Netgate Discussion Forum

Remote logging and DShield

  • F
    firewalluser
    last edited by May 26, 2015, 4:02 PM

    No joy with this then? https://www.dshield.org/linux_clients.html#freebsd

    Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

    Asch Conformity, mainly the blind leading the blind.

    • T
      telserv
      last edited by May 26, 2015, 4:26 PM

      Hi Firewalluser.

      I'll try your suggestion immediately, and let you know.

      Thanks

      • T
        telserv
        last edited by May 26, 2015, 4:36 PM

        Hi Firewalluser:

        I've investigated the FreeBSD choices on the DShield website.

        1.  FreeBSDshield looks like what I want, but is a dead link.  When searching for it on the internet, it does show up, but again the links have gone dead.

        2.  There is a text file with some scripts from 2004, but given their age, and my lack of ability with php,  I've decided not to try them.

        DShield is aware of the problem, and one of their handlers is looking at it.  He hasn't given me any specific analysis of why the existing systems don't work.

        Thanks for your efforts.

        • Z
          zerodamage
          last edited by May 26, 2015, 4:52 PM May 26, 2015, 4:40 PM

          @Gord:

          Hi Firewalluser:

          I've investigated the FreeBSD choices on the DShield website.

          1.  FreeBSDshield looks like what I want, but is a dead link.  When searching for it on the internet, it does show up, but again the links have gone dead.

          2.  There is a text file with some scripts from 2004, but given their age, and my lack of ability with php,  I've decided not to try them.

          DShield is aware of the problem, and one of their handlers is looking at it.  He hasn't given me any specific analysis of why the existing systems don't work.

          Thanks for your efforts.

          The version that they support on the DShield site is FreeBSD 4.2 and we are now at 10.x so it is unlikely to work. Ideally there would be a package or something available on the pfSense system itself to handle this. I may post a bounty for this as I do not have the time to write one myself. Let me know if you want to contribute to the bounty.

          • I
            iced
            last edited by Jun 10, 2015, 2:17 PM

            Someone has done some work on fixing this, but it seems stalled at adding the package: https://github.com/Robert-Nelson/dshield-sensor-pfsense. Hopefully Robert Nelson will get it sorted.

            • R
              robertn
              last edited by Jun 10, 2015, 2:51 PM

              I have all the work done. I fixed the dshield sensor scripts and created a pfsense package.  However, after months of waiting for the package to be accepted by pfSense, I gave up and closed the ticket and the pull request.

              • V
                va176thunderbolt
                last edited by Jun 13, 2015, 12:11 PM

                I'd love to be able to submit my logs to dshield to help them - they've helped me a lot in the past. I had even considered sponsoring a bounty.

                Can you share your package?

                • R
                  robertn
                  last edited by Jun 16, 2015, 5:33 AM

                  Unfortunately it's a little more complicated than just sharing a package; you kinda have to go through the package manager, which wants to talk to a package repository website.  Plus, since it's written in perl and pfsense doesn't have perl, you need to install a pbi.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Jun 16, 2015, 11:37 AM

                    Why can you not just send your firewall logs from pfsense to a syslog server, and then send the logs from there to dshield?

                    Don't they have a package that runs on Windows and uses the Kiwi syslog?
                    https://www.dshield.org/windows_clients.html

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • V
                      va176thunderbolt
                      last edited by Jun 17, 2015, 2:46 AM

                      I run my installs on physical hardware, and would prefer to run have to run additional boxes just for logging. Most of my pfsense boxes have plenty of spare cycles to bundle up logs and submit them to Dshield for their analysis.

                      • R
                        robertn
                        last edited by Jun 17, 2015, 5:58 AM

                        The problem is not so much one of physically getting the data to dshield, although that is part of it.  The main issue is parsing the logs and getting the information reformatted into the proper format for submission.  Remotely logging them just moves the problem to another machine, one that doesn't have the scripts built in to pfsense to help with the parsing.

                        1 Reply Last reply Reply Quote 0
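The parsing step described in the post above, as an added example that is not part of the thread and is not code from the dshield-sensor-pfsense package. It assumes the comma-separated `filterlog` line layout of pfSense 2.2 and a tab-separated DShield record (timestamp, user ID, count, source IP and port, target IP and port, protocol, TCP flags); neither layout is spelled out on this page, the user ID `0` is a placeholder, and only blocked inbound IPv4 TCP/UDP packets are converted.

```python
import csv
from datetime import datetime

# Constructed sample syslog lines (documentation IP ranges), assumed filterlog layout.
SAMPLE = [
    "May 26 16:02:11 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,"
    "0x0,,64,4242,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,51234,22,0,S,1234567,,29200,,mss",
    "May 26 16:02:12 pfSense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,"
    "0x0,,64,4243,0,none,17,udp,78,203.0.113.9,198.51.100.10,5060,5060,58",
    "May 26 16:02:13 pfSense filterlog: 70,16777216,,1432000000,em0,match,pass,in,4,"
    "0x0,,64,4244,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,51300,443,0,S,7654321,,29200,,mss",
    "May 26 16:02:14 pfSense php-fpm[311]: /index.php: Successful login",
]


def to_dshield(line, year, userid, tz="+00:00"):
    """Return one tab-separated record for a blocked inbound IPv4 TCP/UDP packet, else None."""
    head, sep, body = line.partition(" filterlog: ")
    if not sep:
        return None  # not a firewall log line
    f = next(csv.reader([body]))
    # Fields 0-8 are common to all packets; the indexes used below are the IPv4 layout.
    if len(f) < 22 or f[6] != "block" or f[7] != "in" or f[8] != "4":
        return None
    proto = f[16].upper()
    if proto not in ("TCP", "UDP"):
        return None  # ICMP and others carry no ports; left out of this example
    # Classic syslog timestamps omit the year and zone, so the caller supplies both.
    stamp = datetime.strptime(f"{year} {head[:15]}", "%Y %b %d %H:%M:%S")
    flags = f[23] if proto == "TCP" and len(f) > 23 else ""
    return "\t".join([f"{stamp:%Y-%m-%d %H:%M:%S} {tz}", userid, "1",
                      f[18], f[20], f[19], f[21], proto, flags])


def convert(lines, year, userid, tz="+00:00"):
    """Convert every usable line; pass rules and non-firewall lines are dropped."""
    return [r for r in (to_dshield(l, year, userid, tz) for l in lines) if r]


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE, 2015, "0")))
```

The same function runs unchanged on the firewall itself or on a remote syslog host, since it only needs the raw `filterlog` lines.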
                        • I
                          iced
                          last edited by Sep 4, 2015, 9:55 AM

                          Any luck getting pfsense to include it? It looked as if there was a way to manually pull down perl, or maybe just turn it into a zip or tar with perl if pfsense

                          • Z
                            zerodamage
                            last edited by Mar 20, 2016, 10:37 PM

                            Just bumping this back up. I think this should happen at some point.
