Date: Thu, 17 Sep 2009 13:14:02 -0600 From: Tim Hogan <tim@hoganzoo.com> To: Tom Uffner <tom@uffner.com> Cc: freebsd-pf@freebsd.org Subject: Re: Packet Filter alerting system. Message-ID: <4AB28A7A.2060206@hoganzoo.com> In-Reply-To: <4AAFE24A.2040602@uffner.com> References: <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com>
Tom Uffner wrote:
> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>> tool collects on pf's behalf.
>>
>> That probably reports the admin of:
>> ~ Total connection counts matched on each rulesets.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
>> ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom
>
Not sure if this will help but I have added the following line to
/etc/periodic/security/520.pfdenied
pfctl -sr -v | grep -v "Inserted:" | awk '/^[apb]/ { printf "\n%s\n", $0 } $0 !~ /^[apb]/' | mailx -s "Daily PF Hit Report" root
This will produce something like the following for each rule that you have:
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355 Packets: 46 Bytes: 4058 States: 0 ]
The down side is that the numbers will increment from the last time PF
was restarted, not from the previous day.
Regards,
Tim
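Building on Tim's pipeline and his caveat that the counters only grow since pf was last restarted, here is an added Python example (not from the thread, and not part of the periodic scripts) that parses `pfctl -sr -v` output, subtracts the previous day's saved counters to get true daily figures, and flags rules whose counters went backwards because the ruleset was reloaded in between. The pfctl output below is a constructed sample, and persisting the snapshot between runs is left to the caller.

```python
import re

# Constructed sample of `pfctl -sr -v` output (two rules; the "Inserted:" line
# that newer pf versions print is skipped by the parser).
SAMPLE_NOW = """\
pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]
  [ Inserted: uid 0 pid 123 State Creations: 0     ]
block drop in log all
  [ Evaluations: 12040     Packets: 9000      Bytes: 720000      States: 0     ]
"""

STAT_RE = re.compile(
    r"^\s*\[ Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)")

def parse_counters(text):
    """Map each rule line to its (evaluations, packets, bytes) counters."""
    counters, rule = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            rule = line.strip()      # rule lines start in column 0
            continue
        m = STAT_RE.match(line)      # indented counter line under the rule
        if m and rule:
            counters[rule] = tuple(int(x) for x in m.group(1, 2, 3))
    return counters

def daily_delta(now, prev):
    """Per-rule increase since the previous snapshot; a counter lower than the
    stored one means pf was reloaded, so the raw current value is reported and flagged."""
    report = {}
    for rule, cur in now.items():
        old = prev.get(rule)
        if old is None or any(c < o for c, o in zip(cur, old)):
            report[rule] = (cur, True)               # new rule or counter reset
        else:
            report[rule] = (tuple(c - o for c, o in zip(cur, old)), False)
    return report

def format_report(report):
    """Render rule-then-counters lines, in the same shape as pfctl prints them."""
    out = []
    for rule, ((ev, pk, by), reset) in sorted(report.items()):
        note = "  (counters reset since last snapshot)" if reset else ""
        out.append(f"{rule}\n  evaluations +{ev} packets +{pk} bytes +{by}{note}")
    return "\n".join(out)

if __name__ == "__main__":   # first run: no previous snapshot, so everything is flagged
    print(format_report(daily_delta(parse_counters(SAMPLE_NOW), {})))
```

In a periodic script, feed in the real `pfctl -sr -v` output, save the dict returned by `parse_counters()` (for example as JSON) and pass it back as `prev` the next day.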