DShield Reporting

The DShield distributed intrusion detection system (http://www.dshield.org) is an important instrument for the collection and reporting of security event data. It serves as a centralized depot for data provided by various software from both the open source and commercial worlds, including intrusion detection systems, routers, and firewalls.

Many such products can submit security alerts to DShield either via email or through a web interface. A complete listing of client programs that can submit event data to DShield can be found at http://www.dshield.org/howto.php.

The DShield database is designed as a global resource; anyone can use it to learn which IP address is attacking the greatest number of arbitrary targets, the ports and protocols most commonly attacked, and so on.

The shape of event data submitted to DShield is important. Some event data logged by firewalls or intrusion detection systems is not suitable for inclusion within the DShield database because it does not indicate malicious traffic on the open Internet. Such data might include attacks between hosts on an internal network on RFC 1918 address space, or port scans that are deliberately requested from an external site such as ShieldsUP! (https://www.grc.com) to test local security.

Automatic email submission of scan data to DShield is supported by psad. Once you have registered at the DShield website, you can include your username in the email submissions by editing the DSHIELD_USER_ID variable in /etc/psad/psad.conf. DShield also accepts log information from anonymous sources, so it is not necessary to register. By default, when DShield reporting is enabled, psad sends a submission email every six hours, but this interval can be controlled by tuning the DSHIELD_ALERT_INTERVAL variable. (psad is careful not to include scan data that originates from an RFC 1918 address or from an address that should be ignored because of a zero danger level setting in /etc/psad/auto_dl.)
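The exclusion rule described above, as an added Python sketch (not psad's own code, which is written in Perl): it drops events sourced from RFC 1918 space or from addresses given danger level 0 in auto_dl-style text. The function names, event dictionaries and sample data are constructed for illustration, the auto_dl line format is an assumption, and entries with a protocol/port qualifier are not treated as ignore rules here.

```python
import ipaddress

# RFC 1918 private ranges: sources here never crossed the open Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zero_danger(auto_dl_text):
    """Networks with danger level 0 in auto_dl-style text.
    Assumed line format: "<IP or CIDR> <danger level> [proto[/ports]];".
    Entries carrying a protocol/port qualifier are skipped (simplification).
    """
    nets = []
    for raw in auto_dl_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        fields = line.split()
        if len(fields) != 2 or fields[1] != "0":
            continue
        try:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue  # malformed address: skip the entry
    return nets

def reportable(events, auto_dl_text):
    """Keep events whose source is neither RFC 1918 nor zero-danger."""
    excluded = RFC1918 + parse_zero_danger(auto_dl_text)
    kept = []
    for ev in events:
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            continue  # unparsable source: do not submit
        if not any(src in net for net in excluded):
            kept.append(ev)
    return kept

# Constructed sample data (not taken from a real psad installation).
SAMPLE_AUTO_DL = """\
203.0.113.7      0;        # scanner we asked to probe us
198.51.100.0/24  5;
192.0.2.10       0  tcp/22;
"""
SAMPLE_EVENTS = [
    {"src": "192.168.1.50", "dport": 445},   # internal host, RFC 1918
    {"src": "172.20.3.4", "dport": 22},      # inside 172.16.0.0/12
    {"src": "172.32.0.1", "dport": 22},      # just outside 172.16.0.0/12
    {"src": "203.0.113.7", "dport": 80},     # zero danger level in auto_dl
    {"src": "198.51.100.23", "dport": 23},   # ordinary external source
]
```

Calling `reportable(SAMPLE_EVENTS, SAMPLE_AUTO_DL)` keeps only the two events whose sources are neither private nor explicitly ignored.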

NOTE: Although DShield reporting is not enabled by default in psad, the psad installer install.pl asks specifically whether you would like to enable it. Unless your security policy explicitly forbids the communication of security event data to DShield, I highly recommend enabling it.
