Linux Firewalls - Michael Rash [76]
Many such products can submit security alerts to DShield either via email or through a web interface. A complete listing of client programs that can submit event data to DShield can be found at http://www.dshield.org/howto.php.
The DShield database is designed as a global resource; anyone can use it to learn which IP address is attacking the greatest number of arbitrary targets, the ports and protocols most commonly attacked, and so on.
The shape of event data submitted to DShield is important. Some event data logged by firewalls or intrusion detection systems is not suitable for inclusion within the DShield database because it does not indicate malicious traffic on the open Internet. Such data might include attacks between hosts on an internal network on RFC 1918 address space, or port scans that are deliberately requested from an external site such as Shield's Up (https://www.grc.com) to test local security.
Automatic email submission of scan data to DShield is supported by psad. Once you have registered at the DShield website, you can include your username in the email submissions by editing the DSHIELD_USER_ID variable in /etc/psad/psad.conf, but DShield also accepts log information from anonymous sources, so registration is not required. By default, when DShield reporting is enabled, psad sends a submission email every six hours, but this interval can be controlled by tuning the DSHIELD_ALERT_INTERVAL variable. (psad is careful not to include scan data that originates from an RFC 1918 address or from an address that should be ignored because of a zero danger level setting in /etc/psad/auto_dl.)
Note
Although DShield reporting is not enabled by default in psad, the psad installer install.pl asks specifically whether you would like to enable it. Unless your security policy explicitly forbids the communication of security event data to DShield, I highly recommend enabling it.
DShield Reporting Format
Although DShield can accept the raw output generated by various pieces of software from Snort to iptables, it is helpful to submit data in a specific format in order to reduce the processing effort required by the DShield servers. This format requires that each security event be placed on a separate line as a tab-separated list containing the following fields:
Author (the DShield user ID, which is defaulted to zero by psad if you have not registered at http://www.dshield.org)
Count
Date (formatted as YYYY-MM-DD HH24:MI:SS Z where Z is the time zone)
Protocol (a numeric entry from /etc/protocols or the text equivalent, such as TCP)
Source IP address
Source port (or ICMP type)
Target IP address
Target port (or ICMP code)
TCP flags (only required for TCP alert data)
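As an added illustration of the field list above (this is example code written for this edition, not psad's own DShield code), the following Python builds tab-separated DShield records from iptables log lines and applies the two exclusions mentioned earlier: sources in RFC 1918 space and sources given a danger level of zero. The log lines, the year (syslog timestamps carry none), the auto_dl stand-in, the +00:00 time zone and the flag encoding (first letter of each set TCP flag, so a SYN becomes S) are all assumptions made for the example; the aggregation of identical events into one record with a Count greater than one is a design choice here, not something the text specifies.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample iptables log lines (not captured traffic). Sources use the
# RFC 5737 documentation ranges, except one RFC 1918 source added to exercise
# the exclusion rule. The year is assumed because syslog timestamps omit it.
SAMPLE_LOG = """\
Jul 17 10:21:33 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=113 ID=1234 DF PROTO=TCP SPT=4534 DPT=1434 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 17 10:21:36 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=113 ID=1235 DF PROTO=TCP SPT=4534 DPT=1434 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 17 10:22:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=51 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Jul 17 10:22:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 LEN=404 TTL=64 ID=0 DF PROTO=UDP SPT=1033 DPT=1434 LEN=384
Jul 17 10:22:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 LEN=40 TTL=200 ID=1 PROTO=TCP SPT=80 DPT=2100 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Constructed, simplified stand-in for /etc/psad/auto_dl: network -> danger
# level. A danger level of 0 means "never report this source".
AUTO_DL = {"198.51.100.200/32": 0}

# Explicit RFC 1918 networks (ipaddress.is_private would also drop the
# documentation ranges used in the sample, so it is deliberately not used).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE")
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ kernel: (.*)$")


def is_excluded(src, auto_dl):
    """True if the source must not be reported: RFC 1918 space or danger level 0."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RFC1918):
        return True
    return any(addr in ipaddress.ip_network(net) and dl == 0 for net, dl in auto_dl.items())


def parse_line(line, year):
    """Turn one iptables log line into a dict of DShield fields, or None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, clock, rest = m.groups()
    kv = dict(re.findall(r"(\w+)=(\S*)", rest))  # KEY=value tokens; later keys win
    if "PROTO" not in kv or "SRC" not in kv or "DST" not in kv:
        return None
    proto = kv["PROTO"]
    if proto == "ICMP":
        # For ICMP the port fields carry type and code instead
        sport, dport = kv.get("TYPE", ""), kv.get("CODE", "")
    else:
        sport, dport = kv.get("SPT", ""), kv.get("DPT", "")
    flags = ""
    if proto == "TCP":
        # iptables logs set flags as bare words (SYN, ACK, ...); encode as letters
        present = [f for f in TCP_FLAGS if re.search(rf"\b{f}\b", rest)]
        flags = "".join(f[0] for f in present)
    date = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"date": date, "proto": proto, "src": kv["SRC"], "sport": sport,
            "dst": kv["DST"], "dport": dport, "flags": flags}


def build_report(log_text, auto_dl, year, user_id=0, tz="+00:00"):
    """Aggregate log lines into DShield tab-separated records, one event per line."""
    counts = {}  # (proto, src, sport, dst, dport, flags) -> [count, first date]
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None or is_excluded(ev["src"], auto_dl):
            continue
        key = (ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["flags"])
        if key in counts:
            counts[key][0] += 1
        else:
            counts[key] = [1, ev["date"]]
    records = []
    for (proto, src, sport, dst, dport, flags), (count, date) in counts.items():
        stamp = date.strftime("%Y-%m-%d %H:%M:%S") + " " + tz
        # Field order: Author, Count, Date, Protocol, Src IP, Src port, Dst IP, Dst port, Flags
        records.append("\t".join([str(user_id), str(count), stamp, proto,
                                  src, sport, dst, dport, flags]))
    return records


if __name__ == "__main__":
    for rec in build_report(SAMPLE_LOG, AUTO_DL, 2007):
        print(rec)
```

Run against the sample, the two SYN probes to port 1434 collapse into one record with Count 2, the ICMP echo request becomes a record whose port fields hold type 8 and code 0 with an empty flags field, and the RFC 1918 and danger-level-zero sources are dropped before anything leaves the host.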
Sample DShield Report
If you have configured psad to send alert data to DShield, DShield will send you a daily report that summarizes all of the alert data. Below is an excerpt from a recent DShield report that I received after psad submitted 53 lines of alert data. You can see the port numbers to the left, followed by the number of packets sent to those ports, the number of source IP addresses and target IP addresses, and the service name:
For 2007-07-17 you submitted 53 packets from 23 sources hitting 1 targets.

Port  | Packets | Sources | Targets | Service     | Name
------+---------+---------+---------+-------------+-------------------------
1434  |       9 |       8 |       1 | ms-sql-m    | Microsoft-SQL-Monitor
135   |       5 |       4 |       1 | epmap       | DCE endpoint resolution
139   |       7 |       4 |       1 | netbios-ssn | NETBIOS Session Service
2100  |       3 |       2 |       1 | amiganetfs  | amiganetfs
1033  |       2 |       2 |       1 |             |
1521  |       2 |       1 |       1 | oracle      | Oracle 8 SQL (default)
Viewing psad Status Output
Because psad stores various data within the /var/log/psad directory as it monitors iptables logs, you can rummage around in this directory to get a sense of how heavily scanned your system is.
Of course, most people don't relish manually sifting through tons of /var/log/psad/ip directories and associated files, so psad automates the process by