From: Richard Brendörfer
To: freebsd-pf@freebsd.org
Date: Wed, 2 Mar 2011 22:51:05 +0200
Subject: make pf to detect and drop virus/malware packets
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

this is the first time I am writing on a mailing list. If this subject was discussed in the past, please don't shoot me, just throw me a bone.

I was wondering if pf can detect packets that match a signature/fingerprint of a virus, like it does with the OS fingerprints. Let's assume that I start to download eicar, then pf 'sees' the signature of the packet(s) and drops the connection. Is this possible?

PS. Excuse my English