Remote logging and DShield



  • In the spirit of giving back to the community, I like to submit my firewall logs to DShield on a daily basis. Unfortunately, since I changed to pfSense, I haven't been able to do this.

    Specifically, DShield doesn't like the format of the pfSense 2.2.2 output. I have this configured in Kiwi syslog server and DShield for pfSense, but every time the log is analyzed, every line has the error message "Rejected…Not an input block line".

    I haven't had any reply on the DShield forum.  Does anyone here have pfSense working with DShield?

    gord



  • I was hoping to find an existing discussion with instructions on how to make this work whether it be some kind of syslog server, email, or to send directly to DShield from the pfSense firewall. I am surprised this hasn't happened already.





  • Hi Firewalluser.

    I'll try your suggestion immediately, and let you know.

    Thanks



  • Hi Firewalluser:

    I've investigated the FreeBSD choices on the DShield website.

    1.  FreeBSDshield looks like what I want, but is a dead link.  When searching for it on the internet, it does show up, but again the links have gone dead.

    2.  There is a text file with some scripts from 2004, but given their age, and my lack of ability with php,  I've decided not to try them.

    DShield is aware of the problem, and one of their handlers is looking at it. He hasn't given me any specific analysis of why the existing systems don't work.

    Thanks for your efforts.



  • @Gord:

    The version that they support on the DShield site is FreeBSD 4.2 and we are now at 10.x so it is unlikely to work. Ideally there would be a package or something available on the pfSense system itself to handle this. I may post a bounty for this as I do not have the time to write one myself. Let me know if you want to contribute to the bounty.



  • Someone has done some work on fixing this, but it seems stalled at adding the package: https://github.com/Robert-Nelson/dshield-sensor-pfsense. Hopefully Robert Nelson will get it sorted.



  • I have all the work done. I fixed the dshield sensor scripts and created a pfsense package. However, after months of waiting for the package to be accepted by pfSense, I gave up and closed the ticket and the pull request.



  • I'd love to be able to submit my logs to dshield to help them - they've helped me a lot in the past. I had even considered sponsoring a bounty.

    Can you share your package?



  • Unfortunately it's a little more complicated than just sharing a package; you kinda have to go through the package manager, which wants to talk to a package repository website. Plus, since it's written in perl and pfsense doesn't have perl, you need to install a pbi.


  • LAYER 8 Global Moderator

    Why can you not just send your firewall logs from pfsense to a syslog server, and then send the logs from there to dshield?

    Don't they have a package that runs on Windows and uses Kiwi syslog?
    https://www.dshield.org/windows_clients.html



  • I run my installs on physical hardware, and would prefer not to have to run additional boxes just for logging. Most of my pfsense boxes have plenty of spare cycles to bundle up logs and submit them to Dshield for their analysis.



  • The problem is not so much one of physically getting the data to dshield, although that is part of it. The main issue is parsing the logs and getting the information reformatted into the proper format for submission. Remotely logging them just moves the problem to another machine, one that doesn't have the scripts built into pfsense to help with the parsing.
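To make the parsing step that post describes concrete, here is an added example (not the dshield-sensor-pfsense package and not code from anyone in this thread) that turns blocked pfSense 2.2 filterlog lines into DShield-style records. It assumes the filterlog CSV field order and the DShield tab-separated record layout as I recall them from the two projects' public docs, and it takes the year and timezone from the caller because syslog timestamps carry neither.

```python
"""Convert pfSense 2.2 filterlog syslog lines into DShield-style records.

Assumptions (not from the thread): the filterlog IPv4 CSV field order and the
DShield tab-separated layout (date, time, tz, user id, count, src ip, src port,
dst ip, dst port, protocol, tcp flags) are from memory of the public docs;
verify both against current documentation before submitting real data.
"""
import re
from datetime import datetime

# Syslog prefix as pfSense emits it: "May 10 12:34:56 <host> filterlog: <csv>"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog: (.*)$")

# Constructed sample: two blocked inbound packets (TCP SYN, UDP) and one passed.
SAMPLE_LOG = """\
May 10 12:34:56 pfsense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,192.0.2.10,54321,22,0,S,1234567890,,65535,,mss
May 10 12:35:01 pfsense filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,78,203.0.113.7,192.0.2.10,41000,53,58
May 10 12:35:02 pfsense filterlog: 70,,,1000000104,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.4,192.0.2.10,50000,443,0,S,1,,65535,,mss
"""


def to_dshield(line, year, tz="+00:00", user_id="0"):
    """Return one tab-separated DShield record, or None when the line is not a
    blocked inbound IPv4 TCP/UDP entry (DShield only wants dropped traffic)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    f = m.group(2).split(",")
    # filterlog IPv4 indices: 6=action, 7=direction, 8=ip version, 16=protocol,
    # 18=src, 19=dst, 20=src port, 21=dst port, 23=tcp flags (TCP only)
    if len(f) < 22 or f[6] != "block" or f[7] != "in" or f[8] != "4":
        return None
    proto = f[16].upper()
    if proto not in ("TCP", "UDP"):
        return None
    flags = f[23] if proto == "TCP" and len(f) > 23 else ""
    return "\t".join([stamp.strftime("%Y-%m-%d"), stamp.strftime("%H:%M:%S"), tz,
                      user_id, "1", f[18], f[20], f[19], f[21], proto, flags])


def convert(lines, year, tz="+00:00", user_id="0"):
    """Convert a batch of syslog lines, dropping anything DShield would reject."""
    recs = (to_dshield(l, year, tz, user_id) for l in lines)
    return [r for r in recs if r is not None]


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_LOG.splitlines(), 2015, "-05:00")))
```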



  • Any luck getting pfsense to include it? It looked as if there was a way to manually pull down perl, or maybe just turn it into a zip or tar with perl if pfsense



  • Just bumping this back up. I think this should happen at some point.

