General Information On Submitting Logs To DShield
DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.
- The easiest way to submit your firewall logs to DShield is to use client software that automates the process of finding the appropriate portion of your firewall logs and automatically emails it to DShield. These are listed below.
- If none of our existing client programs will work for you, you can write your own client software.
If you have a problem getting any of our client programs to work, please write us at firstname.lastname@example.org. If you want to write your own client program, please follow our specifications (but try to use one of our pre-written programs first.)
Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.
More information about how DShield works is on our home page.
First, please sign up
You don't have to sign up in order to submit firewall logs to DShield. You can submit logs anonymously. But there are benefits to registering. Registered users
- can view the firewall logs they submitted to the DShield database (for the last 30 days.)
- can get a confirmation of their own submissions emailed to them after every submission.
- can optionally enable Fightback. We will forward selected authenticated submissions to the ISP implicated when we detect that you have been attacked. See the Fightback page for more details. Registered users can see a summary of Fightback abuse messages that have been sent on their behalf.
- will not have their submissions ignored (as anonymous submissions may be in future reports)
You register using the sign up form. You will be asked to supply your email address and your real name.
You can optionally specify if you want feedback after every submission. Feedback will be provided in the form of a brief message listing rejected lines and summarizing the submission. You will receive feedback if you
- Used a valid UserID
- Switched on 'feedback' in your user profile.
After you register you will be emailed a confirmation message. The message will contain your UserID. Use this UserID when you submit your logs.
- Message processing can take up to an hour, or possibly several hours, depending on how busy our server is. (We batch process incoming submissions.) So don't expect an immediate confirmation email.
- Don't submit duplicates: don't submit logs, or portions of logs, that have been previously submitted. Most of the existing clients take care of this automatically, but it is a concern if you are using the Web interface or are writing your own client.
- Each message will be confirmed via e-mail if a valid 'From' or 'Reply-To' address was used, and if you have enabled "Feedback" in your user profile.
Things To Look For When Examining Your Own Firewall Logs.
- Rejected DHCP packets. (You should probably not be blocking DHCP traffic if you depend on it for your IP address.)
- Rejected DNS traffic from port 53. (You shouldn't be blocking DNS traffic coming from source port 53; those are the replies to your own queries. You should be blocking traffic going to port 53.)
- Most of the clients have provisions for filtering out log lines that shouldn't be submitted. Things that should be filtered:
  - Accesses from your own ISP's servers that end up in your firewall log, for whatever reason. For example, some firewalls/routers log all activity, even if it isn't blocked. In this case, your logs would contain a lot of legitimate DHCP accesses to and from your ISP.
  - Security port scans from sites that you visit. A common example is going to a site like Shields Up and using its port scanner to trigger some log entries.
  - IRC servers often do security port scans. If you use IRC, examine your firewall logs to see if there are any scans from the IRC server that should be filtered.
  - Any security port scans that you do yourself.
  - Rejected traffic from your local network (10.x, 192.168.x). This doesn't indicate a problem for you, but DShield rejects log entries that use these address ranges, so there is no need to submit log lines that contain them.
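As an added example (not DShield's own client code), the filtering advice above applied in Python to iptables-style `KEY=VALUE` kernel log lines, which is the format assumed here: lines whose source is in 10.x or 192.168.x are dropped, DHCP and source-port-53 DNS lines are flagged for review rather than submitted, and a set of already-submitted lines stops duplicates when the same log window is processed twice. The sample log lines are constructed.

```python
import ipaddress
import re

# Constructed iptables-style kernel log lines (not from the DShield page).
SAMPLE_LOG = """\
Jan  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4321 DPT=445
Jan  5 10:01:03 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=22
Jan  5 10:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.1 DST=255.255.255.255 PROTO=UDP SPT=67 DPT=68
Jan  5 10:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.53 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=33012
Jan  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4321 DPT=445
"""

# Source ranges the page says DShield rejects; extend the list for your own LAN.
REJECTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # matches the KEY=VALUE fields


def classify(line):
    """Return 'submit', 'drop:<reason>' or 'flag:<reason>' for one log line."""
    f = dict(FIELD_RE.findall(line))
    if "SRC" not in f:
        return "drop:unparseable"
    if any(ipaddress.ip_address(f["SRC"]) in net for net in REJECTED_NETS):
        return "drop:local-network"      # DShield would reject these anyway
    proto, spt, dpt = f.get("PROTO"), f.get("SPT"), f.get("DPT")
    if proto == "UDP" and {spt, dpt} & {"67", "68"}:
        return "flag:dhcp"               # blocking DHCP you may depend on
    if proto == "UDP" and spt == "53":
        return "flag:dns-reply"          # replies from port 53 are legitimate
    return "submit"


def filter_log(text, seen):
    """Split log text into lines to submit and lines dropped or flagged.
    `seen` holds already-submitted lines and is updated, so overlapping
    log windows never produce duplicate submissions."""
    to_submit, rejected = [], []
    for line in filter(None, text.splitlines()):
        if line in seen:
            rejected.append("drop:duplicate " + line)
            continue
        seen.add(line)
        verdict = classify(line)
        if verdict == "submit":
            to_submit.append(line)
        else:
            rejected.append(verdict + " " + line)
    return to_submit, rejected
```

Persist `seen` between runs (for example, as a file of line hashes) so a client restarted on the same log file does not resend lines.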
- 8Signs Firewall
- Agnitum Outpost
- AnalogX PortBlocker
- Asante FriendlyNET, D-Link, U.S. Robotics, and SMC Barricade routers using RouterLog
- BlackIce Defender
- eSoft Instagate Firewall
- Kerio (formerly Tiny) Personal Firewall
- Kerio (formerly Tiny) Software WinRoute Pro
- Routers and Firewalls using Kiwi Syslog Daemon
- Linksys Etherfast Cable / DSL router
- Microsoft ISA
- McAfee Firewall
- Norton Personal Firewall
- Sygate Personal Firewall
- Symantec VelociRaptor Firewall
- Tiny Personal Firewall 4.0 and 5.0
- Vicom Internet Gateway
- Trend Micro PC-Cillin
- VisNetic (formerly Ambra) Firewall
- Wingate Proxy Server
- Windows XP Internet Connection Firewall (ICF)
- Cisco PIX Firewall
- DIDSyslog SonicWall Syslog Daemon
- Link Logger (Linksys, Prestige/Netgear, and ZyXel ZyWall routers)
- US Robotics 8000 router
- VisualZone Report Utility for ZoneAlarm (ZoneAlarm)
- Wallwatcher (2Wire, Cisco PIX, D-Link DFL-80, DI-804HV, IPTables, Linksys, Netgear FR114P, Netscreen 5GT, Zyxel P334 routers)
- Watchguard Firebox
- ZoneLog (For ZoneAlarm)
- Kernel packet logs as generated by Linux 2.2.x and ipchains
- Kernel packet logs as generated by Linux 2.4.x and iptables
- Ubuntu 12.04 LTS and UFW client
- Checkpoint Firewall-1 User Alerts
- Checkpoint Firewall-1 Version 4.1
- Cisco ACL
- Cisco PIX
- DLink DI-640
- Foundry Networks ServerIron
- Kerio (formerly Tiny) Firewall Syslog
- Gauntlet firewall
- Gnatbox firewall
- Linksys Etherfast Cable / DSL router
- Netgear FR114P Cable / DSL router
- NetScreen Firewall
- OpenBSD ipf logs
- OpenBSD Packet Filter logs
- pfSense Firewall
- Psionic Portsentry logs
- Snort and Snort Portscan logs
- SonicWALL logs
- Zyxel Prestige 650, 310/314 and Netgear RT310/314
- ipchains and iptables client written in Python
- Feeding DShield with OSSEC Logs
- PSAD for iptables based firewall
- IPCop Firewall
- Compatible Systems Microrouter
- Netscreen Firewalls
- Nexland Router
- FreeBSD ipf(4) and ipmon(8) logs
- IPFW logs
- Solaris ipf logs
- Symantec Firewall/VPN Appliance
- Watchguard Firebox
- Cisco 837
DShield "Universal" CVTWIN Client
Firewalls that send logs by email
Linux and UNIX DShield Clients
DShield 'Framework' Linux and UNIX clients
Developing Your Own Client Software
You may prefer to develop your own client software to aid you in submitting your log files. Please refer to our Guidelines for Developing DShield Client Software page.