General Information On Submitting Logs To DShield
DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service.
If you use a firewall, please submit your logs to the DShield database. We recently culled our list of supported firewalls as most uses use our honeypot. But if you have a firewall you would like to see supported, contact us here. You will need to register for a free account to submit data.
Everybody is welcome to use the information collected by us and desimminated via this site to protect their network from intrusion attempts. Let us know how it helps you or how we can improve the data.
First, please sign up
- can view the the firewall logs they submitted to the DShield database (for the last 30 days.)
- can get a confirmation of their own submissions emailed to them after every submission.
You register using the sign up form. You will be asked to supply your email address and a name.
You can optionally specify if you want feedback after every submission. Feedback will be provided in the form of a brief message listing rejected lines and summarizing the submission. You will receive feedback if you
- Used a valid UserID
- Switched on 'feedback' in your user profile.
After you register you will be emailed a confirmation message. The message will contain your UserID. Use this UserID when you submit your logs.
- Message processing can take up to an hour, or possibly several hours, depending on how busy our server is. (We batch process incoming submissions.) So don't expect an immediate confirmation email.
- Don't submit duplicates. Don't submit logs, or portions of logs that have been previously submitted. Most of the existing clients take care of this automatically.
- Each message will be confirmed via e-mail if a valid 'From' or 'Reply-To' address was used, and if you have enabled "Feedback" in your user profile.
Things To Look For When Examining Your Own Firewall Logs.
- Rejected DHCP packets (You should probably not be blocking DHCP traffic if you depend on it for your IP.)
- Rejected DNS traffic from/to port 53.
- Things that should not be submitted to DShield:
- Accesses from your own ISP's servers that end up in your firewall log, for whatever reason. For example, some firewalls/routers log all activity, even if it isn't blocked. In this case, your logs would contain a lot of legitimate DHCP accesses to and from your ISP.
- Authorized port scans used to test your firewall rules (for example if you visit a site testing your firewall).
- Any security port scans that you do yourself.
- Rejected traffic from local network (10.x, 192.168.x) (This doesn't indicate a problem for you, but DShield rejects log entries that use this address range, so there is no need to submit log lines that contain information about this address range.)
- Some BSD based firewalls (pfsense, opnsense for example) will log the last packets of closed connections (FIN-ACKs).
Developing Your Own Client Software
You may prefer to develop your own client software to aid you in submitting your log files. Please refer to our Guidelines for Developing DShield Client Software page.