Date: Fri, 27 Dec 2019 22:07:36 +0100
From: "Kristof Provost" <kristof@sigsegv.be>
To: "Franco Fichtner" <franco@lastsummer.de>
Cc: "Özkan KIRIK" <ozkan.kirik@gmail.com>, freebsd-pf@freebsd.org
Subject: Re: Rule last match timestamp
Message-ID: <B0DA6658-B07B-4D7D-B13B-9094C639C98C@sigsegv.be>
In-Reply-To: <8547AD1F-2D76-449E-90DE-DC0D699D9631@lastsummer.de>
References: <CAAcX-AGFg04rD=4_rJino_CvMiU4f3a+vxhiLwV=-x2ikWfO_w@mail.gmail.com> <2C151498-F878-40A3-8A7C-C9C7D36CDBFF@sigsegv.be> <8547AD1F-2D76-449E-90DE-DC0D699D9631@lastsummer.de>
On 27 Dec 2019, at 21:49, Franco Fichtner wrote:
> Hi,
>
>> On 27. Dec 2019, at 6:45 PM, Kristof Provost <kristof@sigsegv.be> wrote:
>>
>> What are you trying to accomplish?
>
> Some people believe that "last match" is a great metric to audit rules for
> intrusion detection and all sorts of ruleset optimisation and refinement.
>
> In OPNsense the question has popped up a few times to support it, but without
> doing it in pf(4) directly it makes little sense as you'd have to crawl pflog
> output and even then you can't crawl non-log rules this way...
>

Would SDT probe points be useful for this? I have a background todo item to add those where they'd be meaningful.

They have the advantage of not really having a cost when they're not active, of being really easy to add, and of not imposing ABI changes.

Best regards,
Kristof
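As an added example that is not part of this thread and not OPNsense or pf code: a small Python parser over `tcpdump -n -e -tttt -i pflog0` output that derives the per-rule "last match" Franco describes by crawling pflog, which is exactly why it only sees rules that carry `log`. The sample lines, rule numbers and addresses are constructed, and the line regex assumes the usual pflog print format (`rule N/M(reason): action dir on ifname:`).

```python
import re
from datetime import datetime

# Constructed sample of `tcpdump -n -e -tttt -i pflog0` output (not taken from the thread).
SAMPLE_PFLOG = """\
2019-12-27 21:49:10.123456 rule 3/0(match): pass in on em0: 192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
2019-12-27 21:50:02.000001 rule 7/0(match): block in on em0: 203.0.113.9.4444 > 198.51.100.5.23: Flags [S], seq 2, win 1024, length 0
2019-12-27 22:07:36.654321 rule 3/0(match): pass in on em0: 192.0.2.11.40000 > 198.51.100.5.443: Flags [S], seq 3, win 65535, length 0
2019-12-27 22:07:37.000000 rule 7/0(match): block in on em0: 203.0.113.9.4445 > 198.51.100.5.23: Flags [S], seq 4, win 1024, length 0
"""

# Assumed pflog line shape: "<ts> rule <rule>/<subrule>(<reason>): <action> <dir> on <ifname>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block|match|rdr|nat|binat|scrub) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
)

def last_match_by_rule(text):
    """Return {rule_number: (last_match_time, match_count, action)} for every logged rule seen."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pflog header line (e.g. continuation or unrelated output)
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        rule = int(m.group("rule"))
        last, count, _ = result.get(rule, (None, 0, None))
        if last is None or ts > last:
            last = ts  # keep the newest timestamp even if lines arrive out of order
        result[rule] = (last, count + 1, m.group("action"))
    return result

def stale_rules(seen, all_rule_numbers, now, max_idle_seconds):
    """Rules idle longer than max_idle_seconds, plus rules never observed at all.
    A rule without `log` never appears in pflog, so it will always be reported here;
    that is the blind spot the thread points out, not evidence the rule is unused."""
    stale = []
    for rule in all_rule_numbers:
        if rule not in seen or (now - seen[rule][0]).total_seconds() > max_idle_seconds:
            stale.append(rule)
    return sorted(stale)
```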