DShield Sensor Update

Published: 2023-05-14
Last Updated: 2023-05-14 16:51:43 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

This week I was reminded that the web logs stored in the DShield sensor were no longer using the correct location and configuration. If, like me, you installed your DShield sensor several months ago, it is important to regularly check our DShield-ISC GitHub [2] site for any updates. Last month, some of the scripts were updated. You can update the sensor by following these steps.

Inside your "dshield" directory (the directory created above when you ran git clone), run:

  • cd install/dshield
  • sudo git pull
  • sudo bin/install.sh --update

An important change in the latest update is the weblog location and new naming convention:

Old Weblog Location - /srv/www/DB/webserver.sqlite
New Weblog Location - /srv/db/isc-agent.sqlite
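
A quick way to confirm which of the two locations a sensor is actually using after the update. This is an added example, not part of the original diary or the DShield scripts; the function name, the optional ROOT prefix and the state names are assumptions made for illustration, and only the two database paths come from the text above.

```shell
#!/bin/sh
# Added example: classify the weblog state of a DShield sensor after an update.
# OLD_DB and NEW_DB are the two paths named in the diary; everything else
# (function name, ROOT prefix, state names) is hypothetical.
OLD_DB=/srv/www/DB/webserver.sqlite
NEW_DB=/srv/db/isc-agent.sqlite

# weblog_state [ROOT]
# ROOT is an optional prefix so the check can be run against a copy of the
# filesystem (or a test directory) instead of the live sensor.
# Prints one of:
#   updated      new database exists and is non-empty
#   stale-old    both exist, but the old file was modified more recently,
#                which suggests something is still writing to the old location
#   not-updated  only the old database has content
#   empty        no usable database in either location
weblog_state() {
    root=${1:-}
    old=$root$OLD_DB
    new=$root$NEW_DB
    if [ -s "$new" ]; then
        if [ -f "$old" ] && [ "$old" -nt "$new" ]; then
            echo stale-old
        else
            echo updated
        fi
    elif [ -f "$old" ]; then
        echo not-updated
    else
        echo empty
    fi
}

# Report the state of the sensor this script is run on.
weblog_state
```

Anything other than "updated" is a reason to rerun the update steps and check the honeypot status.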

DShield sensor Status and Configuration

Honeypot status: sudo /srv/dshield/status.sh
Honeypot configuration: sudo cat /etc/dshield.ini

[1] https://isc.sans.edu/tools/honeypot/
[2] https://github.com/DShield-ISC/dshield
[3] https://isc.sans.edu/diary/22680/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Comments

After the update I get <ERROR: isc-agent not running>. The directory (/srv/db) is there, but it's empty. A reinstall/reboot doesn't fix the problem. I can't find any recent info on this on-line.
Ok, a re-install fixed this. Ah well: a fresh start is never bad. ;-)
I know of someone else who had a similar issue where the update failed to start the agent. It is also a good idea to update the OS by running:

sudo apt-get update
sudo apt-get upgrade
