Date:      Wed, 23 Jun 2010 17:10:31 -0400
From:      Michael Proto <mike@jellydonut.org>
To:        Peter Maxwell <peter@allicient.co.uk>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: can pf block a string ? or better, to limit it ?
Message-ID:  <AANLkTilBWj_tA7-ECbzKLz3hkZDPwo6HmBWnRe-yiS_K@mail.gmail.com>
In-Reply-To: <AANLkTinCwonuSkfbLIWfHYW53jyIC4zWNxReA4Fmn5Kh@mail.gmail.com>
References:  <AANLkTima26GreX5jtmdJiR2FbNiB5O4ixN92oqxktTmb@mail.gmail.com> <7114830758496124649@unknownmsgid> <AANLkTimN_9x-cQiF12bQdIjtHa7BjM6kMoEfsjcjcKLH@mail.gmail.com> <AANLkTinCwonuSkfbLIWfHYW53jyIC4zWNxReA4Fmn5Kh@mail.gmail.com>

On Wed, Jun 23, 2010 at 4:15 PM, Peter Maxwell <peter@allicient.co.uk> wrote:
> Hmmm, off the top of my head: I wonder if you could use Snort and have that
> do full packet inspection for you.  Then you should be able to script an
> alert if the string is found and call pfctl to add the offending IP address
> to a table that blackholes it.  Just a thought.
>
> Or if you want to do it "properly", I'm sure you could code something along
> the lines of a kernel module.
>

What about proxying the connection with nstreams?

http://www.freshports.org/net-mgmt/nstreams


-Proto
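
The Snort-plus-pfctl idea quoted at the top of this message, as an added example that is not part of the original thread: it reads Snort "fast" alert lines, picks out the source address for one rule, and builds the `pfctl` call that adds it to a table. Assumptions: the table name `blackhole`, the rule message `BANNED-STRING`, the never-block ranges and the sample alert lines are all constructed; only IPv4 is handled.

```python
import ipaddress
import re
import subprocess

# Hypothetical names. pf.conf would need, for example:
#   table <blackhole> persist
#   block in quick from <blackhole>
TABLE = "blackhole"
RULE_MSG = "BANNED-STRING"
# A forged or mistaken source must never lock out your own hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Snort fast alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+"
)

def offending_ip(line):
    """Return the IPv4 source to block for this alert line, or None."""
    m = ALERT_RE.search(line)
    if not m or RULE_MSG not in m.group("msg"):
        return None
    try:
        ip = ipaddress.ip_address(m.group("src"))
    except ValueError:          # e.g. 999.1.1.1: never pass junk to pfctl
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return str(ip)

def pfctl_add(ip, table=TABLE):
    """argv that adds ip to the pf table; a list, so no shell parses it."""
    return ["pfctl", "-t", table, "-T", "add", ip]

def process(lines, run=False):
    """Return the distinct IPs selected; call pfctl only when run=True."""
    blocked = []
    for line in lines:
        ip = offending_ip(line)
        if ip and ip not in blocked:
            blocked.append(ip)
            if run:
                subprocess.run(pfctl_add(ip), check=True)
    return blocked

SAMPLE = [  # constructed alert lines
    "06/23-16:15:01.120001  [**] [1:1000001:1] BANNED-STRING in HTTP request [**] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80",
    "06/23-16:15:02.330417  [**] [1:1000001:1] BANNED-STRING in HTTP request [**] [Priority: 1] {TCP} 192.0.2.10:51240 -> 198.51.100.5:80",
    "06/23-16:15:03.000000  [**] [1:2000002:1] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.5",
    "06/23-16:15:04.000000  [**] [1:1000001:1] BANNED-STRING in HTTP request [**] [Priority: 1] {TCP} 10.0.0.5:40000 -> 198.51.100.5:80",
]
```

With `run=False` (the default) nothing is executed; `process(SAMPLE)` only reports which addresses would be added.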


