DShield Analyzer Version 0.1

What is this?

This is the DShieldAnalyzer README file. If you don't know why you're reading this, then you're probably reading the wrong file!

What does DShieldAnalyzer do?

DShieldAnalyzer is a Java application for parsing firewall log files that are formatted in the DShield format. More information on DShield and the DShield format can be found at http://www.dshield.org. The application uses the Linux services description file (usually stored as /etc/services) to determine the service associated with a particular port/protocol pair.

What do I need to run the application?

You need to have the Java runtime installed. If you don't have it installed, get it from http://java.sun.com

How do I run the application?

DShieldAnalyzer takes the following mandatory parameters:

-d [dshield log file]
-s [services file]
-c [class name]

An additional parameter, -q true, instructs the application to run quietly. The application is run from the command line as follows:

%> java -classpath DShieldAnalyzer.jar -d /var/log/logfile -s /etc/services -c com.bpm.dshield.analyzer.report.GroupedCommandLineReport

What's with the class name?

The class name is the fully qualified class name of the Java class that produces the report. Because the report class is specified when the report is run, the type of report can be varied without changing the application. New types of report can be written - see "How do I write my own report?".

What are the .ksh script files distributed with the application?

I've included the Korn shell scripts that I use to run the application on my Linux box. analyzer.ksh is a wrapper around the java command line. cron.ksh is the script that I use for calling the application from cron.

How do I write my own report?

It's simple. Take a look at the javadocs and write a class that implements the Report interface (com.bpm.dshield.analyzer.report.Report). This interface defines a single generate method, which provides access to the Sources and Services collections that hold the data parsed from the input files. The best way to start is to look at the source code for the com.bpm.dshield.analyzer.report.GroupedCommandLineReport report class.
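The following is an added, stand-alone Java example (not DShieldAnalyzer's own code) that shows the shape of the work described in "What does DShieldAnalyzer do?" and in this section: parse DShield-format log lines, resolve target ports through an /etc/services-style table, and print a report grouped by target port and protocol, in the spirit of GroupedCommandLineReport. It does not implement the project's Report interface, whose exact method signature this README does not give; the DShield field order it assumes (date/time, submitter id, count, source IP, source port, target IP, target port, protocol, optional flags) should be checked against the format description at dshield.org. All log and services lines in it are constructed sample data.

```java
import java.util.*;

/**
 * Added illustration, not part of DShieldAnalyzer: parse DShield-format
 * firewall log lines, resolve target ports against an /etc/services-style
 * table, and print a report grouped by target port and protocol.
 */
public class GroupedReportExample {

    /** One parsed log record (only the fields a grouped report needs). */
    static final class Entry {
        final String sourceIp; final int sourcePort;
        final String targetIp; final int targetPort;
        final String protocol;
        Entry(String sourceIp, int sourcePort, String targetIp, int targetPort, String protocol) {
            this.sourceIp = sourceIp; this.sourcePort = sourcePort;
            this.targetIp = targetIp; this.targetPort = targetPort;
            this.protocol = protocol;
        }
    }

    /**
     * Parse one tab-separated DShield line. Assumed field order: date/time,
     * submitter id, count, source IP, source port, target IP, target port,
     * protocol, flags (optional). Returns null for blank, comment or malformed
     * lines so that one bad line does not abort the whole run.
     */
    static Entry parseDShieldLine(String line) {
        if (line == null || line.trim().isEmpty() || line.startsWith("#")) return null;
        String[] f = line.split("\t");
        if (f.length < 8) return null;
        try {
            return new Entry(f[3].trim(), Integer.parseInt(f[4].trim()),
                             f[5].trim(), Integer.parseInt(f[6].trim()),
                             f[7].trim().toLowerCase());
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /** Parse /etc/services lines ("name  port/proto  [aliases] # comment") into "port/proto" -> name. */
    static Map<String, String> parseServices(List<String> lines) {
        Map<String, String> services = new HashMap<>();
        for (String line : lines) {
            int hash = line.indexOf('#');
            if (hash >= 0) line = line.substring(0, hash);      // drop trailing comment
            String[] f = line.trim().split("\\s+");
            if (f.length < 2 || !f[1].contains("/")) continue;  // blank or unexpected layout
            services.putIfAbsent(f[1].toLowerCase(), f[0]);     // first name for a port wins
        }
        return services;
    }

    /** Group entries by "targetPort/protocol"; TreeMap keeps the report order stable. */
    static Map<String, List<Entry>> groupByTarget(List<Entry> entries) {
        Map<String, List<Entry>> groups = new TreeMap<>();
        for (Entry e : entries) {
            groups.computeIfAbsent(e.targetPort + "/" + e.protocol, k -> new ArrayList<>()).add(e);
        }
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample input (documentation addresses, not real traffic).
        List<String> log = Arrays.asList(
            "2003-02-01 12:00:01 +00:00\t12345\t1\t203.0.113.5\t4444\t192.0.2.10\t22\tTCP\tS",
            "2003-02-01 12:00:07 +00:00\t12345\t1\t203.0.113.9\t51234\t192.0.2.10\t22\tTCP\tS",
            "2003-02-01 12:00:09 +00:00\t12345\t1\t198.51.100.7\t1025\t192.0.2.10\t137\tUDP",
            "2003-02-01 12:00:11 +00:00\t12345\t1\t198.51.100.8\t3210\t192.0.2.10\t31337\tTCP\tS",
            "this line is malformed and is skipped");
        // Constructed /etc/services excerpt in the usual layout.
        List<String> services = Arrays.asList(
            "# Network services, Internet style",
            "ssh\t\t22/tcp\t\t\t\t# SSH Remote Login Protocol",
            "ssh\t\t22/udp",
            "netbios-ns\t137/udp\t\t\t\t# NETBIOS Name Service");

        List<Entry> entries = new ArrayList<>();
        for (String line : log) {
            Entry e = parseDShieldLine(line);
            if (e != null) entries.add(e);
        }
        Map<String, String> serviceNames = parseServices(services);

        // One report line per target port/protocol: service name (or "unknown"
        // when /etc/services has no entry), hit count and distinct source IPs.
        for (Map.Entry<String, List<Entry>> g : groupByTarget(entries).entrySet()) {
            Set<String> sources = new TreeSet<>();
            for (Entry e : g.getValue()) sources.add(e.sourceIp);
            System.out.printf("%-12s %-12s hits=%d sources=%s%n",
                g.getKey(), serviceNames.getOrDefault(g.getKey(), "unknown"),
                g.getValue().size(), sources);
        }
    }
}
```

Compile and run it with javac GroupedReportExample.java && java GroupedReportExample. Ports with no /etc/services entry (31337/tcp in the sample) are reported as "unknown" rather than dropped, which is the case worth looking at in a real firewall log; a report class for DShieldAnalyzer would apply the same grouping to the Sources and Services collections it receives from generate.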

What if none of this makes sense?

That's probably because I've missed something out of this document. Why not drop me an email at luptonn@hotmail.com and I'll try to help.

What if I've found a bug?

Please send bug reports to me and I'll try and fix them in the next release.