====== PFSense - Suricata - Alerts - ET DROP Dshield Block Listed Source group 1 ======

One of the main regularly updated threat feeds is an IP list of known-bad addresses. These IP addresses can be marked bad from various sources.

----

This signature simply alerts when any inbound traffic matches any IP from the [[https://www.dshield.org/block.txt|DShield block list]]. This list is created by the ISC (Internet Storm Center), which provides threat intelligence and analysis. See [[https://dshield.org/about.html|dshield.org]] for more info.

Here are a few good sentences regarding DShield:

  * The ISC uses the DShield distributed intrusion detection system for data collection and analysis.
  * DShield collects data about malicious activity from across the Internet.
  * This data is cataloged and summarized and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules.

This particular rule is for the top 20 block list. If you saw this rule fire, it indicates that you observed traffic from one of these subnets deemed bad. This was likely internet recon/scanning traffic looking for open ports, vulnerabilities, etc.
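The triage step a defender usually wants after this alert fires is to confirm the source against the current block list, since the top 20 list is rebuilt regularly and the rule set loaded in Suricata can lag behind it. The following added example (not from this wiki or from Suricata/DShield) parses an excerpt in the tab-delimited layout that block.txt documents in its own header comment and checks the src_ip of matching Suricata EVE JSON alerts against it; both the list excerpt and the EVE records are constructed sample data using RFC 5737 test ranges.

```python
import ipaddress
import json

# Constructed excerpt in block.txt layout (header comment, then tab-separated
# rows: start, end, prefix length, targets scanned, name, country, contact).
# Uses RFC 5737 test ranges; not live DShield data.
BLOCK_TXT = """\
#   DShield.org Recommended Block List (constructed sample)
203.0.113.0\t203.0.113.255\t24\t1190\tEXAMPLE-NET-A\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t845\tEXAMPLE-NET-B\tXX\tabuse@example.org
"""

SIG = "ET DROP Dshield Block Listed Source group 1"

# Constructed Suricata EVE JSON records: two alerts plus an unrelated flow event.
EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.45", "dest_ip": "192.0.2.1",
                "dest_port": 22, "alert": {"signature": SIG}}),
    json.dumps({"event_type": "alert", "src_ip": "192.0.2.77", "dest_ip": "192.0.2.1",
                "dest_port": 443, "alert": {"signature": SIG}}),
    json.dumps({"event_type": "flow", "src_ip": "203.0.113.45", "dest_ip": "192.0.2.1"}),
]

def parse_block_list(text):
    """Map each listed netblock to its 'targets scanned' count, skipping comments."""
    nets = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        start, prefix, targets = fields[0], int(fields[2]), int(fields[3])
        nets[ipaddress.ip_network(f"{start}/{prefix}", strict=False)] = targets
    return nets

def triage_alerts(eve_lines, nets, signature=SIG):
    """Check each alert's src_ip against the current list; the list is rebuilt
    regularly, so a miss means the loaded rule set lags the feed."""
    results = []
    for raw in eve_lines:
        ev = json.loads(raw)
        if ev.get("event_type") != "alert" or ev.get("alert", {}).get("signature") != signature:
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        hit = next((n for n in nets if src in n), None)
        results.append({"src_ip": ev["src_ip"], "dest_port": ev.get("dest_port"),
                        "on_current_list": hit is not None,
                        "netblock": str(hit) if hit is not None else None,
                        "targets_scanned": nets.get(hit)})
    return results
```

Calling ''triage_alerts(EVE_LINES, parse_block_list(BLOCK_TXT))'' reports the first alert as still listed (203.0.113.0/24, 1190 targets) and the second as no longer on the list, which is the signal to refresh the rule set before treating the second source as confirmed scanner traffic.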