Date:      Fri, 18 Sep 2009 01:10:08 -0400
From:      "Kevin" <k@kevinkevin.com>
To:        "'Tom Uffner'" <tom@uffner.com>, <gaurav@subisu.net.np>
Cc:        freebsd-pf@freebsd.org
Subject:   RE: Packet Filter alerting system.
Message-ID:  <020001ca381e$4b8bade0$e2a309a0$@com>
In-Reply-To: <4AAFE24A.2040602@uffner.com>
References:  <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com>

> Gaurav Ghimire wrote:
> > Just curious to know if we have something, some alerting system or
> > mechanism that provides the administrator with the daily reports that
> > pf itself or some other tool collects on pf's behalf.
> >
> > That probably reports the admin of:
> > ~ Total connection counts matched on each rulesets.
> > ~ Total number of counts matched on deny rules.
> 
> /etc/periodic/security/520.pfdenied
> 
> it should be enabled by default if you haven't done anything unnatural
> to the /etc/periodic system
> 
> > ~ IP/Port attack logs and relatives.
> 
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
> 
> tom


I wrote a script that compiles a daily report on any pf table-based
threshold breaches -- something that could be modified to produce many
different types of daily pf-based reports:

http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/

Something to look at anyways.




