General Information On Submitting Logs To DShield

DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.

If you use a firewall, please submit your logs to the DShield database. Please download one of our ready to go client programs. Registration is encouraged, but is not required.

• The easiest way to submit your firewall logs to DShield is to use client software that automates the process of finding the appropriate portion of your firewall logs and automatically emails it to DShield. These are listed below.
• If none of our existing client programs will work for you, you can write your own client software.

If you have a problem getting any of our client programs to work, please write us at info@dshield.org. If you want to write your own client program, please follow our specifications (but try to use one of our pre-written programs first.)

Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.

More information about how DShield works is on our home page.

First, please sign up

You don't have to sign up in order to submit firewall logs to DShield. You can submit logs anonymously. But there are benefits to registering. Registered users

• can view the the firewall logs they submitted to the DShield database (for the last 30 days.)
• can get a confirmation of their own submissions emailed to them after every submission.
• can optionally enable Fightback. We will forward selected authenticated submissions to the ISP implicated when we detect that you have been attacked. See the Fightback page for more details. Registered users can see a summary of Fightback abuse messages that have been sent on their behalf.
• will not have their submissions ignored (as anonymous submissions may be in future reports)

You register using the sign up form. You will be asked to supply your email address and your real name.

You can optionally specify if you want feedback after every submission. Feedback will be provided in the form of a brief message listing rejected lines and summarizing the submission. You will receive feedback if you

• Used a valid UserID
• Switched on 'feedback' in your user profile.

After you register you will be emailed a confirmation message. The message will contain your UserID. Use this UserID when you submit your logs.

You can make changes to your user profile on the login page. Also, please read our Privacy Statement.

Submission Hints

• Message processing can take up to an hour, or possibly several hours, depending on how busy our server is. (We batch process incoming submissions.) So don't expect an immediate confirmation email.
• Don't submit duplicates. Don't submit logs, or portions of logs that have been previously submitted. Most of the existing clients take care of this automatically. But this is a concern if you are using the Web interface, or are writing your own client.
• Each message will be confirmed via e-mail if a valid 'From' or 'Reply-To' address was used, and if you have enabled "Feedback" in your user profile.

Things To Look For When Examining Your Own Firewall Logs.

• Rejected DHCP packets (You should probably not be blocking DHCP traffic if you depend on it for your IP.)
• Rejected DNS traffic from port 53. (You shouldn't be blocking DNS traffic from port 53. You should be blocking traffic going to port 53.)
• Most of the clients have provisions for filtering out log lines that shouldn't be submitted.
• Things that should be filtered:

• Accesses from your own ISP's servers that end up in your firewall log, for whatever reason. For example, some firewalls/routers log all activity, even if it isn't blocked. In this case, your logs would contain a lot of legitimate DHCP accesses to and from your ISP.
• Security port scans from sites that you visit. Common examples would be going to a site like Shield's Up or Cable Modem Help and using their security port scanners.
• IRC servers often do security port scans. If you use IRC, then examine your firewall logs to see if there are any scans from the IRC server that should be filtered.
• Any security port scans that you do yourself.
• Rejected traffic from local network (10.x, 192.168.x) (This doesn't indicate a problem for you, but DShield rejects log entries that use this address range, so there is no need to submit log lines that contain information about this address range.)

Prewritten clients

Windows

DShield "Universal" CVTWIN Client
• 8Signs Firewall
• Agnitum Outpost
• AnalogX PortBlocker
• Asante FriendlyNET, D-Link, U.S. Robotics, and SMC Barricade routers using RouterLog
• BlackIce Defender
• eSoft Instagate Firewall
• Kerio (formerly Tiny) Personal Firewall
• Kerio (formerly Tiny) Software WinRoute Pro
• Routers and Firewalls using Kiwi Syslog Daemon
  • Asante FriendlyNet VR2004AC, VR2004C
  • Billion
  • Bintec
  • Buffalo
  • Checkpoint VPN-1 Edge
  • Cisco ACL (IOS)
  • Cisco PIX
  • Clavister Firewall
  • D-Link
  • Fortigte
  • Gentek
  • IPChains
  • IPTables
  • Level One
  • Linksys Router
  • m0n0wall Firewall
  • Netgear Router
  • Netscreen
  • Netopia
  • SMC
  • Smoothwall
  • Sonicwall
  • WatchGuard
  • Zyxel Zywall
• Linksys Etherfast Cable / DSL router
• Microsoft ISA
• McAfee Firewall
• Norton Personal Firewall
• Snort
• Sygate Personal Firewall
• Symantec VelociRaptor Firewall
• Tiny Personal Firewall 4.0 and 5.0
• Vicom Internet Gateway
• Trend Micro PC-Cillin
• VisNetic (formerlly Ambra) Firewall
• Wingate Proxy Server
• Windows XP Internet Connection Firewall (ICF)
• ZoneAlarm

Third Party Programs that submit Firewall Logs to DShield

• Cisco PX Firewall
• DIDSyslog SonicWall Syslog Daemon
• Link Logger (Linksys, Prestige/Netgear, and ZyXel ZyWall routers)
• US Robotics 8000 router
• VisualZone Report Utility for ZoneAlarm (ZoneAlarm)
• Wallwatcher (2Wire, Cisco PIX, D-Link DFL-80, DI-804HV, IPTables, Linksys, Netgear FR114P, Netscreen 5GT, Zyxel P334 routers)
• Watchguard Firebox
• ZoneLog (For ZoneAlarm)

Firewalls that send logs by email

• SonicWall (But see DIDSyslog, above.)
• Dlink DI614+

Linux and UNIX DShield Clients

DShield 'Framework' Linux and UNIX clients
• Kernel packet logs as generated by Linux 2.2.x and ipchains
• Kernel packet logs as generated by Linux 2.4.x and iptables
• Checkpoint Firewall-1 User Alerts
• Checkpoint Firewall-1 Version 4.1
• Cisco ACL
• Cisco PIX
• DLink DI-640
• Freesco
• Foundry Networks ServerIron
• Kerio (formally Tiny) Firewall Syslog
• Gauntlet firewall
• Gnatbox firewall
• Linksys Etherfast Cable / DSL router
• Netgear FR114P Cable / DSL router
• NetScreen Firewall
• Open BSD ipf logs
• Open BSD Packet Filter logs
• pfSense Firewall
• Psionic Portsentry logs
• Snort and Snort Portscan logs
• SonicWALL logs
• Zyxel Prestige 650, 310/314 and Netgear RT310/314

User contributed Linux and UNIX clients

• ipchains and iptables client written in Python
• IPCop Firewall
• LaBrea
• Compatible Systems Microrouter
• Netscreen Firewalls
• Nexland Router
• FreeBSD ipf(4) and ipmon(8) logs
• IPFW logs
• Solaris ipf logs
• Symantec Firewall/VPN Appliance
• ulogd
• Watchguard Firebox
• Cisco 837

Developing Your Own Client Software

You may prefer to develop your own client software to aid you in submitting your log files. Please refer to our Guidelines for Developing DShield Client Software page.