This program is released under GNU GPL, and provided without any warranty.
In order to use the DShield agent for the Symantec Firewall/VPN appliance, you need to send the logs to a syslog daemon. Having any type of un*x box will provide you with this tool.
The program simply parses through the logfile specified, and reformats the data to match the DShield format.
I recommend editing the three variables $logfile, $timezone, $id to include your correct information. The defaults are "/var/log/firewall.log", "-05:00" and "0". Although you can use zero as the ID, you should sign up with DShield to get your own ID number.
Before you start submitting anything to DShield, test the program. Testing the program is as simple as typing "./sfv-dshield.pl" (assuming you are in the same directory as the program). If there's been anything logged in the current hour, you'll see some output. You can also specify the "--daily" switch, which will return all entries for the current day.
Since the program doesn't actually send e-mails itself, you'll have to pipe the output to the mail program. Here's a sample line:
./sfv-dshield.pl --daily | mail -s "FORMAT DSHIELD USERID 0 TZ -05:00" firstname.lastname@example.org
That should deliver the report to your e-mail address.
To schedule the reporting, simply create a cron job. There's two options here. You can either schedule it hourly or daily. If you're getting a lot of activity on your firewall, then perhaps hourly might be the better solution for you, but I would generally recommend doing it on a daily basis. Here's two samples:
59 23 * * * sfv-dshield --daily |mail -s "FORMAT DSHIELD USERID 0 -05:00 email@example.com 59 * * * * sfv-dshield | mail -s "FORMAT DSHIELD USERID 0 -05:00" firstname.lastname@example.org
The first is for daily reporting, and it's scheduled to run at 11:59PM every day. The second runs at one minute before every hour, every day... Note that you may have to include the full path to the program in the crontab, I've omitted it here due to horizontal space constraints...
Version 1.22 includes filtering of source IP and source port. This allows you to exclude certain IP address or port numbers from the report, i.e. the IP address of any online scanning service or source port 80 (which is usually a "late" response from a web server).
Version 1.31 includes fix for a bug that caused everything to be reported as UDP, and also translates a few more protocols to TCP.
Version 1.4 includes recognition of some ICMP messages, such as destination unreachable, time exceeded and source quench. I can only add what I see, so might add more types as they become noticable.
Usage: sfv-shield.pl [options]
Your DShield user number.
Name of the logfile.
Runs report on given date.
disables ignore list filtering.
Prints out usage information and exits.
Please see www.dshield.org for more information about DShield.
© 1999-2005 Lars M. Hansen