From owner-freebsd-pf@FreeBSD.ORG Fri Sep 18 05:10:38 2009
From: "Kevin"
To: "'Tom Uffner'"
Cc: freebsd-pf@freebsd.org
Date: Fri, 18 Sep 2009 01:10:08 -0400
Subject: RE: Packet Filter alerting system.
Message-ID: <020001ca381e$4b8bade0$e2a309a0$@com>
In-Reply-To: <4AAFE24A.2040602@uffner.com>
References: <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> Gaurav Ghimire wrote:
> > Just curious to know if we have something, some alerting system or
> > mechanism that provides the administrator with the daily reports that
> > pf itself or some other tool collects on pf's behalf.
> >
> > That probably reports the admin of:
> > ~ Total connection counts matched on each rulesets.
> > ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
> > ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom

I wrote a script that compiles a daily report on any pf table based threshold breaches -- something that could be modified to produce many different types of daily pf based reports:
http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/

Something to look at anyways.
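One way to turn the decoded pflog(4) text Tom points at into the kind of daily "blocked connections per source" report Gaurav asks for. This is an added example, not code from the thread or from the script Kevin links; it assumes the text form that `tcpdump -n -e -ttt -r /var/log/pflog` prints (only rules carrying the "log" keyword appear there), and the function name, threshold and sample lines are my own constructions.

```sh
#!/bin/sh
# Added example: summarise pf "block in" log entries per source address and
# list the sources that hit a threshold, most active first.
#
# Input (stdin) is decoded pflog text, i.e. the output of
#   tcpdump -n -e -ttt -r /var/log/pflog
# whose lines look like (assumed shape):
#   <delta> rule <n>/<sub>(match): block in on <if>: <src>.<sport> > <dst>.<dport>: ...

# pf_block_report THRESHOLD
# Prints "<count> <source-ip>" for every source blocked at least THRESHOLD times.
pf_block_report() {
    threshold=${1:-10}
    awk -v min="$threshold" '
        # Only inbound blocks count; pass and outbound lines are skipped.
        /\(match\): block in on / {
            src = ""
            # The token before ">" is "address.port" of the source.
            for (i = 2; i <= NF; i++) {
                if ($i == ">") { src = $(i - 1); break }
            }
            if (src == "") next
            # Drop the trailing ".port" (works for IPv4 and IPv6 forms).
            sub(/\.[0-9]+$/, "", src)
            count[src]++
        }
        END {
            for (s in count)
                if (count[s] >= min) printf "%d %s\n", count[s], s
        }' | sort -k1,1nr -k2,2
}

# Constructed sample of decoded pflog output (documentation addresses, not real traffic).
SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on em0: 192.0.2.10.4455 > 198.51.100.5.22: Flags [S], length 0
00:00:00.000412 rule 3/0(match): block in on em0: 192.0.2.10.4456 > 198.51.100.5.22: Flags [S], length 0
00:00:01.120000 rule 3/0(match): block in on em0: 192.0.2.10.4457 > 198.51.100.5.22: Flags [S], length 0
00:00:00.300000 rule 5/0(match): pass in on em0: 203.0.113.7.51000 > 198.51.100.5.80: Flags [S], length 0
00:00:00.090000 rule 3/0(match): block in on em0: 203.0.113.9.40000 > 198.51.100.5.23: Flags [S], length 0
00:00:00.090000 rule 3/0(match): block in on em0: 203.0.113.9.40001 > 198.51.100.5.23: Flags [S], length 0
00:00:00.005000 rule 4/0(match): block out on em0: 198.51.100.5.1234 > 192.0.2.99.25: Flags [S], length 0'

# Demonstration on the constructed sample; for a real daily run replace the
# printf with:  tcpdump -n -e -ttt -r /var/log/pflog | pf_block_report 10
printf '%s\n' "$SAMPLE_PFLOG" | pf_block_report 2
```

Run from periodic(8) it complements 520.pfdenied, which reports on block rules rather than on the sources behind them.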