Local Reporting #179

Open
jjobe724 opened this issue Jan 22, 2021 · 4 comments
Comments

@jjobe724

I have a 10.x network in each of two schools. I have set up the Raspberry Pi 4s with DShield and they appear to be working. When I open the firewall rules to allow connectivity I see in excess of 600 connection attempts from outside the school reported on DShield.

The Raspberry Pis are on a different subnet from the regular users in our schools, and although the firewall and ignore rules should allow the users on other subnets to be picked up and reported, it is the case that when I attack from the other subnet there is no report of it. The other network is still 10.x but a different subnet. It is looking like DShield doesn't record attacks from 10.x addresses? Is that the case? If so, can it be adjusted?

I have a lot of people bringing in devices from home as well as visitors. If they were to bring in something and it tried to connect to the honeypot for any reason, I'd be tipped off that their machine was most likely carrying a bad payload of some sort and could basically deny them access to the network (they could still connect but would get no return traffic from anything, so problem solved).

I'm leaning towards attacks from devices being dragged in from outside our organization being the bigger threat, as compared with those trying to come in through the firewall.

Thanks,
John

@jullrich
Contributor

I will make this a new feature request. To the central reporting, the 10.x addresses do not "mean" anything, so they are not sent to the central DShield server. But I think there may be an opportunity to report these locally better.

@jjobe724
Author

Yeah, even just being able to pull those records locally would be great. Thank you!

@freekdk
Contributor

freekdk commented Nov 25, 2021

When my pull request is accepted I will look into this enhancement, which should not be too difficult to implement. My idea is to make log lines for specific IP addresses with a string other than DSHIELDINPUT, which can be collected with a config file like /etc/rsyslog.d/dshield.conf. It is up to the requestor to process the generated log file.
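As an added example of the approach freekdk sketches above (this is not code from the dshield project or from any commenter): local-subnet probes get their own iptables log prefix, rsyslog routes lines carrying that prefix to a separate file, and a small script summarises that file. The prefix DSHIELDLOCAL, the path /var/log/dshield-local.log and the log lines in SAMPLE_LOG are all assumptions constructed for this example; the iptables LOG target and the rsyslog property-based filter syntax are standard.

```shell
#!/bin/sh
# Added example, not part of the dshield project.
#
# Assumed setup (mirrors the idea in the comment above):
#   1. An iptables LOG rule, placed ahead of the honeypot rules, that tags
#      traffic arriving from the local 10.0.0.0/8 range with its own prefix:
#        iptables -I INPUT -s 10.0.0.0/8 -j LOG --log-prefix "DSHIELDLOCAL "
#   2. A rule in /etc/rsyslog.d/dshield.conf that writes those lines to a
#      file of their own (file name is an assumption):
#        :msg, contains, "DSHIELDLOCAL" /var/log/dshield-local.log
# The functions below parse that file; run them as
#   local_attempts < /var/log/dshield-local.log

# Constructed sample of kernel LOG lines as rsyslog would write them.
# One DSHIELDINPUT line is included to show it is filtered out.
SAMPLE_LOG='Jan 22 10:01:02 dshield kernel: DSHIELDLOCAL IN=eth0 OUT= SRC=10.20.5.17 DST=10.30.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 22 10:01:03 dshield kernel: DSHIELDLOCAL IN=eth0 OUT= SRC=10.20.5.17 DST=10.30.0.5 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 22 10:01:04 dshield kernel: DSHIELDINPUT IN=eth0 OUT= SRC=198.51.100.9 DST=10.30.0.5 LEN=60 TTL=49 PROTO=TCP SPT=4444 DPT=2222 SYN
Jan 22 10:01:05 dshield kernel: DSHIELDLOCAL IN=eth0 OUT= SRC=10.20.7.42 DST=10.30.0.5 LEN=44 TTL=64 PROTO=UDP SPT=40000 DPT=161'

# local_attempts: read log lines on stdin, keep only DSHIELDLOCAL lines whose
# source address is inside 10.0.0.0/8, and print "SRC PROTO DPT" per line.
local_attempts() {
    awk '/DSHIELDLOCAL/ {
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        # 10.0.0.0/8 is every address whose first octet is 10
        if (src ~ /^10\./) print src, proto, dpt
    }'
}

# count_local_attempts: number of local-subnet probes in the input.
count_local_attempts() {
    local_attempts | wc -l | tr -d ' '
}

# top_local_sources: per-source counts, busiest first, as "count src".
# A home or visitor device that shows up here repeatedly is the signal the
# original poster wanted.
top_local_sources() {
    local_attempts | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_local_sources
```

The awk filter keys on the log prefix, not on the DShield log format as a whole, so the same functions work on /var/log/dshield-local.log and on a mixed file. If the honeypot also listens on a 172.16/12 or 192.168/16 range, extend both the iptables `-s` match and the `src ~` test accordingly.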

@freekdk
Contributor

freekdk commented Jan 11, 2022

I did not implement your request in the regular package, but made a document which describes how you can log access attempts from local addresses. In your case this would be 10.x address ranges. See the document dshield/LocalAdressLogging.md .
