Date:      Thu, 7 Apr 2011 19:23:16 -0400
From:      "J. Hellenthal" <jhell@DataIX.net>
To:        Ermal =?iso-8859-1?Q?Lu=E7i?= <eri@freebsd.org>
Cc:        Quentin Narvor <quentin.narvor@gmail.com>, nicolas.greneche@univ-orleans.fr, freebsd-net@freebsd.org
Subject:   Re: [PATCH] New feature in Packet Filter
Message-ID:  <20110407232315.GA33170@DataIX.net>
In-Reply-To: <BANLkTimLFg-BbUE5f5s=BhEp2h-ispRUyw@mail.gmail.com>
References:  <BANLkTi=fMCfzJrTavK3Pe0zUXHbQgpPE=Q@mail.gmail.com> <BANLkTimVE9KX20PX8VGe%2BpZ3URYHqiNP8g@mail.gmail.com> <BANLkTim71WDHb5fSTkCPP%2B1Xf9-KnpbGtg@mail.gmail.com> <BANLkTimLFg-BbUE5f5s=BhEp2h-ispRUyw@mail.gmail.com>

On Thu, Apr 07, 2011 at 07:54:56PM +0200, Ermal Luçi wrote:
>On Thu, Apr 7, 2011 at 5:14 PM, Quentin Narvor <quentin.narvor@gmail.com> wrote:
>> 2011/4/7 Ermal Luçi <eri@freebsd.org>
>>
>>> On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor
>>> <quentin.narvor@gmail.com> wrote:
>>> > Hello,
>>> >
>>> > My name is Quentin Narvor and I am currently working on intrusion detection.
>>> > I use FreeBSD 8.2 and I recently needed pf to be able to dynamically fill in tables according to a pass rule.
>>> >
>>> > For performance reasons, I didn't want to do it with a script and pfctl.
>>> > Then, with the help of Mr Nicolas Greneche, I made this patch named "add".
>>> > It enables pf to add the src IP or dst IP to a table when a match occurs on a pass rule.
>>> >
>>>
>>> I cannot see, apart from collecting IPs in tables, anything else that
>>> cannot be done through pf(4) tags!
>>> Can you please describe a use case for this patch?
>>
>>
>> Indeed, it enables pf to change its behaviour toward some hosts dynamically.
>> I will build a blacklist of IPs which have been recognized as compromised
>> (botnets, spam, etc). I build a table with those IPs.
>>
>> If I match a connection between one host of my internal network and one
>> blacklisted IP, there are chances that this host is infected.
>> I want to do a comprehensive capture of this host's connections by adding its src
>> IP to a table of hosts to watch. A dup-to rule dumps traffic from the "hosts to
>> watch" table to a sensor.
>>
>> Here are the rules:
>> pass in on $int_if from any to <blacklist> add ipsrc <infected_hosts>
>> pass in on $int_if dup-to ($sensor_if, sensor_ip) from <infected_hosts> to any
>
>Hmm, the below should work.
>
>.....
>pass in on $int_if from any to <blacklist> tag SUSPECT
>pass in on $int_if dup-to ($sensor_if, sensor_ip) from all tagged SUSPECT
>.....

Source connection tracking would probably also work here too but unless
you are planning on filling up RAM per table usage I would certainly
suggest using tagging.

An example of what I use for src connection tracking that overloads to a
blacklist would be one for SSH logins.

pass in log quick proto tcp from !<trusted> port >1023 to any port
$shports label "Login/SSH:$dstport" keep state (max-src-conn 5,
max-src-conn-rate 15/30 overload <blacklist> flush global)

But this may not be exactly what you're looking for even though it could
be tricked out to put every IP into a table but like I said you're going
to be filling up some RAM fairly quickly by keeping those hosts in a
table depending on how often your rule is going to match.

>
>
>>
>> Unless I miss something, I think it is not possible to make this example
>> just with pf(4) tags: it would have been possible if I wanted to copy only
>> the traffic between my hosts and botnets.
>>
>>
>>> > I submit this patch to your attention. Is this feature of interest to be added in PF mainstream?
>>> >
>>> > You will find the patch and its documentation in attachment.
>>> > Let me know if you think that some modifications are needed.
>>> >
>>>
>

-- 

 J. Hellenthal
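The two stock-pf alternatives discussed in this thread, the tag-based mirroring Ermal proposed and the source-tracking overload rule J. Hellenthal described, put together as one pf.conf sketch. This is an added example written for this archive page, not a configuration posted by any of the participants and not part of the "add" patch. The interface names, the sensor address, the table contents, $shports and the limit values are constructed placeholders; the rule syntax follows pf.conf(5) as shipped with FreeBSD 8.x.

```pf
# Added example (not from the thread). Placeholders: em0/em1, 192.0.2.0/24,
# 192.0.2.10, the table files and the limit values are all made up.

int_if    = "em0"
sensor_if = "em1"
sensor_ip = "192.0.2.10"
shports   = "{ 22 }"

# Bound the memory the source-tracking and table approaches can consume.
# This is the practical answer to the "filling up RAM" concern: pf refuses
# new entries once a limit is hit instead of growing without bound.
set limit { states 10000, src-nodes 2000, table-entries 50000 }

# Known-bad destinations, maintained out of band, e.g. from a feed:
#   pfctl -t blacklist -T replace -f /etc/pf.blacklist
table <blacklist> persist file "/etc/pf.blacklist"
# Hosts exempt from SSH source tracking.
table <trusted> { 192.0.2.0/24 }
# Filled only by the overload clause below, never by hand.
table <infected_hosts> persist

# --- Variant 1: tags (Ermal's suggestion) -----------------------------------
# Mark an inside connection headed for a blacklisted address ...
pass in on $int_if from any to <blacklist> tag SUSPECT
# ... and copy packets carrying that tag to the sensor.  Tags live on the
# packet/state, so this mirrors only the flagged flow itself; later, unrelated
# connections from the same inside host are not copied.  That is exactly the
# gap Quentin points out, and it is what the proposed "add ipsrc" would fill.
pass in on $int_if dup-to ($sensor_if $sensor_ip) all tagged SUSPECT

# --- Variant 2: source tracking + overload (J. Hellenthal's approach) --------
# Sources exceeding the limits are inserted into <infected_hosts> by pf itself;
# "flush global" tears down every state those sources currently hold.  Only
# sources that trip the thresholds are recorded, so the table stays small
# compared with recording every matching source.
pass in log quick proto tcp from ! <trusted> port > 1023 to any port $shports \
    label "Login/SSH:$dstport" keep state \
    (max-src-conn 5, max-src-conn-rate 15/30, overload <infected_hosts> flush global)

# Mirror all subsequent traffic from overloaded sources to the sensor.
# Because the table persists, this covers new connections too, which is the
# behaviour the table-based design in the thread is after.
pass in on $int_if dup-to ($sensor_if $sensor_ip) from <infected_hosts> to any

# Inspect what pf has collected:
#   pfctl -s sources                      # per-source tracking entries
#   pfctl -t infected_hosts -T show       # sources that tripped the limits
#   pfctl -t infected_hosts -T expire 3600  # drop entries idle for an hour
```

`pfctl -T expire` on the overload table is the piece that keeps variant 2 from growing forever: overload inserts entries but never removes them on its own, so a periodic expire (from cron, for instance) is what bounds the table in practice, with `set limit table-entries` as the hard backstop.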