DShield Sensor Update

Published: 2023-05-14. Last Updated: 2023-05-14 16:51:43 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

This week I was reminded the web logs stored in DShield sensor were no longer using the correct location and configuration. If like me you installed your DShield sensor several months ago, it is important to regularly check our DShield-ISC Github [2] site to check for any update. Last month, some of the scripts were updated. You can update the sensor by following these steps.

Inside your "dshield" directory (the directory created above when you run git clone), run

  • cd install/dshield
  • sudo git pull
  • sudo bin/install.sh --update

An important change in the lastest update is the weblog location and new naming convention:

Old Weblog Location - /srv/www/DB/webserver.sqlite
New Weblog Location - /srv/db/isc-agent.sqlite

DShield sensor Status and Configuration

Honeypot status: sudo /srv/dshield/status.sh
Honeypot configuration: sudo cat /etc/dshield.ini

[1] https://isc.sans.edu/tools/honeypot/
[2] https://github.com/DShield-ISC/dshield
[3] https://isc.sans.edu/diary/22680/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: DShield Sensor Honeypot Logs
4 comment(s)

Comments

After the update I get <ERROR: isc-agent not running>. The directory (/srv/db) is there, but it's empty. A reinstall/reboot doesn't fix the problem. I can't find any recent info on this on-line.

rikster010

May 15th 2023
1 year ago

Ok, a re-install fixed this. Ah well: a fresh start is never bad. ;-)

rikster010

May 15th 2023
1 year ago

I know of someone else had a similar issue where the update failed to start the agent. It is also a good idea to update the OS by running:

sudo apt-get update
sudo apt-get upgrade

Guy

May 15th 2023
1 year ago

Enter comment herHey was running this same script with Debian 11 when I updated
to Debian 12 now your Dshield.py (Dshield Sensor) won't work.

https://www.dshield.org/linux_clients/

https://sourceforge.net/projects/dshieldpy/

This is the offical client linked on your page.

This same script worked with Python 2.7 I believe

Now that i am running Debian 12 and it is running
Python 3.11.2

python --version
Python 3.11.2

The script won't work.


I am running the latest version of the script too
https://sourceforge.net/projects/dshieldpy/files/latest/download
which is dshieldpy-3.2.tar.gz

python dshield.py
File "/opt/DShield.py/dshield.py", line 104
fp = os.open(options['file'], os.O_CREAT, 0600)
^
SyntaxError: leading zeros in decimal integer literals are not permitted; use an 0o prefix for octal integers


More errors showing up in my email for the crontab that
runs each night

File "/opt/DShield.py/dshield.py", line 103
fp = os.open(options['file'], os.O_CREAT, 0600)
^
SyntaxError: leading zeros in decimal integer literals are not permitted; use an 0o prefix for octal integers

It never did this in python 2.7 only once I updated to python 3.x
and Debian 12. Script worked perfectly previous to that.

I believe that something has changed in Python 3 and this
script needs to be updated.

Now the issue is that the page that you link to says the
project was last updated Last Update: 2013-03-22 it looks
like it isn't being maintained.

I believe that your script needs to be updated a bit here.
I thought I would let you know.

uname -a
Linux server1.homenet.darkshado.local 6.1.0-9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.27-1 (2023-05-08) x86_64 GNU/Linux

Can you please look into this please.

Thank you,

Jamie (she / her)

Jamie

Jul 19th 2023
1 year ago

Login here to join the discussion.


Top of page
Diary Archives