Date:      Tue, 06 Oct 2009 14:57:54 +0545
From:      Gaurav Ghimire <gaurav@subisu.net.np>
To:        Kevin <k@kevinkevin.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Packet Filter alerting system.
Message-ID:  <4ACB0A16.4000806@subisu.net.np>
In-Reply-To: <020001ca381e$4b8bade0$e2a309a0$@com>
References:  <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com> <020001ca381e$4b8bade0$e2a309a0$@com>


Kevin wrote:
>> Gaurav Ghimire wrote:
>>> Just curious to know if we have something, some alerting system or
>>> mechanism that provides the administrator with the daily reports that
>>> pf itself or some other
>>> tool collects on pf's behalf.
>>>
>>> That probably reports the admin of:
>>> ~ Total connection counts matched on each ruleset.
>>> ~ Total number of counts matched on deny rules.
>> /etc/periodic/security/520.pfdenied
>>
>> it should be enabled by default if you haven't done anything unnatural
>> to
>> the /etc/periodic system
>>
>>> ~ IP/Port attack logs and relatives.
>>
>> only if you specify "log" in one or more of your pf rules, in which
>> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
>> /var/log/pf.{today,yesterday}
>>
>> tom
>
>
> I wrote a script that compiles a daily report on any pf table based
> threshold breaches -- something that could be modified to produce many
> different types of daily pf based reports :
>
>
> http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/
>
>
>
> Something to look at anyways.
>
>
Hi all,

Thanks for all your help.

After a few workarounds I managed to get what I required.

I wrote a script to get an easy-to-read report on all the traffic
matching the block rule in my pf. The script could be modified to get
reports on other specific rulesets you intend to; however, for that to
work you might have to define another logging interface using pflogd
and slap it to the rules you want to get reports on.

Here it is if you guys wanna have a look.
http://nixify.blogspot.com/2009/10/getting-reports-on-intrusion-attempts.html


Regards,

--
Gaurav Ghimire
System Administrator
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal


http://www.subisu.net.np

(An ISO 9001:2000 Certified Company)


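As an added example (not the script from this thread or from either linked blog post), here is a POSIX shell script of the kind described above: it takes the text that tcpdump prints from /var/log/pflog and reduces the "block" entries to counts per source address, destination port and rule number. The tcpdump invocation is an assumption and the embedded log lines are constructed for the example, modelled on tcpdump's pflog output with -e.

```shell
#!/bin/sh
# Daily "blocked traffic" report built from pflog after it has been turned into
# text with:  tcpdump -n -e -tttt -r /var/log/pflog   (assumed invocation)
# Assumes IPv4 and that the block rules carry pf's "log" keyword.

# Constructed sample of tcpdump's pflog output (made up for this example, not real traffic).
SAMPLE_PFLOG='2009-10-06 02:10:01.000001 rule 2/0(match): block in on em0: 203.0.113.5.44321 > 198.51.100.10.22: S 1:1(0) win 65535
2009-10-06 02:10:02.000002 rule 2/0(match): block in on em0: 203.0.113.5.44322 > 198.51.100.10.22: S 1:1(0) win 65535
2009-10-06 02:10:03.000003 rule 2/0(match): block in on em0: 203.0.113.5.44323 > 198.51.100.10.22: S 1:1(0) win 65535
2009-10-06 02:11:00.000004 rule 2/0(match): block in on em0: 203.0.113.77.3333 > 198.51.100.10.445: S 1:1(0) win 8192
2009-10-06 02:12:00.000005 rule 2/0(match): block in on em0: 203.0.113.9 > 198.51.100.10: icmp: echo request
2009-10-06 02:13:00.000006 rule 5/0(match): pass in on em0: 192.0.2.8.55555 > 198.51.100.10.80: S 1:1(0) win 65535'

# One "srcip dstport rule" record per blocked packet read from stdin; pass lines are dropped.
pf_block_records() {
    awk '
    / rule [0-9]+\/[0-9]+\([a-z]*\): block / {
        match($0, /rule [0-9]+/); rule = substr($0, RSTART + 5, RLENGTH - 5)
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        sub(/:$/, "", dst)
        split(src, a, "."); sip = a[1] "." a[2] "." a[3] "." a[4]
        m = split(dst, b, "."); dport = (m > 4) ? b[m] : "-"   # ICMP has no port
        print sip, dport, rule
    }'
}

# Number of blocked packets on stdin.
pf_block_total() { pf_block_records | wc -l | tr -d ' '; }

# "count value" lines, most frequent first, for record field N (1=source, 2=port, 3=rule).
pf_count_field() {
    pf_block_records | awk -v f="$1" '{ c[$f]++ } END { for (k in c) print c[k], k }' |
        sort -k1,1nr -k2,2
}

# The readable report: stdin is read once and fed to each section.
pf_block_report() {
    input=$(cat)
    printf 'Blocked packets: %s\n\n' "$(printf '%s\n' "$input" | pf_block_total)"
    printf 'By source address:\n';     printf '%s\n' "$input" | pf_count_field 1
    printf '\nBy destination port:\n'; printf '%s\n' "$input" | pf_count_field 2
    printf '\nBy rule number:\n';      printf '%s\n' "$input" | pf_count_field 3
}

# Demo on the constructed sample; for real data pipe tcpdump's output in instead.
printf '%s\n' "$SAMPLE_PFLOG" | pf_block_report
```

To report on a different rule set, as the message suggests, point pflogd at a second pflog interface and feed that file to the same pipeline.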