SANS ISC Submit Your Firewall Logs

General Information On Submitting Logs To DShield

DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.

If you use a firewall, please submit your logs to the DShield database. Please download one of our ready-to-go client programs. Registration is encouraged, but is not required.

  • The easiest way to submit your firewall logs to DShield is to use client software that automates the process of finding the appropriate portion of your firewall logs and automatically emails it to DShield. These are listed below.
  • If none of our existing client programs will work for you, you can write your own client software.

If you have a problem getting any of our client programs to work, please let us know. If you want to write your own client program, please follow our specifications (but please try one of our pre-written programs first).

Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.

First, please sign up

You don't have to sign up in order to submit firewall logs to DShield. You can submit logs anonymously. But there are benefits to registering. Registered users

  • can view the firewall logs they submitted to the DShield database (for the last 30 days).
  • can get a confirmation of their own submissions emailed to them after every submission.
  • can optionally enable Fightback. We will forward selected authenticated submissions to the ISP implicated when we detect that you have been attacked. See the Fightback page for more details. Registered users can see a summary of Fightback abuse messages that have been sent on their behalf.
  • will not have their submissions ignored (as anonymous submissions may be in future reports)

You register using the sign up form. You will be asked to supply your email address and your real name.

You can optionally specify if you want feedback after every submission. Feedback will be provided in the form of a brief message listing rejected lines and summarizing the submission. You will receive feedback if you

  • used a valid UserID, and
  • switched on 'feedback' in your user profile.

After you register you will be emailed a confirmation message. The message will contain your UserID. Use this UserID when you submit your logs.

You can make changes to your user profile on the login page. Also, please read our Privacy Statement.

Submission Hints

  • Message processing can take up to an hour, or possibly several hours, depending on how busy our server is. (We batch process incoming submissions.) So don't expect an immediate confirmation email.
  • Don't submit duplicates. Don't submit logs, or portions of logs that have been previously submitted. Most of the existing clients take care of this automatically. But this is a concern if you are using the Web interface, or are writing your own client.
  • Each message will be confirmed via e-mail if a valid 'From' or 'Reply-To' address was used, and if you have enabled "Feedback" in your user profile.

Things To Look For When Examining Your Own Firewall Logs.

  • Rejected DHCP packets (you should probably not be blocking DHCP traffic if you depend on it for your IP address).
  • Rejected DNS traffic from source port 53 (you shouldn't be blocking DNS replies coming from port 53; you should be blocking traffic going to port 53 instead).
  • Most of the clients have provisions for filtering out log lines that shouldn't be submitted.
  • Things that should be filtered:
    • Accesses from your own ISP's servers that end up in your firewall log, for whatever reason. For example, some firewalls/routers log all activity, even if it isn't blocked. In this case, your logs would contain a lot of legitimate DHCP accesses to and from your ISP.
    • Security port scans from sites that you visit. Common examples would be going to a site like Shield's Up and using the port scanner to trigger some log entries.
    • IRC servers often do security port scans. If you use IRC, then examine your firewall logs to see if there are any scans from the IRC server that should be filtered.
    • Any security port scans that you do yourself.
    • Rejected traffic from local network (10.x, 192.168.x) (This doesn't indicate a problem for you, but DShield rejects log entries that use this address range, so there is no need to submit log lines that contain information about this address range.)
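As an added illustration of the filtering rules above (this is example code, not part of DShield or any of its clients), the following Python pre-submission filter withholds local-network sources, DHCP traffic and scans you triggered yourself, and flags blocked DNS replies for review. The log format, the sample lines and the scanner address are constructed assumptions for this example.

```python
import ipaddress

# Constructed sample lines in an assumed "TIMESTAMP ACTION SRC:SPORT -> DST:DPORT PROTO"
# form; this is not DShield's or any particular firewall's format.
SAMPLE_LOG = """\
2024-01-01T10:00:00 DROP 203.0.113.5:40123 -> 198.51.100.7:22 TCP
2024-01-01T10:00:01 DROP 192.168.1.20:5000 -> 198.51.100.7:445 TCP
2024-01-01T10:00:02 DROP 10.0.0.9:1234 -> 198.51.100.7:80 TCP
2024-01-01T10:00:03 DROP 203.0.113.53:53 -> 198.51.100.7:51234 UDP
2024-01-01T10:00:04 DROP 203.0.113.67:67 -> 198.51.100.7:68 UDP
2024-01-01T10:00:05 DROP 203.0.113.99:44444 -> 198.51.100.7:23 TCP
"""

# Placeholder: scanners you deliberately triggered (a scan-yourself site, an IRC server).
KNOWN_SCANNERS = {"203.0.113.99"}
DHCP_PORTS = {67, 68}
# Address ranges DShield rejects anyway (10.x, 192.168.x) plus the other RFC 1918 block.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, action, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src": src_ip, "sport": int(src_port), "dst": dst_ip, "dport": int(dst_port)}

def classify(rec):
    """Return 'submit' or a reason the line should be withheld or reviewed."""
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in LOCAL_NETS):
        return "drop:private-source"        # DShield rejects these; no need to send them
    if rec["sport"] in DHCP_PORTS or rec["dport"] in DHCP_PORTS:
        return "drop:dhcp"                  # your ISP's DHCP traffic, not an intrusion attempt
    if rec["src"] in KNOWN_SCANNERS:
        return "drop:known-scanner"         # a scan you asked for
    if rec["proto"] == "UDP" and rec["sport"] == 53:
        return "review:dns-reply-blocked"   # likely a reply to your own query; fix the rule instead
    return "submit"

def filter_log(text):
    """Return the lines worth submitting plus a count of withheld lines per reason."""
    keep, reasons = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict = classify(parse_line(line))
        if verdict == "submit":
            keep.append(line)
        else:
            reasons[verdict] = reasons.get(verdict, 0) + 1
    return keep, reasons
```

Run `filter_log(SAMPLE_LOG)` on the constructed input: only the first line survives, and the summary of withheld lines tells you which firewall rules to revisit before submitting real logs.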

Clients

We offer DShield Sensor clients for various platforms.

Windows

We provide a universal DShield CVTWIN Client which supports most Windows applications as well as Routers and Firewalls using Kiwi Syslog Daemon.

Third Party Windows Clients

Firewalls that send logs by email

Linux and UNIX DShield Clients

We provide a Linux & Unix Client Framework which supports many applications. We also provide a slightly modified version of our framework for easy implementation on Ubuntu 12.04 LTS.

User contributed Linux & UNIX clients

Developing Your Own Client Software

You may prefer to develop your own client software to aid you in submitting your log files. Please refer to our Guidelines for Developing DShield Client Software page.