This program is released under GNU GPL, and provided without any warranty.
In order to use the DShield agent for the Symantec Firewall/VPN appliance, you need to send the logs to a syslog daemon. Having any type of un*x box will provide you with this tool.
The program simply parses through the logfile specified, and reformats the data to match the DShield format.
I recommend editing the three variables $logfile, $timezone, $id to include your correct information. The defaults are "/var/log/firewall.log", "-05:00" and "0". Although you can use zero as the ID, you should sign up with DShield to get your own ID number.
Before you start submitting anything to DShield, test the program. Testing the program is as simple as typing "./sfv-dshield.pl" (assuming you are in the same directory as the program). If there's been anything logged in the current hour, you'll see some output. You can also specify the "--daily" switch, which will return all entries for the current day.
Since the program doesn't actually send e-mails itself, you'll have to pipe the output to the mail program. Here's a sample line:
./sfv-dshield.pl --daily | mail -s "FORMAT DSHIELD USERID 0 TZ -05:00" you@domain.com
That should deliver the report to your e-mail address.
To schedule the reporting, simply create a cron job. There are two options here: you can schedule it either hourly or daily. If you're getting a lot of activity on your firewall, then hourly might be the better solution for you, but I would generally recommend doing it on a daily basis. Here are two samples:
59 23 * * * sfv-dshield.pl --daily | mail -s "FORMAT DSHIELD USERID 0 TZ -05:00" a@b.c
59 * * * * sfv-dshield.pl | mail -s "FORMAT DSHIELD USERID 0 TZ -05:00" a@b.c
The first is for daily reporting, scheduled to run at 11:59 PM every day. The second runs one minute before every hour, every day. Note that you may have to include the full path to the program in the crontab; I've omitted it here due to horizontal space constraints.
Version 1.22 includes filtering of source IP and source port. This allows you to exclude certain IP addresses or port numbers from the report, e.g. the IP address of an online scanning service you use, or source port 80 (which is usually a "late" response from a web server rather than a probe).
Version 1.31 includes a fix for a bug that caused everything to be reported as UDP, and also translates a few more protocols to TCP.
Version 1.4 includes recognition of some ICMP messages, such as destination unreachable, time exceeded and source quench. I can only add what I see, so I might add more types as they become noticeable.
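As an added example (written in Python for this page, not the Perl script described above), here is the transformation the program performs end to end: parse deny lines from a syslog file, drop sources on the ignore list unless --noignore is given, translate service names to TCP/UDP, recognise the ICMP messages named above, and emit DShield-format records with your ID and timezone. The syslog line layout, the host name "fw" and all addresses are constructed for the example; the real appliance log format differs, and the ICMP type/code placement in the port columns is an assumption about the DShield format.

```python
import re
from collections import Counter

USER_ID = "0"              # DShield user id ($id on the page; 0 = anonymous)
TIMEZONE = "-05:00"        # appended to every timestamp ($timezone on the page)
IGNORE_SRC_IPS = {"192.0.2.10"}   # e.g. an online scanning service you use
IGNORE_SRC_PORTS = {80}           # "late" replies from web servers
# Constructed syslog layout for this example (NOT the real appliance format):
# "<date> <time> <host> sfv: denied <proto> <srcip>:<sport> -> <dstip>:<dport>"
# For ICMP, <proto> names the message and <dport> carries the ICMP code.
LINE_RE = re.compile(
    r"^(\S+ \S+) \S+ sfv: denied (\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Service names the log uses are translated to the transport DShield expects.
PROTO_MAP = {"tcp": "TCP", "http": "TCP", "smtp": "TCP", "udp": "UDP", "dns": "UDP"}
# ICMP message names -> IANA type numbers (unreachable 3, source quench 4, time exceeded 11)
ICMP_TYPES = {"icmp-unreachable": 3, "icmp-source-quench": 4, "icmp-time-exceeded": 11}

def to_dshield(lines, noignore=False):
    """Return tab-separated DShield records: 'date tz', userid, count, src ip, src port,
    dst ip, dst port, protocol. Identical events are merged into one record with a
    count; for ICMP the port columns hold type and code (assumed DShield convention)."""
    counter = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a firewall deny line
        stamp, proto, sip, sport, dip, dport = m.groups()
        if not noignore and (sip in IGNORE_SRC_IPS or int(sport) in IGNORE_SRC_PORTS):
            continue                      # --noignore switches this filter off
        if proto in ICMP_TYPES:
            key = (stamp, sip, str(ICMP_TYPES[proto]), dip, dport, "ICMP")
        else:
            key = (stamp, sip, sport, dip, dport, PROTO_MAP.get(proto, proto.upper()))
        counter[key] += 1
    return ["\t".join([f"{stamp} {TIMEZONE}", USER_ID, str(n), sip, sport, dip, dport, p])
            for (stamp, sip, sport, dip, dport, p), n in sorted(counter.items())]

# Constructed sample log; the http and dns lines are dropped by the ignore lists.
SAMPLE_LOG = [
    "2005-03-01 13:05:11 fw sfv: denied tcp 198.51.100.7:4455 -> 203.0.113.5:135",
    "2005-03-01 13:05:11 fw sfv: denied tcp 198.51.100.7:4455 -> 203.0.113.5:135",
    "2005-03-01 13:06:02 fw sfv: denied http 198.51.100.9:80 -> 203.0.113.5:3312",
    "2005-03-01 13:07:40 fw sfv: denied dns 192.0.2.10:53 -> 203.0.113.5:1025",
    "2005-03-01 13:08:15 fw sfv: denied icmp-unreachable 198.51.100.20:0 -> 203.0.113.5:1",
    "2005-03-01 13:09:00 fw sfv: link up",
]

if __name__ == "__main__":
    for record in to_dshield(SAMPLE_LOG):
        print(record)
```

Piping this output to mail with the subject line shown above is what the cron entries do; the count column is why duplicate log lines collapse into one record.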
Usage: sfv-dshield.pl [options]
Options:
--id <number>       Your DShield user number.
--log <file>        Name of the logfile.
--date yyyy-mm-dd   Runs the report on the given date.
--noignore          Disables ignore list filtering.
--usage             Prints out usage information and exits.
Please see www.dshield.org for more information about DShield.
Download: sfv-dshield.pl.gz
© 1999-2005 Lars M. Hansen