ISC DShield & pfSense



  • I am reading "Cyberattack, Cybercrime, Cyberware" by Mark Osborne. There is a section that talks about ISC and ISPs using home routers as a distributed IDS collecting and feeding information back to a C2. I was wondering if anyone knows if pfSense has some sort of participation in something like this.

    Here is the excerpt.

    Storm Center
    The Internet Storm Center (ISC) is run by the SANS Institute and was formed in 2001
    following SANS’s work on the “Lion Worm.” Today, the ISC provides a free analysis and
    warning service to thousands of Internet users and organizations, and it is actively working
    with Internet Service Providers to fight back against the most malicious attackers. The ISC
    relies on an all-volunteer effort to detect problems and disseminate information to the
    general public.
    DShield builds on thousands of firewalls and home broadband devices to constantly
    collect information about unwanted traffic arriving from the Internet and hitting a deny
    rule. The logs generated from these devices are sucked into DSHIELD.
    DShield turns these fairly dumb devices into a large network of distributed sensors
    (distributed IDS). Additionally, ISC provides analysts to process these feeds into
    conclusions that can be sent back to the community.


  • I got it all set up and thought I would share for people down the line.
    Download: dshield.php & dshield.sample from: https://github.com/jullrich/dshieldpfsense
    Create an account at: https://www.dshield.org/
    Edit dshield.sample with your dshield.org information. Rename it dshield.ini.
    Transfer the php and ini to a directory on your pfSense; connect with PuTTY.
    Make sure you enable SSH in the GUI.
    transfer: pscp dshield.ini user@192.168.1.2:e\ admin@192.168.1.1:/root/bin
    chmod +x /root/bin/dshield.ini - .ini
    In the pfSense GUI set up email notifications.
    cd /etc.  crontab -e  11,41 * * * * /root/bin/dshield.php
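
The script in the steps above reads the firewall log and ships it to dshield.org on the cron schedule. As an added illustration of what that pipeline does (this is not the thread's code and not the jullrich/dshieldpfsense script), the Python below parses pfSense `filterlog` lines, keeps only traffic that hit a block rule inbound on the WAN interface (the "deny rule" traffic the book excerpt describes), aggregates identical packets, and emits tab-separated records in the shape of a DShield submission line. Assumptions: the `filterlog` field layout for IPv4 TCP/UDP entries as pfSense documents it; the DShield line format is my approximation (date/time with zone, author ID, count, source IP, source port, target IP, target port, protocol, TCP flags), so check dshield.org's current submission spec before sending anything; the sample log lines, the WAN interface name `em0` and the author ID `12345` are constructed for the example. IPv6 and ICMP entries are deliberately skipped.

```python
"""Turn pfSense filterlog lines into DShield-style submission records.

Added example for illustration. Not the dshieldpfsense project's code.
DShield output format is an approximation (see lead-in); verify against dshield.org.
"""
import re
from collections import Counter
from datetime import datetime

# syslog prefix as written by pfSense: "Mar 10 02:14:07 pfSense filterlog[45318]: <csv>"
FILTERLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog\[\d+\]: (?P<csv>.*)$"
)

# Constructed sample lines (not captured from a real firewall). Addresses are
# documentation ranges. Lines 1 and 3 are duplicates to show aggregation;
# line 4 is a pass on the LAN and line 5 is outbound, so both must be dropped.
SAMPLE_LOG = """\
Mar 10 02:14:07 pfSense filterlog[45318]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,50211,0,DF,6,tcp,60,203.0.113.45,198.51.100.10,55432,23,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Mar 10 02:14:09 pfSense filterlog[45318]: 5,,,1000000103,em0,match,block,in,4,0x0,,51,0,0,none,17,udp,60,203.0.113.45,198.51.100.10,40001,5060,40
Mar 10 02:14:07 pfSense filterlog[45318]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,50212,0,DF,6,tcp,60,203.0.113.45,198.51.100.10,55432,23,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Mar 10 02:14:12 pfSense filterlog[45318]: 12,,,1000000105,em1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.50,198.51.100.10,40000,443,0,S,1,,65535,,mss
Mar 10 02:14:13 pfSense filterlog[45318]: 5,,,1000000103,em0,match,block,out,4,0x0,,64,2,0,DF,6,tcp,60,198.51.100.10,203.0.113.45,23,55432,0,S,1,,65535,,mss
"""


def parse_filterlog_line(line, year, wan_if):
    """Return a dict for a blocked inbound IPv4 TCP/UDP packet on wan_if, else None.

    filterlog fields (IPv4): 0 rule, 1 sub-rule, 2 anchor, 3 tracker, 4 interface,
    5 reason, 6 action, 7 direction, 8 ip-version, 9 tos, 10 ecn, 11 ttl, 12 id,
    13 offset, 14 flags, 15 proto-id, 16 proto-text, 17 length, 18 src, 19 dst,
    then TCP: 20 sport, 21 dport, 22 datalen, 23 tcp-flags ... / UDP: 20 sport, 21 dport, 22 datalen
    """
    m = FILTERLOG_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")  # filterlog fields never contain commas
    if len(f) < 20:
        return None
    iface, action, direction, ipver = f[4], f[6], f[7], f[8]
    if iface != wan_if or action != "block" or direction != "in" or ipver != "4":
        return None
    proto, src, dst = f[16].upper(), f[18], f[19]
    if proto == "TCP" and len(f) >= 24:
        sport, dport, flags = f[20], f[21], f[23]
    elif proto == "UDP" and len(f) >= 22:
        sport, dport, flags = f[20], f[21], ""
    else:
        return None  # ICMP/other protocols and IPv6 layouts intentionally skipped
    # syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": proto, "flags": flags}


def to_dshield_records(log_text, year, wan_if, author_id, tz="+00:00"):
    """Aggregate identical packets and format one tab-separated record per group."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line, year, wan_if)
        if rec:
            counts[(rec["ts"], rec["src"], rec["sport"], rec["dst"],
                    rec["dport"], rec["proto"], rec["flags"])] += 1
    records = []
    for (ts, src, sport, dst, dport, proto, flags), n in sorted(counts.items()):
        records.append("\t".join([
            ts.strftime("%Y-%m-%d %H:%M:%S") + " " + tz,  # assumed DShield layout
            str(author_id), str(n), src, sport, dst, dport, proto, flags,
        ]))
    return records


if __name__ == "__main__":
    for r in to_dshield_records(SAMPLE_LOG, 2024, "em0", 12345):
        print(r)
```

On a real box you would read `/var/log/filter.log` (or `clog`-decoded output on older releases) instead of `SAMPLE_LOG`, and pass the real WAN interface name from the pfSense GUI. Filtering on `block` + `in` + WAN matters: submitting pass entries or LAN-side traffic would leak internal addresses to a third party and pollute the feed.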


  • LAYER 8 Global Moderator

    Thanks!  I used to run this, but had yet to get it moved over to the sg-4860 once I switched to that from my vm setup.

    The summary emails from dshield were nice to get.  I will have to set this back up soon.

