DShieldUp is a FREE utility to upload log information to DShield.org:
DShield provides a platform for users of firewalls to share
intrusion information. DShield is a free and open service.
DShield.org is an attempt to collect data about cracker
activity from all over the internet. This data will be catalogued and summarized. It can be used to discover trends in activity and
prepare better firewall rules.
DShield.org also has what they call their Fightback feature:
DShield.org is now helping users to fight back against
attackers. We will analyze submitted log reports and pick a number
of strong cases to forward them to the ISP from which the attack
originated. A copy of the abuse report will be forwarded to the
user.
You have to sign up for 'Fightback'. We will not forward any
of your log submissions unless you agree to it by using the Fightback
option.
The user that submitted the log report will be copied on all
correspondence. The ISP will receive all relevant log excerpts and
we will include the e-mail address registered with DShield.org, in
order to allow the ISP to contact the victim directly.
We hope other reporting organizations will be interested in the
data captured by Link Logger users all around the world. We
are willing to send the source code (written in Delphi 5) for
DShieldUp to anyone wishing to improve it or modify it for other log
collection or reporting services. We do ask however that all
changes or new versions be sent back to us, such that other Link
Logger users can benefit.

How To Use DShieldUp
DShieldUp works on Windows 98, 98SE, ME, NT, Windows 2000,
XP, and 2003. While it is not an officially supported product, if you
have comments/suggestions or find bugs please send an email to DShieldUp@LinkLogger.com.
When trying DShieldUp for the first couple of times, enter your
own email address in the 'Send to' field so you can see what is
being sent by DShieldUp to DShield.org. We also recommend that
you turn off descriptions in the drag and drop (user configuration),
as it speeds up drag and drop hugely.
In Link Logger, build a search list of events that you would like
to send, then drag and drop them onto DShieldUp. You can
uncheck items in DShieldUp that you don't want to send. Scrub
removes any unchecked items; the send process also checks that items
are checked before sending an event, so Scrub is simply a convenient way
to get them off your display if you're working through a long list.
Note that the columns are sortable.
About the only thing you need to set up for DShieldUp is the SMTP email host
from your ISP (check your email settings for the SMTP address). You
can put DShieldUp.exe anywhere, but we suggest putting it in the
Link Logger directory and adding a shortcut wherever you like.
The Author ID is from DShield.org when you register. Anonymous
users can enter 0 for their Author ID.
DShieldUp has a couple of features
which are handy. First, if you don't want to send NetBIOS name
lookups, you can enable the 'NETBIOS Nameservice' filter so
that those events are filtered out on the drop. Also,
DShieldUp remembers the event date and time of the last event sent
and, in subsequent uses, will warn you if you add events which occurred
before that event.
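The two features above (the NetBIOS Nameservice drop filter and the last-sent watermark), plus the checked-before-send rule, modelled in Python as an added example. This is not DShieldUp's Delphi code; it assumes the filter matches destination UDP/TCP port 137 (NetBIOS Name Service), the sample events are constructed, and the tab-separated output layout is a placeholder rather than DShield's real submission format.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

NETBIOS_NS_PORT = 137  # NetBIOS Name Service; assumed to be what the filter keys on


@dataclass
class Event:
    when: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: Optional[str]  # None for routers that do not log protocol (most Linksys models)
    checked: bool = True     # the per-row checkbox in the DShieldUp list


def drop_netbios_nameservice(events: List[Event]) -> List[Event]:
    """Applied on the drop: discard NetBIOS name lookups so they are never listed."""
    return [e for e in events if e.dst_port != NETBIOS_NS_PORT]


def older_than_last_sent(events: List[Event], last_sent: Optional[datetime]) -> List[Event]:
    """Events that predate the last event already sent; these trigger the warning."""
    if last_sent is None:
        return []
    return [e for e in events if e.when < last_sent]


def scrub(events: List[Event]) -> List[Event]:
    """Scrub button: remove unchecked rows from the display."""
    return [e for e in events if e.checked]


def build_submission(events: List[Event], author_id: int, last_sent: Optional[datetime]):
    """Send step: re-check the checkbox per event, emit placeholder lines, advance the watermark."""
    lines, newest = [], last_sent
    for e in events:
        if not e.checked:
            continue
        proto = e.protocol or "-"  # assumed marker for routers that log no protocol
        lines.append("\t".join([e.when.strftime("%Y-%m-%d %H:%M:%S"), str(author_id), e.src_ip,
                                str(e.src_port), e.dst_ip, str(e.dst_port), proto]))
        newest = e.when if newest is None or e.when > newest else newest
    return lines, newest


# Constructed sample drop (not real log data); author ID 0 is the anonymous submitter
SAMPLE = [
    Event(datetime(2004, 3, 1, 8, 0, 0), "198.51.100.7", 1025, "192.0.2.10", 137, "UDP"),
    Event(datetime(2004, 3, 1, 9, 15, 0), "203.0.113.5", 4444, "192.0.2.10", 135, "TCP"),
    Event(datetime(2004, 2, 28, 23, 0, 0), "198.51.100.9", 3100, "192.0.2.10", 445, None),
    Event(datetime(2004, 3, 1, 10, 0, 0), "203.0.113.8", 2020, "192.0.2.10", 22, "TCP", checked=False),
]
LAST_SENT = datetime(2004, 3, 1, 0, 0, 0)
```

Running the sample through drop_netbios_nameservice, older_than_last_sent and build_submission shows the port-137 event filtered, the 28 February event flagged as older than the watermark (it is still sent if left checked), and the unchecked event never reaching the output.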
A sample of how one person uses DShieldUp.
I have my display filters set to green inbound, and blue
outbound. This means that I see all inbound traffic, and all
alerts, so I sort the traffic list by alerts in a descending
order. Since Outbound alerts are a 'higher' alert they
appear at the top of the list (if there are any), and inbound
alerts appear next and non-alert inbound traffic at the bottom of
the list. Typically I review Link Logger a couple of times a
day (or not), but when I do, I review the inbound alerts and
highlight them (click on the first event to highlight it, and then
shift-click on the last event, which highlights the whole range, and
then unselect alerts that I know to be false positives by Ctrl-clicking
on them), and then drag and drop them onto DShieldUp, and send
them. After sending the alerts, I clear the traffic list in
Link Logger and repeat the process again next time I check Link
Logger. Since I have Fightback enabled at DShield.org, the
idea is that hopefully a notification email is sent out to the respective
ISPs concerning the probes and scans such that these systems can
be cleaned up.
Since each router has slightly different logging capabilities there
are three versions of DShieldUp. Please select the version for
your router.
While we have extensively beta tested DShieldUp, we must
include the following disclaimer. NOTE: DShieldUp is provided
'as is' without any official support or warranty. If you do
find any problems or have some suggestions, please let us know at DShieldUp@LinkLogger.com.
NOTE: the difference between the two versions is
the inclusion of Protocol in the information sent to DShield, as
typically all Linksys routers/firewalls except the BEFSX41 do not log
protocol information. All other routers/firewalls supported by
Link Logger log protocol information.
If you encounter any problems please email Link Logger support at support@LinkLogger.com.