Although DShield can accept the raw output generated by various pieces of software from Snort to iptables, it is helpful to submit data in a specific format in order to reduce the processing effort required by the DShield servers. This format requires that each security event be placed on a separate line as a tab-separated list containing the following fields:
• Author (the DShield user ID, which psad defaults to zero if you have not registered at http://www.dshield.org)
• Date (formatted as YYYY-MM-DD HH24:MI:SS Z, where Z is the time zone)
• Protocol (a numeric entry from /etc/protocols or the text equivalent, such as TCP)
• Source IP address
• Source port (or ICMP type)
• Target IP address
• TCP flags (only required for TCP alert data)
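As an added example (not code from psad or DShield), the following Python emits one tab-separated DShield line per event and rejects records that would be malformed: a naive timestamp, an unknown protocol, a garbage address, an out-of-range port, or unknown TCP flags. Field order follows the list above; the target port / ICMP code field, the +HH:MM rendering of the time zone, and the embedded subset of /etc/protocols are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed subset of /etc/protocols; a live system would read the real file.
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}
TCP_FLAGS = set("SAFRPUEC")  # SYN ACK FIN RST PSH URG ECE CWR, one letter each

def _tz_offset(ts):
    """Render the time zone as +HH:MM / -HH:MM (assumed rendering of 'Z')."""
    secs = int(ts.utcoffset().total_seconds())
    sign = "+" if secs >= 0 else "-"
    return f"{sign}{abs(secs) // 3600:02d}:{abs(secs) % 3600 // 60:02d}"

def dshield_line(event, author=0):
    """Format one psad-style event (a dict) as a DShield tab-separated line.

    Field order follows the list above; the target port / ICMP code field
    is an assumption, not something the list above states. author defaults
    to 0, matching psad's behaviour for unregistered users.
    """
    proto = event["protocol"]
    if isinstance(proto, str):
        proto = PROTOCOLS[proto.lower()]          # text name -> number
    elif proto not in PROTOCOLS.values():
        raise ValueError(f"unknown protocol number {proto}")
    ts = event["date"]
    if ts.tzinfo is None:
        raise ValueError("date must carry a time zone")
    date = ts.strftime("%Y-%m-%d %H:%M:%S ") + _tz_offset(ts)
    src, dst = str(ip_address(event["src"])), str(ip_address(event["dst"]))
    sport, dport = int(event["sport"]), int(event["dport"])  # or ICMP type/code
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    flags = event.get("flags", "") if proto == PROTOCOLS["tcp"] else ""
    if set(flags) - TCP_FLAGS:
        raise ValueError(f"bad TCP flags {flags!r}")
    fields = [int(author), date, proto, src, sport, dst, dport, flags]
    return "\t".join(str(f) for f in fields)

# Constructed sample events (documentation addresses, not real traffic).
SAMPLE_TCP_EVENT = {
    "date": datetime(2006, 1, 2, 3, 4, 5, tzinfo=timezone(timedelta(hours=-5))),
    "protocol": "TCP", "src": "192.0.2.10", "sport": 12345,
    "dst": "198.51.100.20", "dport": 22, "flags": "S",
}
SAMPLE_ICMP_EVENT = {
    "date": datetime(2006, 1, 2, 8, 4, 5, tzinfo=timezone.utc),
    "protocol": 1, "src": "192.0.2.10", "sport": 8,   # ICMP type 8 (echo)
    "dst": "198.51.100.20", "dport": 0,                # ICMP code 0
}

if __name__ == "__main__":
    for ev in (SAMPLE_TCP_EVENT, SAMPLE_ICMP_EVENT):
        print(dshield_line(ev))
```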