Joining D4 communities
D4 servers can be operated by communities of security researchers and practitioners to collect and analyze data at a bigger scale that one could operate on its own. CIRCL operates several D4 servers among which one (crq.circl.lu) is open to anyone interested in sharing data publicly under the realm of D4-project. D4-project intends to share publicly the results of the analyses performed on the submitted data through a MISP instance.
What kind of data
crq.circl.lu accepts the following data types:
|1||pcap (libpcap 2.4)|
|2 - ja3-jl||sensor-d4-tls-fingerprinting json output|
|2 - suricata-eve||suricata eve json output|
|3||generic log lines, in particular ssh authentication logs|
|8||passivedns CSV stream|
D4 sensor generator
crq.circl.lu hosts a d4-sensor-generator instance at the following location: https://sensor.d4-project.org/. The sensor generator eases user on-boarding by automating the sensor configuration and part of its registration on crq. Adding a sensor to crq using the generator is a 7-step process:
- Specify whehter you prefer configuring a C or a Golang Client:
- Specify for which OS and architecture you want this client:
- Select which type of data this client should send:
- Select what is the destination server:
- Optionally give contact information:
- Download the resulting archive:
The archive contains the client compiled for the os/architecture (as well as the source code), and a
configs folder containing the preconfigured settings for your sensor.
approval and D4-MISP access
Once the sensor is generated, its uuid is registered on the server but it still needs to be manually approved for the server to accept the data sent. In order to be able to send data, you need to send an email to email@example.com containing: the sensor uuid (located in configs/uuid) and your PGP public key. Following this:
- we will approve the sensor and send you back a passphrase for this sensor,
- we set up a MISP account on D4-MISP for you to have access to the analysis results,
- we set up pdns / pssl API access for your to use.