Drunkwerks Documentation : FreeBSDShield

Most recent edit on 2007-02-20 21:22:33 by ShaunC [Add known issue]

Additions:
Known Issues
Processing /var/log/security.2.gz...
12051 incidents noted.
Report sent to reports@dshield.org.


Deletions:
Last run: 1171571834 (Feb 15 14:37:14)
4197 incidents noted.
Report sent to reports@dshield.org.




Edited on 2007-02-17 16:55:18 by ShaunC [Download links are live, adding cron job suggestion]

Additions:
FreeBSDShield is free software! It is available for download in a variety of formats:
It is suggested that you create a cron job to run FreeBSDShield automatically. The periodicity of your cron job depends upon the volume of intrusion attempts made against the machine(s) under your control. For most home users, a once-daily execution should be fine; enterprise or high-profile users may wish to run FreeBSDShield more frequently to reduce processing time and report size. DShield.org asks that you do not submit a report more than once per hour; please don't inundate them with reports.
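As an added example (this wrapper is not part of FreeBSDShield), here is a POSIX sh cron wrapper that honours DShield's once-per-hour request before invoking the client. The install directory, the stamp file, the wrapper's file name and the crontab line are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of FreeBSDShield: a cron wrapper that refuses to
# submit a DShield report more than once per hour, whatever the cron schedule.
# Assumed names: FBS_DIR (where freebsdshield.php lives) and STAMP (our own
# last-run epoch file, independent of the client's "Last run" bookkeeping).
FBS_DIR="${FBS_DIR:-/usr/local/freebsdshield}"
STAMP="${STAMP:-/var/db/freebsdshield.lastrun}"
MIN_INTERVAL=3600   # seconds; DShield asks for at most one report per hour

# rate_limit_ok LAST NOW: succeed (0) when at least MIN_INTERVAL seconds have
# elapsed since LAST, fail (1) otherwise. Kept free of side effects for testing.
rate_limit_ok() {
    last=$1
    now=$2
    [ $((now - last)) -ge "$MIN_INTERVAL" ]
}

# seconds_until_allowed LAST NOW: print how long until the next run is allowed.
seconds_until_allowed() {
    remaining=$((MIN_INTERVAL - ($2 - $1)))
    if [ "$remaining" -gt 0 ]; then
        echo "$remaining"
    else
        echo 0
    fi
}

run_report() {
    now=$(date +%s)
    last=0
    [ -r "$STAMP" ] && last=$(cat "$STAMP")
    if ! rate_limit_ok "$last" "$now"; then
        echo "skipping: next report allowed in $(seconds_until_allowed "$last" "$now")s" >&2
        return 2
    fi
    # Record the attempt before running, so a client that crashes on every
    # invocation still cannot flood reports@dshield.org from a tight schedule.
    echo "$now" > "$STAMP"
    cd "$FBS_DIR" && php freebsdshield.php
}

# Assumed crontab entry for a home user (once daily at 04:15):
#   15 4 * * * /usr/local/sbin/freebsdshield-cron.sh
# Only submit when executed as the wrapper itself, not when sourced for tests.
case "$0" in
    *freebsdshield-cron.sh) run_report ;;
esac
```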


Deletions:
FreeBSDShield is free software! It is (soon going to be) available for download in a variety of formats (for which the following links do not yet work):



Edited on 2007-02-17 15:27:29 by ShaunC [Remove auto self referential links]

Additions:
~- FreeBSD and the ipfw firewall, or some other environment that generates identical logs
Prior to writing FreeBSDShield, I'd been using Frank W. Josellis' utility called ipfw2dshield. The huge upside to Frank's client is that it's done entirely in shell script and builtins, so it will run on a bare-bones FreeBSD install with no third-party requirements. The disadvantage is that it's very slow to run. After nearly a year of submitting to DShield with this client, I decided that there's no good reason to spend 15 or 20 minutes to parse a few log files and send an email; thus was born FreeBSDShield, which tends to do the same amount of work in 15 or 20 seconds. Many thanks to Frank for the inspiration.
FreeBSDShield's author is crazy and just plain stupid. He is frequently drunk as well. Donations in lieu of flowers may be sent to his bank account, and are not tax deductible.


Deletions:
~- FreeBSD and the ipfw firewall, or some other environment that generates identical logs
Prior to writing FreeBSDShield, I'd been using Frank W. Josellis' utility called ipfw2dshield. The huge upside to Frank's client is that it's done entirely in shell script and builtins, so it will run on a bare-bones FreeBSD install with no third-party requirements. The disadvantage is that it's very slow to run. After nearly a year of submitting to DShield with this client, I decided that there's no good reason to spend 15 or 20 minutes to parse a few log files and send an email; thus was born FreeBSDShield, which tends to do the same amount of work in 15 or 20 seconds. Many thanks to Frank for the inspiration.
FreeBSDShield's author is crazy and just plain stupid. He is frequently drunk as well. Donations in lieu of flowers may be sent to his bank account, and are not tax deductible.




Edited on 2007-02-17 01:52:12 by ShaunC [Release preparation - download links are inactive!]

Additions:

FreeBSDShield

FreeBSDShield is a DShield.org reporting client for FreeBSD and the ipfw firewall. It allows you to report attempted security breaches to the DShield cooperative firewall logging effort, which in turn helps the Internet Storm Center (and netizens at large) track trends in network security and catch emerging vulnerabilities.
The current revision of FreeBSDShield is 0.1, released on February 17th, 2007. This is the initial release and testers are wanted. You can view the changelog for detailed release information.
Download
FreeBSDShield is free software! It is (soon going to be) available for download in a variety of formats (for which the following links do not yet work):
Features
Please note: FreeBSDShield is not a firewall and does not interact with ipfw. This script parses your existing firewall logs and reports security incidents to a worldwide collaborative intrusion logging effort.
Requirements
Usage
To use FreeBSDShield, first extract the archive and then edit the freebsdshield.php file. Set the configuration options at the top of the script as desired. To execute the script, run php freebsdshield.php in the working directory. You should see output similar to this:
[root@agaliarept freebsdshield]# php freebsdshield.php
Last run: 1171571834 (Feb 15 14:37:14)
Processing /var/log/security.1.gz...
Processing /var/log/security.0.gz...
Processing /var/log/security...
4197 incidents noted.
Report sent to reports@dshield.org.

Changelog
For a complete revision history, please see the FreeBSDShieldChangelog document.
License
FreeBSDShield is distributed under the BSD License. In other words, do whatever the heck you want with it. If you have fun, or if llamas are involved, send us pictures. If you redistribute it, include our original copyright notice. That's pretty much it. Ain't simplicity grand?
Contact
To report bugs, request features, or say thank-you, please send email to freebsdshield {at} drunkwerks {dot} com. A response is not guaranteed but (nearly) all messages will be read.
Background
Prior to writing FreeBSDShield, I'd been using Frank W. Josellis' utility called ipfw2dshield. The huge upside to Frank's client is that it's done entirely in shell script and builtins, so it will run on a bare-bones FreeBSD install with no third-party requirements. The disadvantage is that it's very slow to run. After nearly a year of submitting to DShield with this client, I decided that there's no good reason to spend 15 or 20 minutes to parse a few log files and send an email; thus was born FreeBSDShield, which tends to do the same amount of work in 15 or 20 seconds. Many thanks to Frank for the inspiration.
FreeBSDShield's author is crazy and just plain stupid. He is frequently drunk as well. Donations in lieu of flowers may be sent to his bank account, and are not tax deductible.


Deletions:
FreeBSDShield is a DShield.org reporting client for FreeBSD and the IPFW firewall. It is adapted from Frank W. Josellis' ipfw2dshield utility.
FreeBSDShield is currently in testing to ensure that it creates properly formed reports. Source and documentation are coming soon.
--ShaunC




Oldest known version of this page was edited on 2007-01-14 23:22:18 by ShaunC [Initial document]
Page view:
FreeBSDShield is a DShield.org reporting client for FreeBSD and the IPFW firewall. It is adapted from Frank W. Josellis' ipfw2dshield utility.

FreeBSDShield is currently in testing to ensure that it creates properly formed reports. Source and documentation are coming soon.

--ShaunC