From owner-freebsd-pf@FreeBSD.ORG Wed Mar 2 21:52:30 2011
From: olli hauer
Date: Wed, 02 Mar 2011 22:25:19 +0100
To: Richard Brendörfer
Cc: freebsd-pf@freebsd.org
Subject: Re: make pf to detect and drop virus/malware packets
Message-ID: <4D6EB5BF.5040309@gmx.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2011-03-02 21:51, Richard Brendörfer wrote:
> Hi,
> this is the first time I write on a mailing list.
> If this subject was discussed in the past please don't shoot me, just throw
> me a bone.
>
> I was wondering if pf can detect packets that match a signature/fingerprint of
> a virus, like it does with the OS fingerprints.
>
> Let's assume that I start to download eicar, then pf 'sees' the signature of
> the packet(s) and drops the connection.
> Is this possible ?

Not directly with pf, but in combination with snort and snortsam.
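The pf side of the snort + snortsam combination olli points to, as an added example that is not part of the original thread: pf's OS fingerprinting (pf.os) only inspects TCP SYN header fields and never looks at payload, so the signature match has to happen in a payload-inspecting IDS such as snort, and pf's job is to act on the IDS verdict. The usual pattern for that is a persistent table that an external tool populates at runtime, with quick block rules in front of the normal policy. The interface name em0, the table name blocked, and the assumption that the IDS-response tool (or an operator) adds addresses with `pfctl -t blocked -T add` are mine, not from the mail; check your snortsam version's pf plugin documentation for the exact mechanism it uses.

```pf
# /etc/pf.conf fragment: added example for this thread, not from the original
# mail. Assumptions: external interface em0; the IDS-response tool (e.g. a
# SnortSam pf plugin) or an operator inserts flagged addresses into <blocked>
# with "pfctl -t blocked -T add <addr>" (or the equivalent ioctl). pf itself
# does no payload inspection; the virus signature is matched by snort, not here.

ext_if = "em0"

# persist: keep the table and its entries even when no loaded rule references it
table <blocked> persist

# quick: the first matching rule wins, so a flagged host is dropped before any
# pass rule below can create state for it. Both directions are covered because
# the offending connection may have been opened from the inside (e.g. a download).
block in  log quick on $ext_if from <blocked> to any
block out log quick on $ext_if from any to <blocked>

# ordinary policy for everything that is not on the block list
pass out on $ext_if keep state
pass in  on $ext_if proto tcp from any to any port { 22, 80, 443 } keep state
```

Two things a practitioner should know before relying on this. First, block rules are only consulted for packets that do not already match a state entry, so when the IDS flags a host in the middle of an established download the existing state keeps passing traffic; the tool (or you) must also kill those states, for example `pfctl -k 192.0.2.10` for states originating from the host and `pfctl -k 0.0.0.0/0 -k 192.0.2.10` for states towards it (192.0.2.10 is a constructed TEST-NET address). Second, entries should not live forever: `pfctl -t blocked -T expire 3600` removes entries older than an hour, `pfctl -t blocked -T show` lists what is currently blocked, `pfctl -t blocked -T delete <addr>` removes one entry, and `pfctl -nf /etc/pf.conf` syntax-checks the ruleset before loading it.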