search

DShield-ISC / dshield

DShield Raspberry Pi Sensor
https://www.dshield.org
GNU General Public License v2.0
450 stars 84 forks source link

Local Reporting #179

Open jjobe724 opened 3 years ago

jjobe724 commented 3 years ago

I have a 10.x network in each of two schools. I have setup the Raspberry Pi 4s with DShield and they appear to be working. When I open the firewall rules to allow connectivity I see in excess of 600 connection attempts from outside the school reported on DShield.

The Raspberry PIs are on a different subnet as the regular users in our schools and although the firewall and ignore rules should allow the users on other subnets to be picked up and reported it is the case that when I attack from the other subnet there is no report of it. The other network is still 10.x but a different subnet. It is looking like DShield doesn't record attacks from 10.x addresses? Is that the case. If so, can it be adjusted?

I have a lot of people bringing in devices from home as well as visitors. If they were to bring in something and it tried to connect to the honeypot for any reason I'd be tipped off that there machine was most likely carrying a bad payload of some sort and could basically deny them access to the network (they could still connect but would get no return traffic from anything so problem solved).

I'm leaning towards attacks from devices being dragged in from outside our organization is the bigger threat as compared with those trying to come in through the firewall.

Thanks, John

jullrich commented 3 years ago

I will make this a new feature request. To the central reporting, the 10.x addresses do not "mean" anything, so they are not sent to the central DShield server. But I think there may be an opportunity to report these locally better.

jjobe724 commented 3 years ago

Yeah, even just being able to pull those records locally would be great. Thank you!

freekdk commented 3 years ago

When my pull request is accepted I will look into this enhancement, which should not be too difficult to implement. My idea is to make loglines for specific IP-addresses with a string other than DSHIELDINPUT, which can be collected with a config file like /etc/rsyslog.d/dshield.conf. It is up to the requestor to process the generated log file.

freekdk commented 2 years ago

I did not implement your request in the regular packet, but made a document which describes how you can log access attempt from local addresses. In your case this would be 10.x address ranges. See the document dshield/LocalAdressLogging.md .