ISC DShield & pfSense
-
I am reading "Cyberattack, Cybercrime, Cyberware" by Mark Osborne. There is a section that talks about ISC and ISPs using home routers as a distributed IDS collecting and feeding information back to a C2. I was wondering if anyone knows if pfSense has some sort of participation in something like this.
Here is the excerpt.
Storm Center
The Internet Storm Center (ISC) is run by the SANS Institute and was formed in 2001
following SANS’s work on the “Lion Worm.” Today, the ISC provides a free analysis and
warning service to thousands of Internet users and organizations, and it is actively working
with Internet Service Providers to fight back against the most malicious attackers. The ISC
relies on an all-volunteer effort to detect problems and disseminate information to the
general public.
DShield builds on thousands of firewalls and home broadband devices to constantly
collect information about unwanted traffic arriving from the Internet and hitting a deny
rule. The logs generated from these devices are sucked into DSHIELD.
DShield turns these fairly dumb devices into a large network of distributed sensors
(distributed IDS). Additionally, ISC provides analysts to process these feeds into
conclusions that can be sent back to the community. -
There is a script you can run…
https://forum.pfsense.org/index.php?topic=138717.0
-
I got it all set up and thought I would share for ppl down the line.
Download: dshield.php & dshield.sample from: https://github.com/jullrich/dshieldpfsense
Create an account at: https://www.dshield.org/
Edit dshield.sample with your dshield.org information. Rename dshield.ini
Transfer php and ini to a directory on your pfsense; connect with Putty.
Make sure you enable SSH in the GUI.
transfer : pscp dshield.ini user@192.168.1.2:e\ admin@192.168.1.1:/root/bin
chmod +x /root/bin/dshield.ini - .ini
In pfSense GUI set up email notifications.
cd /etc. crontab -e 11,41 * * * * /root/bin/dshield.php -
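For anyone wondering what actually travels from the box to DShield with a setup like the one above, here is a small added illustration (my own example, not the jullrich/dshieldpfsense script and not DShield's client code) of the sensor step: parse pfSense 2.2+ filterlog CSV lines, keep only inbound packets that hit a block rule, count repeats per flow and emit tab-separated rows. The column order, the `???` placeholder for portless protocols and the timezone suffix are assumptions modelled on the DShield text submission format; the log lines, user id and year are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, pfSense 2.2+ filterlog CSV (IPv4): rule,subrule,anchor,tracker,iface,
# reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst[,sport,dport,datalen,tcpflags]
SAMPLE_LOG = """\
Mar 12 10:00:01 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,44321,22,0,S,10,,65535,,mss
Mar 12 10:00:02 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,203.0.113.5,198.51.100.7,44321,22,0,S,10,,65535,,mss
Mar 12 10:00:03 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,1003,0,none,17,udp,48,203.0.113.9,198.51.100.7,53012,5060,28
Mar 12 10:00:04 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1004,0,none,1,icmp,84,203.0.113.8,198.51.100.7,request,77,1
Mar 12 10:00:05 fw filterlog: 9,,,1000000201,igb0,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.0.2.44,198.51.100.7,50000,443,0,S,11,,65535,,mss
Mar 12 10:00:06 fw filterlog: 7,,,1000000105,igb1,match,block,out,4,0x0,,64,1006,0,DF,6,tcp,60,10.0.0.5,203.0.113.77,40000,25,0,S,12,,65535,,mss
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog: (.*)$")

def parse_filterlog(line):
    """Return the fields a sensor needs from one IPv4 filterlog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, f = m.group(1), m.group(2).split(",")
    if len(f) < 20 or f[8] != "4":          # IPv6 lines use a different layout; skipped here
        return None
    rec = {"time": ts, "action": f[6], "dir": f[7], "proto": f[16].upper(),
           "src": f[18], "dst": f[19], "sport": "???", "dport": "???", "flags": ""}
    if rec["proto"] in ("TCP", "UDP") and len(f) >= 22:   # ICMP etc. keep the "???" placeholder
        rec["sport"], rec["dport"] = f[20], f[21]
    if rec["proto"] == "TCP" and len(f) >= 24:
        rec["flags"] = f[23]                              # e.g. "S" for a bare SYN
    return rec

def dshield_rows(log_text, user_id, year, tz="+00:00"):
    """Keep inbound packets that hit a block rule, count repeats per flow, and emit TSV rows
    in the assumed DShield order: date userid count src sport dst dport proto flags."""
    counts, first_seen = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if not rec or rec["action"] != "block" or rec["dir"] != "in":
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"], rec["flags"])
        counts[key] += 1
        first_seen.setdefault(key, rec["time"])   # syslog omits the year; the caller supplies it
    rows = []
    for key, n in sorted(counts.items()):
        when = datetime.strptime(f"{year} {first_seen[key]}", "%Y %b %d %H:%M:%S")
        rows.append("\t".join([when.strftime("%Y-%m-%d %H:%M:%S") + " " + tz,
                               str(user_id), str(n), *key]))
    return rows
```

On a real box the input would be the contents of /var/log/filter.log rather than the embedded sample, and the passed packet and the outbound block in the sample are deliberately dropped, since only inbound deny-rule hits are sensor data.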
Thanks! I used to run this, but had yet to get it moved over to the sg-4860 once I switched to that from my vm setup.
The summary emails from dshield were nice to get. I will have set this back up soon.