Request For Syslogs!! Yes, YOURS!

Hey guys, I’m working on a threat detection system to go with the filter lists that I provide. The system is dependent on routers reporting what they are dropping. If you would like to join in, here is the code you need.

# Remote syslog target: BSD-format UDP syslog to the collector, facility local0
/system logging action
add bsd-syslog=yes name=syslog remote=172.102.241.60 remote-port=10514 syslog-facility=local0 target=remote

# Rule 0 is the default "info -> memory" rule; exclude firewall so drops don't fill the local log
# Then send firewall and info topics to the remote action defined above
/system logging
set 0 topics=info,!firewall
add action=syslog topics=firewall,info

# Default drop on the input chain with logging on; log-prefix tags the lines for the collector
/ip firewall filter
add action=drop chain=input comment="Default Drop, Send to syslog" log=yes log-prefix=drop

You need to make sure that your “Default Drop” rule has logging enabled.

The more data I get, the safer we can make the internet!

Interested in this idea. I will think about it. What is your presumed algorithm, roughly?

I’m in the VERY early stages right now.
Currently I’m just collecting the data and building analytics to understand what is really a threat and what is just noise.
I’m using Graylog as a collection / processing system, then passing the relevant hits to a proprietary app that makes the choice on banning the source. Right now it’s using a weighted system… number of source hits vs the port it’s hitting.

you can see some of the stats here: https://threat.intrustech.com/ user: guest and password: guest1234
The data isn’t clean right now - as I keep flushing the database every few hours when I make commits to the code.
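To make the "source hits weighted by target port" idea concrete, here is an added example that is not the thread author's proprietary app and not code posted in the thread. It parses the firewall drop lines that a `log=yes log-prefix=drop` rule like the one above produces once forwarded as BSD syslog, sums a per-port weight for every hit from each source address, and lists the sources that cross a ban threshold. The sample log lines are constructed, and the port weights, the threshold, the hostnames and the addresses are illustrative assumptions; the regex assumes the RouterOS layout `<prefix> <chain>: ... proto <PROTO>[ (flags)], src[:port]->dst[:port]`, with ICMP lines carrying no ports.

```python
"""Score dropped-packet syslog lines from a MikroTik default-drop rule.

Added example of a weighted "source hits vs. port hit" scorer. Port weights,
threshold and sample data are assumptions for illustration only.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample input modelled on RouterOS firewall log lines as they
# arrive over BSD syslog. Hostnames, interfaces and addresses are invented.
SAMPLE_LOGS = [
    "<134>Mar  3 10:15:01 gw1 firewall,info drop input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 203.0.113.5:51022->198.51.100.1:22, len 60",
    "<134>Mar  3 10:15:02 gw1 firewall,info drop input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 203.0.113.5:51023->198.51.100.1:23, len 60",
    "<134>Mar  3 10:15:03 gw1 firewall,info drop input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 203.0.113.5:51024->198.51.100.1:3389, len 60",
    # ICMP drop: no ports on either side of the arrow.
    "<134>Mar  3 10:15:04 gw1 firewall,info drop input: in:ether1 out:(unknown 0), "
    "proto ICMP (type 8, code 0), 203.0.113.5->198.51.100.1, len 84",
    "<134>Mar  3 10:15:05 gw2 firewall,info drop input: in:ether1 out:(unknown 0), "
    "proto UDP, 192.0.2.77:40000->198.51.100.2:5060, len 420",
    "<134>Mar  3 10:15:06 gw1 firewall,info drop input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 198.51.100.9:44000->198.51.100.1:443, len 60",
    # A non-firewall line that the parser must ignore.
    "<134>Mar  3 10:15:07 gw1 system,info,account user admin logged in from 10.0.0.2 via winbox",
]

# Assumed weights: frequently brute-forced services count more than a stray
# probe. Unlisted ports, and ICMP (no port), score DEFAULT_WEIGHT.
PORT_WEIGHTS: Dict[Optional[int], int] = {22: 5, 23: 5, 3389: 5, 445: 4, 5060: 3}
DEFAULT_WEIGHT = 1
BAN_THRESHOLD = 10  # assumed cut-off for this example

# "<prefix> <chain>: ... proto <PROTO>[ (flags)], src[:port]->dst[:port]"
DROP_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>input|output|forward): .*?"
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)


def parse_drop_line(line: str) -> Optional[dict]:
    """Return the fields of a firewall log line, or None for anything else."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "chain": m.group("chain"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
    }


def port_weight(dport: Optional[int]) -> int:
    """Weight of one hit against the given destination port (None for ICMP)."""
    return PORT_WEIGHTS.get(dport, DEFAULT_WEIGHT)


def score_sources(lines: Iterable[str], prefix: str = "drop") -> Dict[str, int]:
    """Sum port weights per source over lines tagged with the given log-prefix."""
    scores: Dict[str, int] = defaultdict(int)
    for line in lines:
        hit = parse_drop_line(line)
        if hit is None or hit["prefix"] != prefix:
            continue
        scores[hit["src"]] += port_weight(hit["dport"])
    return dict(scores)


def sources_to_ban(scores: Dict[str, int], threshold: int = BAN_THRESHOLD) -> List[str]:
    """Sources at or above the threshold, highest score first, ties by address."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [src for src, s in ranked if s >= threshold]


if __name__ == "__main__":
    totals = score_sources(SAMPLE_LOGS)
    for src, s in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} score={s}")
    print("ban:", sources_to_ban(totals))
```

Feeding the constructed sample through `score_sources` gives 203.0.113.5 a score of 16 (three high-weight ports plus one ICMP probe), 192.0.2.77 a 3 and 198.51.100.9 a 1, so only the first source crosses the assumed threshold of 10. In a real deployment the weights would be tuned against the noise baseline the thread describes, and lines with a different `log-prefix` are ignored so that other logging rules do not feed the scorer.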