The Internet Storm Center relies heavily on firewall data to obtain an accurate measure of current Internet threats. It is particularly important to collect data from very diverse submitters, not just from a few large ones. If you are not already submitting data, here are a few tips on how to get started:
First of all: No submitter is too small. In particular cable modem / DSL user data is frequently the most interesting. We can always use more home users submitting data.
If you are able to submit from a large network, try to pick a few IP addresses (e.g. a /24) and only send data for those addresses. A simple 'grep' may be all that's needed to filter the data, and our prewritten clients can help you with that.
We are interested in rejected packets from the outermost firewall you have access to. All rejected packets that originate from outside of your network are of interest.
We do accept logs via e-mail. It is recommended that you submit your logs about once an hour, but not less than once a day. We do provide a number of scripts to automate the process.
The best reference to get you started is http://www.dshield.org/howto.php. As a quick summary:
The most popular script for Windows users is 'cvtwin'. This little taskbar application can collect logs from many sources. It also supports the Kiwi syslog daemon if you are using an appliance which sends logs via SNMP.
For unix users, we do have a little perl script "framework.pl". This script parses your log (e.g. from /var/log/messages) and can be configured to filter and anonymize records. It comes with a number of "parser functions" for different log formats.
We have started to support a few appliances which are able to send logs via e-mail directly. Please see the howto page for details. This part is still experimental.
You may also write your own script. Our format is a very simple tab delimited text file. For details, see http://www.dshield.org/specs.php.
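As an added illustration of what a submission script has to do (example code written for this page, not DShield's framework.pl or cvtwin): it parses netfilter/iptables lines as found in /var/log/messages, keeps only rejected packets that come from outside a chosen /24 and are aimed at it, optionally anonymizes the target address, and emits one tab-delimited record per packet. The sample lines, the /24, the user id, the year and time zone, the anonymization scheme and the column order are all assumptions; confirm the exact column order against specs.php before submitting.

```python
import ipaddress
import re
from datetime import datetime

# Constructed netfilter/iptables syslog lines (no real traffic); syslog lines carry
# no year or time zone, so both are assumed below.
SAMPLE_LOG = [
    "Sep 18 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=135 SYN URGP=0",
    "Sep 18 10:01:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22 SYN URGP=0",
    "Sep 18 10:01:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.77 PROTO=UDP SPT=1026 DPT=1434 LEN=384",
    "Sep 18 10:01:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.9.9.9 PROTO=TCP SPT=4322 DPT=135 SYN URGP=0",
    "Sep 18 10:01:11 fw sshd[123]: Accepted publickey for admin from 192.0.2.5",
]
MY_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed: the /24 we report on
USER_ID = "0"                                  # placeholder: your DShield user id
YEAR, TZ = 2005, "+00:00"                      # assumed; see comment above

TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")
KV_RE = re.compile(r"\b(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_line(line):
    """Return a dict for a netfilter log line, or None for any other syslog line."""
    m, kv = TS_RE.match(line), dict(KV_RE.findall(line))
    if not m or "SRC" not in kv or "DST" not in kv:
        return None
    ts = datetime.strptime(f"{YEAR} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
    tokens = set(line.split())  # bare TCP flag words such as SYN appear as tokens
    return {"time": f"{ts:%Y-%m-%d %H:%M:%S} {TZ}",
            "src": kv["SRC"], "sport": kv.get("SPT", "???"),
            "dst": kv["DST"], "dport": kv.get("DPT", "???"),
            "proto": kv.get("PROTO", "???"),
            "flags": "".join(f[0] for f in TCP_FLAGS if f in tokens)}  # "S" for SYN

def to_dshield(lines, anonymize_target=True):
    """Keep packets from outside MY_NET aimed at MY_NET; emit one tab-delimited record each.
    Column order (time, user id, count, src, sport, dst, dport, proto, flags) is assumed
    here from memory of the spec; anonymization rewrites the target's first three octets."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in MY_NET or dst not in MY_NET:  # internal source, or not our /24
            continue
        target = "10.0.0." + rec["dst"].rsplit(".", 1)[1] if anonymize_target else rec["dst"]
        out.append("\t".join([rec["time"], USER_ID, "1", rec["src"], rec["sport"],
                              target, rec["dport"], rec["proto"], rec["flags"]]))
    return out
```

Running `to_dshield(SAMPLE_LOG)` keeps only the two packets from outside addresses into 192.0.2.0/24; the internal-source line, the line aimed at another network and the sshd line are dropped.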
We do provide a number of customized analysis features for submitters, which are accessible via DShield.org. For a demo, see our demo account.
Sep 18th 2005