DShield

Posted: 05 Jan 2007, 04:44
by deadeye
I know csf allows you to use the DShield block list. Have you considered adding the ability to send firewall logs to DShield? I'm looking into doing this outside of csf, but it would be really nice if it were just a matter of enabling it in the configuration.

Posted: 18 Jan 2008, 10:22
by nabuhonodozor
I second this. It would be really good if there were an easy way, even a manual one, to send the blocked IP list from CSF to DShield.
I am encountering many attacks daily against PHP and MySQL which are detected by mod_security. There are also many login attempts, both POP3 and FTP.
Such a list of malicious IPs is valuable and should be shared among other people.

Jonathan, is it possible to add such a feature to CSF?
I mean something like a button "send to DShield"?
Or maybe you think it would clog DShield/the server or would be unwise from another point of view?

best regards,
Piotr

Posted: 10 Feb 2008, 17:45
by wolf
I think DShield is a list of IP addresses attempting DOS (denial of service) attacks and not remote file exploit attempts, which are quite commonly caught by mod_security. But you know, a website which lists such attacks would be just as useful as the DShield and SORBS lists :)

Posted: 10 Feb 2008, 21:31
by deadeye
DShield refers to themselves as a distributed intrusion detection system. They are looking for reports of anything showing up in firewall logs, not just DOS attacks.

Posted: 10 Feb 2008, 22:18
by wolf
I guess that does cover a wide spectrum of attacks.

Just wondering, if one could create a script which submits logs to be processed by DShield or any other IP block list, could one not create a script which would send spoofed logs, rendering the end data results useless to anyone?

Posted: 11 Feb 2008, 19:42
by deadeye
As with anything where you allow people to participate, I am sure the answer is yes: someone could submit spoofed logs.

I'm not sure that would really poison the end results enough to make them useless without a huge coordinated effort.

The DShield block list is only the top 20 attacking networks. I believe this is based more on the number of targets than the number of packets. Currently the lowest number of attacks from an IP on that list is 870.

The other reports that DShield provides, as well as the ability to search the database for information on a specific IP, all include the number of targets that saw attacks from that IP. I don't know how other people use the information, but I tend not to worry about IPs that show only one or two targets.

DShield log submission

Posted: 23 Jun 2008, 19:36
by Grindlay
In common with the others on this thread, I'm looking for a way to submit firewall logs to DShield. It's one of those areas where you are probably not going to make a huge difference at an individual server level, because the majority of entries in your log are from your spotty Korean schoolboy who can't get a girlfriend, but perhaps if all the CSF installs collectively submit logs, there is a "mass effect" where genuine IP-based attacks are detected, and we contribute to DShield's effectiveness.
I had a look at "How to write a DShield client":
https://secure.dshield.org/specs.html
and I thought it may be fun to have a go at this, but there is no point if someone else has already done it?
I accept that there will be a small performance overhead to your CSF set-up, but probably not that much if log submission occurs (say) once per 24h.
Cheers
Grindlay
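As an added illustration of the kind of client Grindlay is considering (this is editor-written example code, not anything from the thread, from CSF or from DShield): it parses iptables drop lines of the style CSF logs, merges identical records, and emits tab-separated rows. The field order (date, user id, count, source IP, source port, target IP, target port, protocol, flags) and the "???" placeholder for missing ports follow my reading of the linked spec and must be checked against it before real submissions; the log lines, the user id and the year are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the style of iptables drops on a CSF host (not from
# the thread). Syslog omits the year, so the caller supplies one. Line 2 is a
# retransmit identical to line 1; line 4 is not a firewall event and is skipped.
SAMPLE_LOG = [
    "Jun 23 19:36:01 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Jun 23 19:36:01 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Jun 23 19:37:10 host kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=UDP SPT=40000 DPT=53",
    "Jun 23 19:38:00 host sshd[123]: Failed password for root from 192.0.2.77 port 4444 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)

def parse_line(line, year):
    """Return (timestamp, src, sport, dst, dport, proto, flags) or None if the
    line is not an iptables drop. Timestamps are assumed to be UTC."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    flags = "S" if "SYN" in m["rest"] else ""  # only the SYN flag is mapped here
    return (ts, m["src"], m["spt"] or "???", m["dst"], m["dpt"] or "???",
            m["proto"].upper(), flags)

def to_dshield(lines, user_id, year, tz="+00:00"):
    """Format log lines as tab-separated records; identical records are merged
    and their number reported in the count field (assumed field order, see above)."""
    records = {}
    for line in lines:
        fields = parse_line(line, year)
        if fields is not None:
            records[fields] = records.get(fields, 0) + 1
    out = []
    for (ts, src, spt, dst, dpt, proto, flags), count in sorted(records.items()):
        stamp = ts.strftime("%Y-%m-%d %H:%M:%S") + " " + tz
        out.append("\t".join([stamp, user_id, str(count), src, spt, dst, dpt, proto, flags]))
    return out

if __name__ == "__main__":
    print("\n".join(to_dshield(SAMPLE_LOG, "12345", 2008)))  # "12345" is a placeholder id
```

Because the output only carries what was in your own firewall log, a reviewer can diff the submitted rows against the raw log before anything leaves the host, which is also the natural place to rate-limit to one batch per day as Grindlay suggests.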