
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-06-01 InfoSec Handlers Diary Blog



Submit Dshield ASA Logs

Published: 2015-06-01
Last Updated: 2015-06-01 11:34:36 UTC
by Tom Webb (Version: 1)

Recently I made some small modifications to the DShield Linux Cisco PIX submission Perl script (https://www.dshield.org/clients/framework/cisco.tar.gz). With these changes, anyone with an ASA or Cisco Security Manager (CSM) can submit logs to the project with ease.


  1. Set up the ASA or CSM to syslog to a server. (http://bit.ly/1AF6vOv)

  2. Edit the dshield.cnf configuration file and place it in /etc/

    1. Note: If sending emails, you need an SMTP server set up. This script does not have one built in.

  3. Set up a cron job to submit the logs.


Troubleshooting

  • Initially it's best to have the script cc you the logs (set this in the dshield.cnf file) so you can validate that everything is working.

  • If using Postfix, make sure that the message size limit is very high: the script does not attach a compressed file, it actually puts the logs inline in the body of the email. The Postfix default is 10 MB.

    • /etc/postfix/main.cf

    • message_size_limit =


  • If the email goes through, check the ISC portal under My Account -> My Reports. You should see when you last submitted logs. The website can lag several hours before it updates, so don't worry on the first submission if it takes a while.
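The Postfix message size point above is the one that silently breaks submissions, because the log goes inline in the mail body. As an added example (not part of this diary or of the DShield client script), here is a small pre-flight check you can run from the same cron job before the submission script: it reads `message_size_limit` from a Postfix `main.cf`, falls back to the 10 MB Postfix default when the key is absent, and warns when the day's ASA log would not fit. The log file path and the `main.cf` path are assumptions; adjust them for your setup.

```shell
#!/bin/sh
# Added example: pre-flight size check for DShield ASA log submission over Postfix.
# Not part of the ISC diary or the DShield client; paths below are hypothetical.

# Print the effective Postfix message_size_limit (bytes) from a main.cf file.
# Postfix's own default is 10240000 bytes when the key is not set.
postfix_size_limit() {
    cf="$1"
    limit=$(sed -n 's/^[[:space:]]*message_size_limit[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$cf" | tail -n 1)
    if [ -n "$limit" ]; then
        echo "$limit"
    else
        echo 10240000
    fi
}

# Succeed when a log of $1 bytes fits inside a limit of $2 bytes, keeping
# headroom for mail headers. The submission script puts the log inline in the
# message body (no compression), so the log size maps almost 1:1 to mail size.
log_fits_limit() {
    log_bytes="$1"
    limit="$2"
    headroom=65536
    [ $((log_bytes + headroom)) -le "$limit" ]
}

# Combine both: exit 0 when the log at $1 would pass the limit in main.cf at $2.
check_submission_ready() {
    logfile="$1"
    cf="$2"
    size=$(wc -c < "$logfile")
    limit=$(postfix_size_limit "$cf")
    if log_fits_limit "$size" "$limit"; then
        echo "ok: $size bytes of ASA logs fit in message_size_limit=$limit"
    else
        echo "WARNING: $size bytes exceed message_size_limit=$limit; raise it in $cf" >&2
        return 1
    fi
}

# Example cron usage (hypothetical paths): run the check, then the submission
# script only if the log will actually get through the local MTA.
#   5 0 * * * /usr/local/bin/dshield-preflight.sh /var/log/asa/asa.log /etc/postfix/main.cf \
#             && /usr/local/bin/dshield-cisco-submit.pl
if [ "$#" -eq 2 ]; then
    check_submission_ready "$1" "$2"
fi
```

Wire it in front of the submission script in the cron entry, as in the comment at the end of the block, so a log that outgrows the MTA limit produces a visible warning in cron mail instead of a silently bounced submission.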


Now get submitting your logs!


--

Tom Webb

Keywords: ASA Dshield Logging