General Information On Submitting Logs To DShield
DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.
- The easiest way to submit your firewall logs to DShield is to use client software that automates the process of finding the appropriate portion of your firewall logs and automatically emails it to DShield. These are listed below.
- If none of our existing client programs will work for you, you can write your own client software.
If you have a problem getting any of our client programs to work, please let us know. If you want to write your own client program, please follow our specifications (but try to use one of our pre-written programs first.)
Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.
First, please sign up
You don't have to sign up in order to submit firewall logs to DShield. You can submit logs anonymously. But there are benefits to registering. Registered users
- can view the firewall logs they submitted to the DShield database (for the last 30 days.)
- can get a confirmation of their own submissions emailed to them after every submission.
- can optionally enable Fightback. We will forward selected authenticated submissions to the ISP implicated when we detect that you have been attacked. See the Fightback page for more details. Registered users can see a summary of Fightback abuse messages that have been sent on their behalf.
- will not have their submissions ignored (as anonymous submissions may be in future reports)
You register using the sign up form. You will be asked to supply your email address and your real name.
You can optionally specify if you want feedback after every submission. Feedback will be provided in the form of a brief message listing rejected lines and summarizing the submission. You will receive feedback if you
- Used a valid UserID
- Switched on 'feedback' in your user profile.
After you register you will be emailed a confirmation message. The message will contain your UserID. Use this UserID when you submit your logs.
- Message processing can take up to an hour, or possibly several hours, depending on how busy our server is. (We batch process incoming submissions.) So don't expect an immediate confirmation email.
- Don't submit duplicates. Don't submit logs, or portions of logs that have been previously submitted. Most of the existing clients take care of this automatically. But this is a concern if you are using the Web interface, or are writing your own client.
- Each message will be confirmed via e-mail if a valid 'From' or 'Reply-To' address was used, and if you have enabled "Feedback" in your user profile.
Things To Look For When Examining Your Own Firewall Logs.
- Rejected DHCP packets (You should probably not be blocking DHCP traffic if you depend on it for your IP.)
- Rejected DNS traffic from source port 53. (You shouldn't be blocking DNS traffic coming from source port 53; those are replies to your own queries. You should be blocking traffic going to destination port 53.)
- Most of the clients have provisions for filtering out log lines that shouldn't be submitted.
- Things that should be filtered:
  - Accesses from your own ISP's servers that end up in your firewall log, for whatever reason. For example, some firewalls/routers log all activity, even if it isn't blocked. In this case, your logs would contain a lot of legitimate DHCP accesses to and from your ISP.
  - Security port scans from sites that you visit. A common example would be going to a site like Shields Up and using its port scanner, which triggers log entries.
  - IRC servers often do security port scans. If you use IRC, then examine your firewall logs to see if there are any scans from the IRC server that should be filtered.
  - Any security port scans that you do yourself.
- Rejected traffic from local network (10.x, 192.168.x) (This doesn't indicate a problem for you, but DShield rejects log entries that use this address range, so there is no need to submit log lines that contain information about this address range.)
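The filtering rules above, together with the "don't submit duplicates" rule from the submission notes, are the two things a home-grown client has to get right before it sends anything. The following is an added example, not DShield's own client code and not taken from any of the clients listed on this page. It assumes netfilter/iptables-style log lines with `KEY=VALUE` fields (`SRC=`, `PROTO=`, `SPT=`, `DPT=`); the sample lines, the `known_scanners` list (your ISP's servers, IRC servers, scan sites you triggered yourself) and the 172.16.0.0/12 range (the third RFC 1918 block, which the page does not name) are assumptions made for the example.

```python
import hashlib
import ipaddress
import re

# Address ranges DShield rejects: the page names 10.x and 192.168.x; 172.16/12 is
# the third RFC 1918 block and is added here as an assumption.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
DHCP_PORTS = {67, 68}

# Matches KEY=VALUE fields in a netfilter-style log line (VALUE may be empty, e.g. OUT=).
FIELD_RE = re.compile(r"(\b[A-Z]+)=(\S*)")

# Constructed sample log lines (documentation address ranges, not real traffic).
# Line 6 is a verbatim repeat of line 1 to exercise the duplicate check.
SAMPLE_LOG = """\
Mar  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=44321 DPT=22
Mar  1 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=198.51.100.5 PROTO=TCP SPT=50000 DPT=445
Mar  1 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.1 DST=198.51.100.5 PROTO=UDP SPT=67 DPT=68
Mar  1 10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=41000
Mar  1 10:00:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 PROTO=TCP SPT=6000 DPT=1433
Mar  1 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=44321 DPT=22
"""


def parse_line(line):
    """Pull the KEY=VALUE fields out of a log line; None if it is not a firewall record."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields else None


def drop_reason(fields, known_scanners):
    """Return why a parsed record should not be submitted, or None if it is reportable."""
    try:
        src = ipaddress.ip_address(fields["SRC"])
    except ValueError:
        return "unparsable-src"
    if any(src in net for net in LOCAL_NETS):
        return "local-network-source"       # DShield rejects these anyway
    if src in known_scanners:
        return "known-scanner"              # ISP, IRC server, or a scan you requested
    spt = int(fields.get("SPT") or 0)
    dpt = int(fields.get("DPT") or 0)
    if fields.get("PROTO") == "UDP" and (spt in DHCP_PORTS or dpt in DHCP_PORTS):
        return "dhcp"                       # legitimate lease traffic to/from your ISP
    if spt == 53:
        return "dns-reply-from-port-53"     # answers to your own resolver queries
    return None


def select_for_submission(lines, known_scanners=(), submitted_hashes=None):
    """Split log lines into (keep, dropped) and remember hashes of kept lines so a
    later run over an overlapping log window does not resubmit them.

    submitted_hashes is the client's persistent state and is updated in place;
    dropped is a list of (line, reason) pairs suitable for a feedback summary."""
    if submitted_hashes is None:
        submitted_hashes = set()
    scanners = {ipaddress.ip_address(a) for a in known_scanners}
    keep, dropped = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        fields = parse_line(line)
        if fields is None:
            dropped.append((line, "not-a-firewall-record"))
            continue
        digest = hashlib.sha256(line.encode()).hexdigest()
        if digest in submitted_hashes:
            dropped.append((line, "duplicate"))
            continue
        reason = drop_reason(fields, scanners)
        if reason:
            dropped.append((line, reason))
            continue
        submitted_hashes.add(digest)
        keep.append(line)
    return keep, dropped


if __name__ == "__main__":
    state = set()
    kept, rejected = select_for_submission(SAMPLE_LOG.splitlines(),
                                           known_scanners=("203.0.113.99",), submitted_hashes=state)
    print(f"{len(kept)} line(s) to submit, {len(rejected)} dropped")
    for line, why in rejected:
        print(f"  {why:24s} {line}")
```

In a real client the `submitted_hashes` set would be written to disk between runs; hashing the whole line (timestamp included) is what makes re-reading an overlapping window of the log safe. Only the one unexplained inbound connection survives the sample: the private-source, DHCP, port-53 reply and self-triggered scan lines are all dropped, and the repeated line is caught as a duplicate.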
We offer DShield Sensor clients for various platforms. If your platform is not supported, or if you are looking for a more comprehensive solution, then please check our Raspberry Pi honeypot project for details.
We provide a universal DShield CVTWIN Client which supports most Windows applications as well as Routers and Firewalls using Kiwi Syslog Daemon.
Third Party Windows Clients
- Cisco PIX Firewall
- DIDSyslog SonicWall Syslog Daemon
- Link Logger (Linksys, Prestige/Netgear, and ZyXel ZyWall routers)
- US Robotics 8000 router
- VisualZone Report Utility for ZoneAlarm (ZoneAlarm)
- Watchguard Firebox
- ZoneLog (For ZoneAlarm)
Firewalls that send logs by email
Linux and UNIX DShield Clients
User contributed Linux & UNIX clients
- ipchains and iptables client written in Python
- Feeding DShield with OSSEC Logs
- PSAD for iptables based firewall
- IPCop Firewall
- Compatible Systems Microrouter
- Netscreen Firewalls
- Nexland Router
- FreeBSD ipf(4) and ipmon(8) logs
- IPFW logs
- Solaris ipf logs
- Symantec Firewall/VPN Appliance
- Watchguard Firebox
- Cisco 837
Developing Your Own Client Software
You may prefer to develop your own client software to aid you in submitting your log files. Please refer to our Guidelines for Developing DShield Client Software page.