Date:      Thu, 17 Sep 2009 13:14:02 -0600
From:      Tim Hogan <tim@hoganzoo.com>
To:        Tom Uffner <tom@uffner.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Packet Filter alerting system.
Message-ID:  <4AB28A7A.2060206@hoganzoo.com>
In-Reply-To: <4AAFE24A.2040602@uffner.com>
References:  <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com>

Tom Uffner wrote:
> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>> tool collects on pf's behalf.
>>
>> That probably reports the admin of:
>> ~ Total connection counts matched on each rulesets.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
>> ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom
>
Not sure if this will help but I have added the following line to
/etc/periodic/security/520.pfdenied

pfctl -sr -v | grep -v "Inserted:" \
    | awk '/^[apb]/ { printf "\n%s\n", $0 } $0 !~ /^[apb]/' \
    | mailx -s "Daily PF Hit Report" root

This will produce something like the following for each rule that you have:

pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]

The downside is that the numbers will increment from the last time PF
was restarted, not from the previous day.

Regards,
Tim
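The cumulative-counter problem Tim mentions can be worked around by keeping yesterday's snapshot of the counters and subtracting it from today's. The script below is an added example for this thread, not code posted by Tim or shipped with FreeBSD; the function names, file names and the two `pfctl -sr -v` samples are constructed for the example (the samples are not captured from a real host). It parses the same "[ Evaluations: ... Packets: ... Bytes: ... ]" lines the posted one-liner prints, matches rule lines by keyword rather than by first letter, and treats a counter that went down as a pf restart, so that day's hits are still reported.

```shell
#!/bin/sh
# Added example, not code from the thread: per-day hit counts from the
# cumulative counters that `pfctl -sr -v` prints. Yesterday's snapshot is
# kept in a file and subtracted from today's; a counter that went *down*
# means pf was restarted (or the rule is new), so the raw value is used.
# Function names, file names and the sample output below are constructed
# for this example (assumptions), not taken from a real host.

# Constructed sample of `pfctl -sr -v` output, two snapshots a day apart.
# The "block" rule's counters are lower in the second snapshot to simulate
# a pf restart; the "pass out" rule only exists in the second snapshot.
SAMPLE_PREV='pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]
  [ Inserted: uid 0 pid 1234 ]
block drop in log on vr0 all
  [ Evaluations: 900       Packets: 900       Bytes: 54000       States: 0     ]
  [ Inserted: uid 0 pid 1234 ]
'
SAMPLE_CUR='pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 571000    Packets: 120       Bytes: 10000       States: 0     ]
  [ Inserted: uid 0 pid 1234 ]
block drop in log on vr0 all
  [ Evaluations: 40        Packets: 40        Bytes: 2400        States: 0     ]
  [ Inserted: uid 0 pid 5678 ]
pass out on vr0 all keep state
  [ Evaluations: 10        Packets: 5         Bytes: 300         States: 1     ]
  [ Inserted: uid 0 pid 5678 ]
'

# pf_counters: stdin = `pfctl -sr -v` output; stdout = one tab-separated
# line per rule: rule text, packets, bytes. The "[ Inserted: ... ]" lines
# and anything else are ignored.
pf_counters() {
    awk '
        /^(pass|block|anchor|match|scrub)/ { rule = $0; next }
        /Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Packets:") pk = $(i + 1)
                if ($i == "Bytes:")   by = $(i + 1)
            }
            printf "%s\t%s\t%s\n", rule, pk, by
        }
    '
}

# pf_deltas PREV CUR: both files in pf_counters format; prints rule,
# packets since PREV, bytes since PREV. Rules absent from PREV, or whose
# counters decreased (pf restart), report their cumulative value instead.
pf_deltas() {
    awk '
        BEGIN { FS = OFS = "\t" }
        FILENAME == ARGV[1] { prev_pk[$1] = $2; prev_by[$1] = $3; next }
        {
            if ($1 in prev_pk) { dpk = $2 - prev_pk[$1]; dby = $3 - prev_by[$1] }
            else               { dpk = -1; dby = -1 }
            if (dpk < 0 || dby < 0) { dpk = $2; dby = $3 }
            print $1, dpk, dby
        }
    ' "$1" "$2"
}

# pf_demo: run both functions over the constructed samples and print the
# report, as the daily job would just before piping it into mailx.
pf_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s' "$SAMPLE_PREV" | pf_counters > "$dir/prev"
    printf '%s' "$SAMPLE_CUR"  | pf_counters > "$dir/cur"
    pf_deltas "$dir/prev" "$dir/cur"
    rm -rf "$dir"
}

pf_demo
```

On a real host the daily job would do `pfctl -sr -v | pf_counters > /var/db/pfhits.today` (path assumed), run `pf_deltas` against yesterday's file, mail the result, and then rotate today's file to yesterday's. The rule text is the join key, so editing or reordering a rule makes it look new (and two rules with identical text collide); that is a limitation of keying on `pfctl -sr` output rather than on a stable rule identifier.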


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AB28A7A.2060206>