Saturday, February 25, 2012


DShield is an extension of the SANS Internet Storm Center and is a "distributed intrusion detection system for data collection and analysis", to quote their site. What this means, quite simply, is that DShield aggregates firewall logs submitted from all over the world, analyzes them, and makes the information available to anyone to use. What you'll find on the site is trending information on what ports are being probed and attacked and who the top attackers are. What makes it really interesting (and useful) is that if you are a contributor, you can see what IP addresses have been targeting you (via the My Reports page and, if you so elect, daily summary emails).
To participate, which benefits not only yourself, but the NetSec community at large by increasing the pool of knowledge, you would do the following:

  1. Download and install a syslog server (for Windows, Kiwi from Solarwinds works well and is free).
  2. Point your broadband router firewall at it.
  3. Install the DShield client, configure it, and point it at your syslog file.
  4. Use Task Scheduler to run the client at least once a day and no more than once an hour.
I left out a whole lot of niggling details there, but it's not that difficult to get up and running, there is documentation, and help is available by sending an email to the address provided if you can't get it going. Of course, if you're using some other type of firewall (like a Linux box and iptables) or want to send anonymized logs from a commercial firewall, you'll need to do a little more to get things set up.

The client, called cvtwin, has built in support for most of the major manufacturers of broadband equipment formats. My current router is a Buffalo, and cvtwin parses the logs nicely with no tweaking needed.

You can find the information and the client for download at You'll not only get some impressive insight into who's thumping your door (without all that manual log inspection), but you'll be helping the overall security of the Internet as well. What a bargain! =-)

Monday, February 13, 2012

Using Filter Files

tcpdump will read BPFs from a file, using the -F switch, making it easy to reuse long, complex or just difficult-to-remember filters. Unfortunately, there is no way to use a multi-line file, so you must create one file per filter. To make this a little easier you can create a directory, put all your filter files in it, and then set an environment variable for it, like bpf=/home/jeff/netsec/bpf_filters. Then you can use the $bpf variable in your command. Tab completion will let you choose between similarly named filters like "syn_only" and "syn-ack_only". You'll probably want to make your filter names as intuitive as possible, but if you find yourself constructing filters that string together four or five or more conditions, giving one an (accurate) name that isn't almost as long as the filter itself can be problematic. So, another way to do this is to create a text file with a list of all your filters, giving each file a number as a name. Then, to use that filter to check for source routing, all you need to do is specify -F . Much easier than typing out a BPF like:
'ip[0] & 0x0F > 5 and (ip[20] = 0x89 or ip[20] = 0x83)'.
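To show what that source-routing filter actually tests, here is an added Python rendering of it (not from the original post) run over constructed IPv4 headers: `ip[0] & 0x0F` is the IHL, so `> 5` means options are present, and byte 20 is then the first option's type (0x89 strict source route, 0x83 loose source route). The packet builder, `ip()` helper and sample packets are all assumptions made for this illustration.

```python
import struct

# Constructed sample packets (not captures from the blog): a 20-byte IPv4 header
# with no options, and one carrying a Loose Source and Record Route option (0x83).
def build_ipv4(options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (checksum left at zero) with optional options."""
    # Options must pad the header to a multiple of 4 bytes (IHL is in 32-bit words).
    pad = (-len(options)) % 4
    options += b"\x00" * pad
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,           # version 4, IHL in 32-bit words
        0,                        # DSCP/ECN
        total_len,
        0x1234,                   # identification
        0,                        # flags / fragment offset
        64,                       # TTL
        6,                        # protocol (TCP)
        0,                        # header checksum (not computed here)
        bytes([192, 0, 2, 1]),    # source (documentation range)
        bytes([198, 51, 100, 9]), # destination (documentation range)
    )
    return header + options + payload

def ip(pkt: bytes, offset: int) -> int:
    """Mirror BPF's ip[offset]: one byte indexed from the start of the IP header."""
    return pkt[offset]

def is_source_routed(pkt: bytes) -> bool:
    """Python form of 'ip[0] & 0x0F > 5 and (ip[20] = 0x89 or ip[20] = 0x83)'."""
    if (ip(pkt, 0) & 0x0F) <= 5:
        return False              # 20-byte header, no options at all
    return ip(pkt, 20) in (0x89, 0x83)

# LSRR option: type 0x83, length 7, pointer 4, then one 4-byte hop address.
LSRR = bytes([0x83, 7, 4]) + bytes([203, 0, 113, 7])
PLAIN_PKT = build_ipv4()
LSRR_PKT = build_ipv4(options=LSRR)
# A NOP (0x01) ahead of the LSRR option: the filter only inspects byte 20,
# so this packet is NOT matched. A detection caveat worth knowing about.
NOP_PKT = build_ipv4(options=bytes([0x01]) + LSRR)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_PKT), ("lsrr", LSRR_PKT), ("nop+lsrr", NOP_PKT)):
        print(f"{name:9s} source-routed={is_source_routed(pkt)}")
```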
