Darxus on Thu, 10 Jan 2002 06:02:28 -0500



Re: [PLUG] DShield.org: Distributed Intrusion Detection System


On 01/10, Joe Coyle wrote:
> This could be useful for firewall design...   http://www.dshield.org/
> The general idea is that by sharing information about intrusions,
> members can benefit in configuring their own firewalls.  DShield.org
> collects firewall log data submitted by its members.  The collected data is
> then compiled and summarized in reports by port number, IP address, etc.

You asked if this could be used in a firewall.  I created (and attached)
an extremely simple script (4 lines) that grabs the list of the top 10
current port scanners and uses ipchains (kernel v2.2.x) to deny all inbound
traffic from them.  It requires that the "wget" program be installed.
It should be equally easy to do with iptables (kernel v2.4.x).

Unfortunately they don't seem to provide a larger dataset.  I'm becoming
a little concerned that this organization doesn't seem very... open.
They are collecting what could be a rather valuable dataset (everybody's
firewall logs), and not sharing them.


As we were discussing at dinner, I could see this information being useful
in preventing Windows servers from being infected by new worms.

-- 
"Blessed are they who, in the face of death, think only about the
front sight."
http://www.ChaosReigns.com
#!/bin/sh
#dshield-ipchains, created by Darxus@ChaosReigns.com on 1/10/2002,
#released under the GPL.
#
#This program retrieves a list of the top 10 portscanners from dshield.org,
#and then tells ipchains to deny all incoming traffic from them.
#
#It requires wget for the retrieval:
#http://www.gnu.org/software/wget/wget.html

# -N only re-downloads when the server copy is newer; stop if the fetch
# fails rather than looping over a missing file.
wget -N http://feeds.dshield.org/top10.txt || exit 1
# Log (-l) and deny every inbound packet from each listed address.
for host in `cat top10.txt`; do
 ipchains -l -A input -p all -s "$host" -j DENY
done
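Darxus says the same thing should be easy with iptables on 2.4.x kernels. The script below is an added example, not the attached script, not DShield's code, and not something from this thread: it is the iptables counterpart of the ipchains loop, with the feed validated before any address is handed to a firewall command. It assumes top10.txt is one IPv4 address per line (the original loop treats it as a whitespace-separated list); the sample feed, the file name dshield-iptables.sh and the DSHIELD_APPLY variable are all inventions of this example.

```shell
#!/bin/sh
# Added example (not the posted script, not DShield's code): the iptables
# (kernel 2.4.x) equivalent of Darxus's ipchains loop, validating the feed
# before any address reaches a firewall command.
# Assumptions: feeds.dshield.org/top10.txt is one IPv4 address per line;
# the sample feed below is constructed, not real DShield data.

# Constructed sample feed: three usable addresses, one garbage line,
# one out-of-range octet and one private address.
SAMPLE_FEED='198.51.100.7
203.0.113.45
not-an-address
999.1.1.1
10.0.0.5
192.0.2.10'

# Read candidate addresses on stdin and print only well-formed public
# IPv4 addresses, one per line.  Malformed lines are dropped instead of
# being spliced into an iptables command, and 0/8, 10/8, 127/8,
# 172.16/12 and 192.168/16 are skipped so a bad feed cannot make the
# box block its own LAN or loopback.
filter_ipv4() {
    awk -F. '
        { gsub(/[ \t\r]/, "") }
        NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if ($1 == 0 || $1 == 10 || $1 == 127) ok = 0
            if ($1 == 172 && $2 >= 16 && $2 <= 31) ok = 0
            if ($1 == 192 && $2 == 168) ok = 0
            if (ok) print $0
        }'
}

# block_feed RUNNER: for each valid address on stdin, log and then drop
# inbound packets from it on the INPUT chain (the iptables equivalent of
# `ipchains -l -A input -p all -s $host -j DENY`).  RUNNER is a command
# prefix: "echo" prints the rules for review, an empty string applies them.
block_feed() {
    runner=$1
    filter_ipv4 | while IFS= read -r ip; do
        $runner iptables -A INPUT -s "$ip" -j LOG --log-prefix "dshield: "
        $runner iptables -A INPUT -s "$ip" -j DROP
    done
}

# Usage:  wget -N http://feeds.dshield.org/top10.txt
#         sh dshield-iptables.sh top10.txt                    # print rules only
#         DSHIELD_APPLY=1 sh dshield-iptables.sh top10.txt    # apply (as root)
main() {
    if [ "${DSHIELD_APPLY:-0}" = 1 ]; then
        block_feed "" < "$1"
    else
        block_feed echo < "$1"
    fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The dry run is the default on purpose: a feed fetched over plain HTTP and compiled from other people's logs is input you do not control, so reviewing the generated rules (and the LOG counters afterwards) before applying them is the cheap check that you are not about to drop traffic from an address you depend on.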
