the Dshield-install file for installation instructions.

ipcop-dshield is Tom Willett's client (above) with the installation script modified to make it easier to install. Thanks to Noah Lee.

Note: the above two clients work for the older 1.2x version of IPCop that log in ipchains format. They do not work with the newer v. 1.3x version that logs in iptables format. Because IPCop is based on Smoothwall, you should be able to use our Windows Smoothwall solution.

LaBrea

DShield support has been added to Tom Liston's LaBrea by Michael Robinton. First download LaBrea from one of the LaBrea download mirror sites and then get tarpit.dshield from here. (This is an add-on to LaBrea. You must already have LaBrea installed.)

Netscreen

This Perl script is a DShield client for Netscreen firewalls. It has been tested on Netscreen ScreenOS 5.x. Download Netscreen-DShield.pl. Contributed by Eric Peek.

Compatible Systems Microrouter

Download microrouter.pl, which converts Microrouter logs to the DShield format. Thanks to Ross E. Bergman for contributing this client.

OpenBSD

Download ipf.pl, the OpenBSD ipf client. Thanks to Ken McKinlay for this contribution.

FreeBSD

  • FreeBSD 4.2 Perl script Mar 17, 2002 "I have fixed some errors and I have updated the version of the freebsd client. The latest version is available via http://yasd.dhs.org/download/dshieldconv" -Gottfried Szing
  • Contributed Script. "ipf / ipmon for FreeBSD, OpenBSD, NetBSD and UNIX ipfilter format to dshield format converter." -Dirk-Willem van Gulik
  • dshield-freebsd.pl.txt (updated June 28, 2004; previous users should update to this version) is an updated version of dshield-freebsd.dat, contributed by Joe Barbish. Download it and rename it to 'dshield-freebsd.pl'.
  • The Proactive Probing Abuse Reporting System has three components. The first component is the script that creates the email that is sent to DShield. The second component builds an email containing just the source IP addresses belonging to the user's own ISP and sends it to that ISP's abuse department. The third component builds an email containing the log data for each abuse source IP address, does a whois lookup to automatically harvest the owning ISP's abuse reporting email address, and sends the email to them.
    For FreeBSD, or any other *NIX system that uses IPFilter. Download ppars.tar.gz (June 29, 2004). Contributed by Joe Barbish.
  • FreeBSDShield (Drunkwerks Docs) is a DShield.org reporting client for FreeBSD and the ipfw firewall. It allows you to report attempted security breaches to the DShield cooperative firewall logging effort.

IPFW

  • Nathan Shanks has contributed a new version of the FreeBSD ipfw log reporter. Download ipfw2dshield.pl. Documentation is in ipfw2dshield.txt. It has been tested on FreeBSD 5.x and 6.x.
  • ipfw2dshield is a contributed script by Frank Josellis. (As for all other scripts, configure it to send logs to reports@dshield.org.)
    The ipfw2dshield client software has been updated to version 0.4 on June 2, 2004. It is available for download from http://www.dynamical-systems.org/ipfw/index.html.
    The former version was reported to show various problems, particularly on OS X. Therefore, it has been withdrawn from the server and is completely replaced. Aside from bugfixes the update provides improved installation and configuration features.

Solaris ipfilter

Download solaris_ips.pl to assist you in submitting Solaris ipfilter logs. Thanks to Stan Sander for this contribution. Updated 8/17/2002: the script now handles log lines that have a packet count greater than 1.

SUSE Firewall2

For SUSE Firewall2, contributed by Freek de Kruijf. Download suse.tar.gz.

Symantec Firewall/VPN Appliance and Nexland Router

This is a Perl script by Lars M. Hansen that takes the log files from the Symantec Firewall/VPN appliance (and also Nexland routers) and converts them into the DShield format for submission to DShield.

Get sfv-dshield.pl.gz from here.

ulogd

"This is a Perl script to upload to dshield.org the probes that have been logged by iptables using the ulogd userspace packet logging facility."

Get it from here. Thanks to John W. Palmieri for this.

Watchguard Firebox

Hans Sandsdalen's Perl client converts WatchGuard Firebox log files into the DShield format and mails them to DShield. Download WG-Dshield.pl.

Cisco 837

James has put together and outlined a process to submit Cisco 837 logs! Follow this link to learn how to submit Cisco 837 logs to DShield.

Configuration Hints

The general idea is that you look the scripts over and find one that best suits your needs. Download it and look through the script and change the configuration variables so they reflect your current reality.

The first time you try a script, you may want to configure it to send a copy to yourself instead of to reports@dshield.org. Then run the script and check what it sent you. If it is what you expected, reconfigure the script to send to reports@dshield.org.

One possible pitfall is that several of the scripts use a state file to keep track of how much of the log file has already been sent. If you just did a test run, look through the script to find out where that file is stored and erase it before you run the script again for real to submit your log to reports@dshield.org. Otherwise the lines covered by the test run will never be submitted.
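As an added illustration (not one of the contributed clients above, and not DShield's own code), this POSIX shell sketch shows the bookkeeping the hints describe: a state file holding the number of lines already reported, a dry-run mode that prints the report without touching that file, and a reset to the top of the log when the log has been rotated. The log path, state-file path, recipient and use of the local mail command are assumptions.

```shell
#!/bin/sh
# Added example: "send only what is new" bookkeeping for a DShield client.
# Assumed defaults; override via the environment.
LOGFILE="${LOGFILE:-/var/log/messages}"
STATEFILE="${STATEFILE:-/var/lib/dshield/last_line}"
RECIPIENT="${RECIPIENT:-reports@dshield.org}"

# Number of log lines reported so far; 0 when no state file exists yet.
lines_done() {
    if [ -f "$1" ]; then cat "$1"; else echo 0; fi
}

# Print the log lines not yet reported. If the log now has fewer lines than
# the state file claims (rotated or truncated), start again from line 1.
new_lines() {
    _log="$1"; _state="$2"
    _done=$(lines_done "$_state")
    _total=$(wc -l < "$_log" | tr -d ' ')
    [ "$_total" -lt "$_done" ] && _done=0
    tail -n +"$((_done + 1))" "$_log"
}

# Remember that everything currently in the log has been sent.
mark_sent() {
    wc -l < "$1" | tr -d ' ' > "$2"
}

# Mail the report read from stdin; kept separate so the transport can be swapped.
send_report() {
    mail -s "DShield report" "$1"
}

# submit LOG STATE RECIPIENT MODE
# MODE "dry"  prints the report and leaves the state file alone (test run).
# MODE "real" mails the report and then advances the state file.
submit() {
    _log="$1"; _state="$2"; _to="$3"; _mode="$4"
    _report=$(new_lines "$_log" "$_state")
    [ -z "$_report" ] && return 0
    if [ "$_mode" = "dry" ]; then
        printf '%s\n' "$_report"
    else
        printf '%s\n' "$_report" | send_report "$_to"
        mark_sent "$_log" "$_state"
    fi
}
```

Run it as `submit "$LOGFILE" "$STATEFILE" you@example.invalid dry` first, then switch the mode to `real`; because a dry run never writes the state file, there is nothing to erase before the first real submission.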

Security

Even though the easiest way to run scripts like this is to run them as root, it is always dangerous to run anything as root. Consider creating a user that has just enough privileges to run the script. This can be achieved by creating a user and group called 'dshield'. The log files have to be owned by the group 'dshield' and readable by it (chmod 640). Create the cron job as this user.

Installing the script as a cron job

(You must be a user that has the appropriate privileges when doing this.)

First check to see if there are any existing cron jobs by typing crontab -l. If there are any existing jobs, make a safety backup by typing crontab -l > mycrons.cron. This will save your current list of cron jobs in mycrons.cron.

Then edit the crontab

crontab -e

This will load the current list of cron jobs in your default editor. (Which is specified by the VISUAL or EDITOR environment variables. Setting this is system dependent. You may be able to set this variable in your .bashrc file.)

Now add a line to start the script:

10 3 * * * /home/dshield/bin/dshield_clean.pl

This will start this program at 03:10 AM each day. Please change the time. Otherwise, we will receive all logs at the same time ;-) . Once you quit your editor, this new crontab will be installed.

Type crontab -l to display the current crontab (i.e., what we just did.)

If you want to change cron parameters, say to make the script execute more (or less) often, edit the crontab using crontab -e and then install it again.

See man cron, man crontab and man crontab -S 5 for more information.


Suggestions? Corrections? Have you written a client script? Let us know!