All clients here are built using a common framework. The only difference is the actual log parser subroutine. The clients are written in Perl. A minimum Perl installation should work for each of them. No extra modules are required
Ready to run clients
Download the appropriate client:
- Linux 2.2x (ipchains)
- Linux 2.4x 2.6x 3.x (iptables) incl. IPv6 Support
- Ubuntu 12.04 LTS using the "ufw" firewall configuration tool.
- Checkpoint FW-1 User Alerts
- Checkpoint FW-1 Version 4.1 (Updated 2002-05-23)
- Cisco ACL and PIX
- DLink DI-604
- DLink DI-655
- Foundry Networks ServerIron
- Gauntlet firewall
- Gnatbox firewall
- Kerio (formerly Tiny) Firewall syslog
- Linksys Router
- Netgear FR114P Router
- Netscreen Firewall
- OpenBSD ipf
- OpenBSD Packet Filter
- pfSense firewall
- Psionic Portsentry
- Snort Portscan
- Snort 1.8
- Zyxel Prestige 650, 310/314, Netgear RT310/314
If your firewall isn't supported or if you have a problem with any of the Framework scripts, please let us know!
Framework Development Kit
If you want to develop a new client for a different firewall, or submit a bug fix for one of the existing framework clients, please download and use our Framework Development Kit. This contains a few simple scripts that we use to assemble the above clients. Life will go a lot smoother if you use this, rather then working from a modified version of one of the above scripts. Please.
Even though the easiest way to run scripts like this is to run them as root, it is always dangerous to run anything as root. Consider creating a user that has just enough privileges to run the script. This can be achieved by creating a user and group called 'dshield'. The log files have to be owned by the group 'dshield' and readable by it (chmod 640). Create the cron job as this user.
Installing the script as a cron job
- you have already read README.txt
- you put dshield.cnf.txt and the dshield*exclude.lst exclusion files in /etc
- you set 'whereto=MAIL' and the other mail variables in /etc/dshield.cnf
- you set 'verbose=y' and 'debug=Y' in /etc/dshield.cnf
- the script is named 'iptables.pl' and is in /home/dshield/bin. (Adjust as necessary.)
(You must be a user that has the appropriate privileges to read the system log file that contains the firewall logging information when doing this.)
First check to see if there are any existing cron jobs by typing
crontab -l. If there are any
existing jobs, make a safety backup by typing
crontab -l > mycrons.cron. This will
save your current list of cron jobs in
Then edit the crontab
This will load the current list of cron jobs in your default editor. (Which is specified by the VISUAL or EDITOR
environment variables. Setting this is system dependent. You may be able to set this variable in your
Now add a line to start the script:
10 3 * * * cd /home/dshield/bin; ./iptables.pl > /home/dshield/bin/iptables_debug.txt
(Substitute the name of the script you are running in place of
iptables.pl. And please change the
time. Otherwise, we will receive all logs at the same time ;-)
Once you quit your editor, this new crontab will be installed.) When this is loaded into cron, cron will execute this job at 3:10 am. This job will run the /home/dshield/bin/iptables.pl script. /home/dshield/bin/iptables.pl will read /etc/dshield.cnf for configuration information.
The output(i.e., verbose and debug) will be redirected to /home/dshield/bin/iptables_debug.txt. You can examine this in your editor. (Note that /home/dshield/bin/ipdables_debug.txt will be overwritten each time the cron job runs this job.)
crontab -l to display the current crontab (i.e., what we just did.)
If you want to change cron parameters, say to make the script execute more (or less) often, edit the crontab using
crontab -e and then install it again.
man cron, man crontab and
man crontab -S 5 for more information.