Submit Dshield ASA Logs

Recently I made some small modifications to the DShield Linux Cisco PIX submission Perl script (https://www.dshield.org/clients/framework/cisco.tar.gz). This allows anyone with an ASA or Cisco Security Manager (CSM) to submit logs to the project with ease.

  1. Set up the ASA or CSM to syslog to a server. (http://bit.ly/1AF6vOv)

  2. Edit the config in dshield.cnf and place it into /etc/

     Note: If sending emails, you need an SMTP setup. This script does not have it built in.

  3. Set up a cron job to submit the logs.


Troubleshooting

  • Initially it's best to have it cc you the logs so you can validate that everything is working via the dshield.cnf file.


  • If using postfix, make sure that the message size limit is very high: the script does not attach a compressed file, it actually puts the logs in the body of the email. The default size limit is 10MB.

    • /etc/postfix/main.cf

    • message_size_limit =


  • If the email goes through, check the ISC portal under My Account -> My Reports. You should see when you last submitted logs. The website may lag several hours behind, so don’t worry on your first submission if it takes a bit.
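Because the script mails the logs in the message body, a submission can be silently rejected by postfix once the log grows past message_size_limit. The pre-flight check below is an added example (not part of the diary or the DShield client script): it reads the effective limit from main.cf, falls back to postfix's 10MB default when the key is unset, and warns before the cron job sends a log that will not fit. The log path on the command line is an assumption.

```shell
#!/bin/sh
# Added example: verify postfix can carry the ASA syslog file the cron job
# is about to submit. Not part of the DShield client or the ISC diary.

# Postfix's built-in default when message_size_limit is not set (10240000
# bytes, the 10MB mentioned in the troubleshooting notes).
POSTFIX_DEFAULT_LIMIT=10240000

# postfix_size_limit MAIN_CF -> prints the effective message_size_limit in bytes.
# Postfix honours the last definition, so the last match in the file wins.
postfix_size_limit() {
    main_cf="$1"
    limit=$(sed -n 's/^[[:space:]]*message_size_limit[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$main_cf" 2>/dev/null | tail -n 1)
    if [ -z "$limit" ]; then
        limit=$POSTFIX_DEFAULT_LIMIT
    fi
    echo "$limit"
}

# log_fits_limit LOGFILE MAIN_CF -> returns 0 if the log fits with headroom,
# 1 (and a warning on stderr) if postfix would reject the submission mail.
log_fits_limit() {
    logfile="$1"
    main_cf="$2"
    size=$(wc -c < "$logfile" | tr -d ' ')
    limit=$(postfix_size_limit "$main_cf")
    # Keep 10% headroom for mail headers and the script's own text.
    budget=$((limit - limit / 10))
    if [ "$size" -gt "$budget" ]; then
        echo "WARNING: $logfile is $size bytes; postfix message_size_limit is $limit" >&2
        return 1
    fi
    return 0
}

# Usage (path is an assumption): sh check_dshield_mail.sh /var/log/asa.log
if [ -n "${1:-}" ]; then
    if log_fits_limit "$1" /etc/postfix/main.cf; then
        echo "OK: $1 fits within postfix message_size_limit"
    fi
fi
```

Run it from the same cron entry just before the DShield script, and raise message_size_limit in /etc/postfix/main.cf (then reload postfix) whenever it warns.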


Now get submitting your logs!


--

Tom Webb

ISC Handler