From: "J. Hellenthal"
Date: Thu, 7 Apr 2011 19:23:16 -0400
To: Ermal Luçi
Cc: Quentin Narvor, nicolas.greneche@univ-orleans.fr, freebsd-net@freebsd.org
Subject: Re: [PATCH] New feature in Packet Filter
Message-ID: <20110407232315.GA33170@DataIX.net>

On Thu, Apr 07, 2011 at 07:54:56PM +0200, Ermal Luçi wrote:
> On Thu, Apr 7, 2011 at 5:14 PM, Quentin Narvor wrote:
>> 2011/4/7 Ermal Luçi
>>
>>> On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor wrote:
>>> > Hello,
>>> >
>>> > My name is Quentin Narvor and I am currently working on intrusion
>>> > detection.
>>> > I use FreeBSD 8.2 and I recently needed pf to be able to dynamically
>>> > fill in tables according to pass rules.
>>> >
>>> > For performance reasons, I didn't want to do it with a script and
>>> > pfctl.
>>> > Then, with the help of Mr Nicolas Greneche, I made this patch named
>>> > "add".
>>> > It enables pf to add src ip or dst ip in a table when a match occurs
>>> > on a pass rule.
>>> >
>>>
>>> I cannot see, apart from collecting ips in tables, anything else that
>>> cannot be done through pf(4) tags!
>>> Can you please describe a use case for this patch?
>>
>>
>> Indeed, it enables pf to change its behaviour toward some hosts
>> dynamically.
>> I will build a blacklist of ips which have been recognized as compromised
>> (botnets, spam, etc). I build a table with those IPs.
>>
>> If I match a connection between one host of my internal network and one
>> blacklisted ip, there are chances that this host is infected.
>> I want to do a comprehensive capture of this host's connections by adding
>> src ip to a table of hosts to watch. A dup-to rule dumps traffic from the
>> "host to watch" table to a sensor.
>>
>> Here are the rules:
>> pass in on $int_if from any to add ipsrc
>> pass in on $int_if dup-to ($sensor_if, sensor_ip) from to any
>
> Hmm, the below should work.
>
> .....
> pass in on $int_if from any to tag SUSPECT
> pass in on $int_if dup-to ($sensor_if, sensor_ip) from all tagged SUSPECT
> .....

Source connection tracking would probably also work here too, but unless
you are planning on filling up RAM per table usage I would certainly
suggest using tagging.

An example of what I use for src connection tracking that overloads to a
blacklist would be one for SSH logins.

pass in log quick proto tcp from ! port >1023 to any port $shports label "Login/SSH:$dstport" keep state (max-src-conn 5, max-src-conn-rate 15/30 overload flush global)

But this may not be exactly what you're looking for, even though it could
be tricked out to put every IP into a table; but like I said, you're going
to be filling up some RAM fairly quickly by keeping those hosts in a table,
depending on how often your rule is going to match.
>
>
>> Unless I miss something, I think it is not possible to make this example
>> just with pf(4) tags: it would have been possible if I wanted to copy
>> only the traffic between my hosts and botnets.
>>
>>
>>> > I submit this patch to your attention. Is this feature of interest
>>> > to be added in PF mainstream?
>>> >
>>> > You will find the patch and its documentation in attachment.
>>> > Let me know if you think that some modifications are needed.
>>> >
>>> >

-- 
J. Hellenthal
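The two stock-pf(4) approaches the thread compares, written out as a complete pf.conf fragment (an added example, not from the thread or from the submitted patch). Interface names, the sensor address, the table names and the 2/30 rate are assumed placeholders.

```conf
# Added example, not from the thread or the patch. Interface names, sensor
# address, table names and the rate limit are assumed placeholders.
int_if    = "em0"
sensor_if = "em1"
sensor_ip = "192.0.2.10"     # TEST-NET-2 address standing in for the sensor

# Destinations considered compromised (botnet C2, spam sources, ...).
table <blacklist> persist file "/etc/pf.blacklist"
# Internal hosts flagged for full capture; filled by the overload rule below.
table <towatch> persist

# --- Alternative 1: pf(4) tags, as Ermal suggests -------------------------
# Tag the state of any internal host talking to a blacklisted address and
# mirror those packets to the sensor (last matching rule wins). As Quentin
# notes, only host <-> blacklist traffic is copied, not the rest of that
# host's traffic. Left commented out: enabling it next to alternative 2
# would let the overload rule below override the dup-to for those packets.
#pass in on $int_if from any to <blacklist> tag SUSPECT
#pass in on $int_if dup-to ($sensor_if $sensor_ip) all tagged SUSPECT

# --- Alternative 2: source tracking with overload, as J. Hellenthal does
# for SSH logins -----------------------------------------------------------
# A source that opens more than 2 connections to blacklisted addresses
# within 30 seconds is inserted into <towatch>; "flush global" tears down
# all of its existing states, so its new connections are created by the
# dup-to rule below. Every tracked source costs kernel memory, which is the
# RAM cost the thread warns about.
pass in on $int_if proto tcp from any to <blacklist> \
    keep state (max-src-conn-rate 2/30, overload <towatch> flush global)

# Must come after the tracking rule so it is the last match for watched
# hosts: everything such a host sends is mirrored to the sensor.
pass in on $int_if dup-to ($sensor_if $sensor_ip) from <towatch> to any

# Inspect or prune the dynamic table without reloading the ruleset:
#   pfctl -t towatch -T show
#   pfctl -t towatch -T delete 10.0.0.42
```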