
SANS ISC Windows Clients



Universal Client

This program allows you to configure your computer to automatically send your firewall log submissions to DShield. The client supports:

  • 8Signs Firewall
  • Agnitum Outpost
  • AnalogX PortBlocker
  • Asante FriendlyNET, D-Link, U.S. Robotics, and SMC routers using RouterLog (See Kiwi section for newer Asante and D-Link routers)
  • BlackIce PC Protection (formerly BlackIce Defender)
  • eSoft Instagate Firewall
  • Kerio (formerly Tiny) Personal Firewall
  • Kerio (formerly Tiny) Software WinRoute Pro
  • Routers and Firewalls using Kiwi Syslog Daemon
    • Asante FriendlyNet VR2004AC, VR2004C
    • Billion
    • Bintec
    • Buffalo
    • Checkpoint VPN-1 Edge
    • Cisco ACL/IOS
    • Cisco PIX
    • Clavister Firewall
    • D-Link Router
    • Fortigate
    • Gentek Router
    • IPChains
    • IPTables
    • Linksys Router
    • Level One
    • Netgear Router
    • Netscreen
    • Netopia Router
    • SMC Router
    • Smoothwall
    • Sonicwall
    • WatchGuard
    • Zyxel ZyWall Router
  • Linksys Etherfast Cable/DSL Router
  • Microsoft ISA
  • McAfee Firewall
  • Norton Personal Firewall
  • Snort
  • Sygate Personal Firewall
  • Symantec VelociRaptor Firewall
  • Tiny Personal Firewall 4.0
  • Vicom Internet Gateway
  • VisNetic (formerly Ambra) Firewall
  • Watchguard Firebox (using Kiwi Syslog Daemon)
  • Wingate Proxy Server
  • Windows XP Internet Connection Firewall (ICF)
  • ZoneAlarm

Latest version: 2.0.22, January 14, 2014 08:24 pm UTC (CVTWIN Changelog)

Download

CVTWIN-SETUP.EXE (2.2 megabytes) if you have never installed CVTWIN.
MD5SUM: 79c279f429124f2c720213085db02175 cvtwin-setup.exe
Installation instructions.

or

CVTWIN-UPDATE.ZIP (333 kilobytes) if you already have CVTWIN installed.
MD5SUM: 86c92e690848ce24473b9f53e5d3930e cvtwin-update.zip
Update instructions.

Important! Be sure to set your computer's time before you go any further!

Warning! People have been reporting problems with incomplete downloads when downloading with Internet Explorer. Use md5sum to verify that your download is complete. Alternatively, try using another browser, such as Mozilla Firefox.

CVTWIN-SETUP.EXE is currently about 2.2 megabytes in size. If Internet Explorer reports a download size of 100-200 kilobytes, you know that you have a problem.

If you have problems downloading, try clearing your browser's cache.
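
A way to run the check described above when md5sum is not at hand, as an added Python example (not part of CVTWIN or of the DShield site's own tooling): it hashes a downloaded file and compares the result with the MD5 values listed on this page, which catches a truncated transfer. The function and variable names are this example's own.

```python
import hashlib
import os

# MD5 values published on this page, keyed by lower-cased file name.
PUBLISHED_MD5 = {
    "cvtwin-setup.exe": "79c279f429124f2c720213085db02175",
    "cvtwin-update.zip": "86c92e690848ce24473b9f53e5d3930e",
}

def md5_of(path, chunk_size=64 * 1024):
    """Hash the file in chunks so the download is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_download(path, published=PUBLISHED_MD5):
    """Return (verdict, size_in_bytes, md5_hex) for a downloaded file.

    verdict is "ok", "mismatch" (truncated or altered file) or "unknown"
    (no published value for that file name).
    """
    name = os.path.basename(path).lower()   # the page writes the name in both cases
    size = os.path.getsize(path)
    actual = md5_of(path)
    expected = published.get(name)
    if expected is None:
        return "unknown", size, actual
    verdict = "ok" if actual == expected.lower() else "mismatch"
    return verdict, size, actual

if __name__ == "__main__":
    import sys
    for downloaded in sys.argv[1:]:
        verdict, size, actual = check_download(downloaded)
        print("%s: %s (%d bytes, md5 %s)" % (downloaded, verdict, size, actual))
```

A "mismatch" verdict together with a size far below the 2.2 megabytes quoted above points to the incomplete-download problem.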

Third Party Programs that Submit Firewall Logs to DShield

  • Cisco PIX firewall
    Download win32pix.zip and unzip it. Further instructions can be found in README.TXT after unzipping the file.
  • DIDSyslog is a Windows console daemon that intercepts Sonicwall syslog messages and can then submit them to DShield. Get it from here.
    View the DIDSyslog-README.txt file.
  • Link Logger now supports submitting to DShield.
    Link Logger users can download the DShieldUp module from here. Link Logger supports Linksys, Prestige/Netgear, and ZyXel ZyWall routers.
  • Client to submit logs that are produced by the US Robotics 8000 Broadband Router.
    Download usrobotics.zip and unzip it. Further instructions can be found in README.TXT after unzipping the file.
  • VisualZone Report Utility "is an intrusion analyser and report utility for ZoneAlarm and ZoneAlarm Pro." VisualZone has integrated support for DShield log submission.
  • The WallWatcher log viewer supports:
    • 2Wire 1800HW (apparently, all 2Wire routers look like this)
    • Cisco PIX
    • D-Link DFL-80, DI-804HV
    • IPTables (generic to all routers that use it)
    • Linksys (most of the ones that support external logging)
    • Netgear FR114P
    • Netscreen 5GT
    • Zyxel P334
    And maybe similar routers, too. (Updated July 15, 2004) WallWatcher has its own DShield submission module, so you don't need a separate client.
  • Watchguard users have three choices. You can use our CVTWIN, above, or you can use Peter Feltham's AWK client, or you can use Hans Sandsdalen's Perl script that was based on Peter's AWK client. The CVTWIN solution can be "set and forget" (more info), but the AWK and Perl scripts can work on either *NIX or Windows. Perl and AWK are usually already installed on *NIX systems. You can get Perl for Windows from either CYGWIN or from ActiveState. Peter's client includes instructions for obtaining and installing AWK for Windows.
  • Peter Feltham's AWK client that converts WatchGuard Firebox log files into DShield format and mails them to DShield.
    Download firebox.zip, unzip and read AWKsystem-readme.txt for instructions.
  • Hans Sandsdalen's Perl client that converts WatchGuard Firebox log files into DShield format and mails them to DShield.
    Download WG-Dshield.pl. Instructions are included for configuring for a *NIX cron job. You probably can do the same thing with Windows' Task Manager.
  • ZoneAlarm users can use ZoneLog to analyze their logs, which has DShield submission support built in.

Set Your Time

It is important for logging purposes that the clock on your machine be set as accurately as possible. ISPs need accurate time information in log lines that are sent as abuse reports so that they can identify exactly when a suspected attacker was logged in.

Configure your machine: Check your machine to see that its time settings are configured properly.

Windows XP

  • Open Control Panel -> Date/Time

    Windows time/date configuration dialog

    This much is easy enough. Do a sanity check to make sure it looks OK.

    Now make sure that the Time Zone is set correctly

    Windows time zone configuration dialog

    The Time Zone is an offset from Greenwich Mean Time. The offset is the amount of time that needs to be added to (or subtracted from) your local time to equal GMT.

    • One area of possible confusion is that Windows considers the time zone offset to be the same all year round and then internally compensates for Daylight Saving Time. GMT never changes for Daylight Saving Time. So Eastern time (shown) in Windows shows -05:00 as the offset all year long. But our logs use the actual TZ offset. So, for Eastern time, our logs will show the TZ as '-04:00' when you are in Daylight Saving Time and will show it as '-05:00' for Standard Time.

      Please verify that this is working correctly and that the time and time zone information in the logs you send is correct.

    Automatically setting your time. Windows XP can automatically synchronize your computer's time with an external time server.

    Windows time setting dialog

    Make sure that "Automatically synchronize with an Internet time server" is checked. The drop-down box allows you to choose from several time servers. If one doesn't work, then try another. Test this by clicking on the "Update Now" button. It should access the time server and reset your clock to match.

    Windows will then perform this time synchronization automatically, so you don't need to worry about it.

    Synchronize to DShield: For maximum accuracy use this special page to synchronize your machine's clock to DShield's clock. This page will leave a 'mark' in your firewall log which will be used to test your clock later as you submit the log. Important: Only access this page from your firewall machine. Click here to sync your log. (You only need to do this right after you have configured and set your clock. You don't need to do this every day.)

Windows 98, ME, NT, 2000

  • Open Control Panel -> Date/Time

    Windows time/date configuration dialog

    This much is easy enough. Do a sanity check to make sure it looks OK.

    Now make sure that the Time Zone is set correctly

    Windows time zone configuration dialog

    The Time Zone is an offset from Greenwich Mean Time. The offset is the amount of time that needs to be added to (or subtracted from) your local time to equal GMT.

    • One area of possible confusion is that Windows considers the time zone offset to be the same all year round and then internally compensates for Daylight Saving Time. GMT never changes for Daylight Saving Time. So Eastern time (shown) in Windows shows -05:00 as the offset all year long. But our logs use the actual TZ offset. So, for Eastern time, our logs will show the TZ as '-04:00' when you are in Daylight Saving Time and will show it as '-05:00' for Standard Time.

      Please verify that this is working correctly and that the time and time zone information in the logs you send is correct.

  • Set your clock: Your version of Windows doesn't have a built-in program to synchronize your time with an external time standard, so you need to get a time setting utility to synchronize your machine's clock with an external time server. I've had good luck with AboutTime, which is available from here. Use AboutTime's docs to configure it. To maintain your clock's accuracy, configure AboutTime to run from the taskbar and to periodically set the time.

    Configure AboutTime

    Put AboutTime in your Startup folder so it will be loaded when you boot. The AboutTime icon should appear in your System Tray.

    Synchronize to DShield: For maximum accuracy use this special page to synchronize your machine's clock to DShield's clock. This page will leave a 'mark' in your firewall log which will be used to test your clock later as you submit the log. Important: Only access this page from your firewall machine. Click here to sync your log. (You only need to do this right after you have configured and set your clock. You don't need to do this every day.)
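
The difference between the fixed offset Windows displays and the actual offset the logs carry, described in both time zone notes above, as an added Python example (not DShield's or CVTWIN's code): it derives the actual UTC offset for a US Eastern wall-clock time and checks timestamped lines against it. It assumes the US daylight saving rules in effect since 2007; the line layout and all names are constructed for the illustration and are not the DShield log format.

```python
from datetime import datetime, timedelta

# Fixed offset the Windows dialog shows for Eastern time all year.
EASTERN_STANDARD = timedelta(hours=-5)

def nth_sunday_2am(year, month, n):
    """02:00 local time on the n-th Sunday of the given month."""
    first = datetime(year, month, 1, 2, 0)
    days_to_sunday = (6 - first.weekday()) % 7   # Monday is 0, Sunday is 6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))

def actual_offset(local):
    """Actual UTC offset for a naive US Eastern wall-clock time.

    Assumption: US rules since 2007 (second Sunday in March to first
    Sunday in November). The repeated hour at the autumn change is
    treated as still being in daylight time.
    """
    start = nth_sunday_2am(local.year, 3, 2)
    end = nth_sunday_2am(local.year, 11, 1)
    shift = timedelta(hours=1) if start <= local < end else timedelta(0)
    return EASTERN_STANDARD + shift

def format_offset(delta):
    """Render a timedelta as +HH:MM / -HH:MM."""
    minutes = int(delta.total_seconds() // 60)
    sign = "-" if minutes < 0 else "+"
    return "%s%02d:%02d" % (sign, abs(minutes) // 60, abs(minutes) % 60)

def check_line(line):
    """Return (matches, expected_offset) for 'YYYY-MM-DD HH:MM:SS +HH:MM'."""
    date_part, time_part, logged = line.split()
    local = datetime.strptime(date_part + " " + time_part, "%Y-%m-%d %H:%M:%S")
    expected = format_offset(actual_offset(local))
    return logged == expected, expected

# Constructed sample lines (not real DShield submissions).
SAMPLE_LINES = [
    "2013-07-15 14:30:00 -04:00",   # summer, actual offset used
    "2013-07-15 14:30:00 -05:00",   # summer, fixed Windows offset used by mistake
    "2014-01-14 20:24:00 -05:00",   # winter, standard time
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ok, expected = check_line(sample)
        print("%-28s %s" % (sample, "ok" if ok else "expected " + expected))
```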