From owner-freebsd-net@FreeBSD.ORG  Thu Apr  7 17:54:58 2011
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E6746106564A
	for <freebsd-net@freebsd.org>; Thu,  7 Apr 2011 17:54:57 +0000 (UTC)
	(envelope-from ermal.luci@gmail.com)
Received: from mail-iw0-f182.google.com (mail-iw0-f182.google.com
	[209.85.214.182])
	by mx1.freebsd.org (Postfix) with ESMTP id AB1EF8FC0A
	for <freebsd-net@freebsd.org>; Thu,  7 Apr 2011 17:54:57 +0000 (UTC)
Received: by iwn33 with SMTP id 33so3251947iwn.13
	for <freebsd-net@freebsd.org>; Thu, 07 Apr 2011 10:54:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:sender:in-reply-to:references:date
	:x-google-sender-auth:message-id:subject:from:to:cc:content-type
	:content-transfer-encoding;
	bh=QuVBy2UKWaiZbp8gO16ggqiNyhUt30OedGk3dFMq3sE=;
	b=mCTDW0rnzb05e4uAVp8ZwpG50XFh760CruX8YXW2xZz8rw44AiGqztOsLDxriYixGJ
	vUTRY4vgqiGGSHTmU91WFxNwEqkL+KiLKFPRjWzIVHcK9NKYZM9l8M6kbmnPuGVtjvhZ
	d2blRD09QonGXAEH2ANWTH96w7oPYuvJ2TrEo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:sender:in-reply-to:references:date
	:x-google-sender-auth:message-id:subject:from:to:cc:content-type
	:content-transfer-encoding;
	b=BqakgmbjH0tNZVCChAJWNc7+L/THPegLmnc/Sdia0EBli+uIh7bUnOT+IFFRN5v8Az
	OitPGqRwyjgYO7LtzSP7PuLH24ppYyibh5EjLi0Z9fJPb1GsKjM/O6+Odd12RXj6bEtl
	I9Xb2BERIF2JBYjXWvmc04ITijNTfpijVHFWU=
MIME-Version: 1.0
Received: by 10.231.3.142 with SMTP id 14mr1225586ibn.84.1302198896245; Thu,
	07 Apr 2011 10:54:56 -0700 (PDT)
Sender: ermal.luci@gmail.com
Received: by 10.231.160.75 with HTTP; Thu, 7 Apr 2011 10:54:56 -0700 (PDT)
In-Reply-To: <BANLkTim71WDHb5fSTkCPP+1Xf9-KnpbGtg@mail.gmail.com>
References: <BANLkTi=fMCfzJrTavK3Pe0zUXHbQgpPE=Q@mail.gmail.com>
	<BANLkTimVE9KX20PX8VGe+pZ3URYHqiNP8g@mail.gmail.com>
	<BANLkTim71WDHb5fSTkCPP+1Xf9-KnpbGtg@mail.gmail.com>
Date: Thu, 7 Apr 2011 19:54:56 +0200
X-Google-Sender-Auth: epASFMriw4NKiTxFqR9oCejf0W4
Message-ID: <BANLkTimLFg-BbUE5f5s=BhEp2h-ispRUyw@mail.gmail.com>
From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org>
To: Quentin Narvor <quentin.narvor@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-net@freebsd.org, nicolas.greneche@univ-orleans.fr
Subject: Re: [PATCH] New feature in Packet Filter
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2011 17:54:58 -0000

On Thu, Apr 7, 2011 at 5:14 PM, Quentin Narvor <quentin.narvor@gmail.com> w=
rote:
> 2011/4/7 Ermal Lu=E7i <eri@freebsd.org>
>
>> On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor
>> <quentin.narvor@gmail.com> wrote:
>> > Hello,
>> >
>> > My name is Quentin Narvor and I am currently working on intrusion
>> detection.
>> > I use Freebsd 8.2 and I recently needed pf to be able to dynamically f=
ill
>> in
>> > tables according pass rule.
>> >
>> > For performances reasons, I didn't want to do it with a script and pfc=
tl.
>> > Then, with the help of Mr Nicolas Greneche, I made this patch named
>> "add".
>> > It enables pf to add src ip or dst ip in a table when a match occurs o=
n a
>> > pass rule.
>> >
>>
>> I cannot see, apart collecting ips in tables, anything else that
>> cannot be done through pf(4) tags!
>> Can you please describe a use case for this patch?
>
>
> Indeed, it enables pf to change its behaviour toward some hosts dynamical=
ly.
> I will build a blacklist of ip which have been recognized as compromized
> (botnets, spam, etc). I build a table with thoses IP.
>
> If I match a connection between one host of my internal network and one
> blacklisted ip, there are chances that this host is infected.
> I want to do a comprehensive capture of this host connections by adding s=
rc
> ip to a table of hosts to watch. A dup-to rule dump traffic from "host to
> watch" table to a sensor.
>
> Here are the rules :
> pass in on $int_if from any to <blacklist> add ipsrc <infected_hosts>
> pass in on $int_if dup-to ($sensor_if, sensor_ip) from <infected_hosts> t=
o
> any

Hmm, the below should work.

.....
pass in on $int_if from any to <blacklist> tag SUSPECT
pass in on $int_if dup-to ($sensor_if, sensor_ip) from all tagged SUSPECT
.....


>
> Unless I miss something, I think it is not possible to make this example
> just with pf(4) tags : it would have been possible if I wanted to copy on=
ly
> the traffic between my hosts and botnets.
>
>
>> > I submit this patch to your attention. Is this feature is of interest =
to
>> be
>> > added in PF mainstream ?
>> >
>> > You will find the patch and its documentation in attachment.
>> > Let me know if you think that some modifications are needed.
>> >
>> > Best regards,
>> >
>> > Quentin Narvor
>> >
>> > _______________________________________________
>> > freebsd-net@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>> >
>>
>>
>>
>> --
>> Ermal
>>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>



--=20
Ermal