Date:      Thu, 7 Apr 2011 19:54:56 +0200
From:      Ermal Luçi <eri@freebsd.org>
To:        Quentin Narvor <quentin.narvor@gmail.com>
Cc:        freebsd-net@freebsd.org, nicolas.greneche@univ-orleans.fr
Subject:   Re: [PATCH] New feature in Packet Filter
Message-ID:  <BANLkTimLFg-BbUE5f5s=BhEp2h-ispRUyw@mail.gmail.com>
In-Reply-To: <BANLkTim71WDHb5fSTkCPP+1Xf9-KnpbGtg@mail.gmail.com>
References:  <BANLkTi=fMCfzJrTavK3Pe0zUXHbQgpPE=Q@mail.gmail.com> <BANLkTimVE9KX20PX8VGe+pZ3URYHqiNP8g@mail.gmail.com> <BANLkTim71WDHb5fSTkCPP+1Xf9-KnpbGtg@mail.gmail.com>

On Thu, Apr 7, 2011 at 5:14 PM, Quentin Narvor <quentin.narvor@gmail.com> wrote:
> 2011/4/7 Ermal Luçi <eri@freebsd.org>
>
>> On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor
>> <quentin.narvor@gmail.com> wrote:
>> > Hello,
>> >
>> > My name is Quentin Narvor and I am currently working on intrusion
>> > detection.
>> > I use FreeBSD 8.2 and I recently needed pf to be able to dynamically
>> > fill in tables according to a pass rule.
>> >
>> > For performance reasons, I didn't want to do it with a script and
>> > pfctl. Then, with the help of Mr Nicolas Greneche, I made this patch
>> > named "add".
>> > It enables pf to add the src IP or dst IP to a table when a match
>> > occurs on a pass rule.
>> >
>>
>> I cannot see, apart from collecting IPs in tables, anything else that
>> cannot be done through pf(4) tags!
>> Can you please describe a use case for this patch?
>
>
> Indeed, it enables pf to change its behaviour toward some hosts dynamically.
> I will build a blacklist of IPs which have been recognized as compromised
> (botnets, spam, etc.). I build a table with those IPs.
>
> If I match a connection between one host of my internal network and one
> blacklisted IP, there is a chance that this host is infected.
> I want to do a comprehensive capture of this host's connections by adding
> the src IP to a table of hosts to watch. A dup-to rule dumps traffic from
> the "hosts to watch" table to a sensor.
>
> Here are the rules:
> pass in on $int_if from any to <blacklist> add ipsrc <infected_hosts>
> pass in on $int_if dup-to ($sensor_if sensor_ip) from <infected_hosts> to any

Hmm, the below should work.

.....
pass in on $int_if from any to <blacklist> tag SUSPECT
pass in on $int_if dup-to ($sensor_if sensor_ip) all tagged SUSPECT
.....


>
> Unless I miss something, I think it is not possible to make this example
> just with pf(4) tags: it would have been possible if I wanted to copy only
> the traffic between my hosts and botnets.
>
>
>> > I submit this patch to your attention. Is this feature of interest to
>> > be added in PF mainstream?
>> >
>> > You will find the patch and its documentation in attachment.
>> > Let me know if you think that some modifications are needed.
>> >
>> > Best regards,
>> >
>> > Quentin Narvor
>> >
>> > _______________________________________________
>> > freebsd-net@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>> >
>>
>>
>>
>> --
>> Ermal
>>
>



-- 
Ermal
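The script below is an added example; it is not code from this thread, from the proposed patch or from the FreeBSD project. It makes concrete the userland route that the original poster said he wanted to avoid for performance reasons: the pass rule carries pf's existing "log" option, pflog(4) is read with tcpdump(8), and each matching source address is pushed into the table with pfctl(8). The interface name em0, the table name infected_hosts, the pf.conf lines in the comment and the pflog sample lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): userland equivalent of the proposed
# "add ipsrc <table>" keyword, built from pf's existing "log" option plus
# pfctl(8). The poster rejected this approach for performance reasons; it
# is shown here so the comparison with the in-kernel patch is concrete.
#
# Assumed pf.conf rules (an assumption, not from the thread):
#   pass in log on $int_if from any to <blacklist>
#   pass in on $int_if dup-to ($sensor_if sensor_ip) from <infected_hosts> to any

INT_IF="${INT_IF:-em0}"          # assumed internal interface name
TABLE="${TABLE:-infected_hosts}" # assumed table name
PFCTL="${PFCTL:-pfctl}"          # set PFCTL=echo for a dry run

# extract_src: read "tcpdump -n -e -ttt -l -i pflog0" lines on stdin and
# print the source IPv4 address of every packet that matched a "pass in"
# rule on INT_IF, one per line, each address only once.
extract_src() {
    awk -v iface="$INT_IF" '
        # Only lines for a pass-in match on our interface are of interest.
        index($0, "(match): pass in on " iface ":") == 0 { next }
        {
            # Text after "on em0: " starts with "src[.port] > dst[.port]:".
            split($0, parts, "on " iface ": ")
            split(parts[2], hostport, " ")
            src = hostport[1]
            # TCP/UDP lines carry a trailing ".port"; ICMP lines do not.
            # Strip the port only when five dot-separated fields are present.
            if (split(src, oct, ".") == 5)
                src = oct[1] "." oct[2] "." oct[3] "." oct[4]
            if (!(src in seen)) {
                seen[src] = 1
                print src
                fflush()   # do not sit on the address when reading a live stream
            }
        }'
}

# add_to_table: add each address read on stdin to the pf table.
# pfctl reports "0/1 addresses added" for an address already present,
# so a repeat is harmless.
add_to_table() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        "$PFCTL" -t "$TABLE" -T add "$ip"
    done
}

# Constructed sample of pflog lines (not captured from a real system),
# assuming INT_IF=em0: two hits from 10.0.0.5, an unrelated pass-out
# match on em1, and an ICMP hit from 10.0.0.9 without a port suffix.
SAMPLE='00:00:00.000000 rule 3/0(match): pass in on em0: 10.0.0.5.51234 > 203.0.113.7.80: Flags [S], seq 1, win 65535, length 0
00:00:00.000100 rule 3/0(match): pass in on em0: 10.0.0.5.51235 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0
00:00:00.000200 rule 5/0(match): pass out on em1: 10.0.0.7.40000 > 198.51.100.3.25: Flags [S], seq 1, win 65535, length 0
00:00:00.000300 rule 3/0(match): pass in on em0: 10.0.0.9 > 203.0.113.7: ICMP echo request, id 1, seq 1, length 64'

# run_sample: apply the extraction to the constructed sample and print
# the resulting address list (expected: 10.0.0.5 and 10.0.0.9).
run_sample() {
    printf '%s\n' "$SAMPLE" | extract_src
}

if [ "${1:-}" = "--live" ]; then
    # Real deployment: follow pflog0 and add each new source address.
    tcpdump -n -e -ttt -l -i pflog0 | extract_src | add_to_table
else
    # Default: dry run over the constructed sample, printing the pfctl
    # commands that would be issued instead of running them.
    PFCTL=echo
    run_sample | add_to_table
fi
```

Every address still takes a round trip kernel -> pflog -> tcpdump -> awk -> pfctl before the table changes, which is the latency and CPU cost the poster wanted to avoid; both the in-kernel "add" keyword and the tag-based rules act at the point the packet is matched. The dedup in awk keeps the number of pfctl invocations down, but only within one run of the script.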


