DShield Reporting Format

Although DShield can accept the raw output generated by various pieces of software from Snort to iptables, it is helpful to submit data in a specific format in order to reduce the processing effort required by the DShield servers. This format requires that each security event be placed on a separate line as a tab-separated list containing the following fields:

• Author (the DShield user ID, which psad defaults to zero if you have not registered at http://www.dshield.org)

• Date (formatted as YYYY-MM-DD HH24:MI:SS Z, where Z is the time zone)

• Protocol (a numeric entry from /etc/protocols or the text equivalent, such as TCP)

• Source IP address

• Source port (or ICMP type)

• Target IP address

• TCP flags (only required for TCP alert data)
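As an added example (not psad's or DShield's own code), the following Python builds and validates event lines in the field order listed above, normalising timestamps to UTC and refusing flags on non-TCP events. The +00:00 zone spelling, the flag letters and the sample addresses are assumptions; the authoritative layout is the one published at http://www.dshield.org.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Fallback for hosts without /etc/protocols (IANA protocol numbers).
PROTO_FALLBACK = {"icmp": 1, "tcp": 6, "udp": 17}
TCP_FLAG_CHARS = set("SAFRPU")  # SYN ACK FIN RST PSH URG (assumed letters)

def protocol_number(proto):
    """Resolve a protocol name to its /etc/protocols number (ints pass through)."""
    if isinstance(proto, int):
        return proto
    try:
        with open("/etc/protocols") as fh:
            for line in fh:
                fields = line.split("#", 1)[0].split()
                if len(fields) >= 2 and fields[0].lower() == proto.lower():
                    return int(fields[1])
    except OSError:
        pass
    return PROTO_FALLBACK[proto.lower()]

def dshield_line(author, when, proto, src_ip, src_port, dst_ip, flags=""):
    """One tab-separated event line in the field order listed above.
    src_port carries the ICMP type for ICMP events; flags are only valid for
    TCP. The timestamp is converted to UTC and written as +00:00 (assumed)."""
    if not isinstance(author, int) or author < 0:
        raise ValueError("author must be a non-negative DShield user ID")
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    proto_num = protocol_number(proto)
    if flags and proto_num != 6:
        raise ValueError("TCP flags are only valid for TCP events")
    if set(flags) - TCP_FLAG_CHARS:
        raise ValueError("unexpected TCP flag characters: %r" % flags)
    if not 0 <= int(src_port) <= 65535:
        raise ValueError("source port / ICMP type out of range")
    date = when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S +00:00")
    return "\t".join([str(author), date, str(proto_num),
                      str(ipaddress.ip_address(src_ip)), str(int(src_port)),
                      str(ipaddress.ip_address(dst_ip)), flags])

def parse_dshield_line(line):
    """Split a line back into its 7 fields, checking that both addresses parse."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError("expected 7 tab-separated fields, got %d" % len(fields))
    ipaddress.ip_address(fields[3]); ipaddress.ip_address(fields[5])
    return fields

def example_lines():
    """Constructed sample events: a TCP SYN and an ICMP echo request (type 8)."""
    ts = datetime(2006, 5, 20, 10, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
    return [dshield_line(0, ts, "tcp", "192.0.2.10", 45231, "198.51.100.7", "S"),
            dshield_line(0, ts, "icmp", "192.0.2.10", 8, "198.51.100.7")]
```

Running parse_dshield_line over a batch before submission catches malformed records locally rather than leaving the DShield servers to reject them.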
