From: "Kristof Provost"
To: "Franco Fichtner"
Cc: "Özkan KIRIK", freebsd-pf@freebsd.org
Subject: Re: Rule last match timestamp
Date: Fri, 27 Dec 2019 22:07:36 +0100
In-Reply-To: <8547AD1F-2D76-449E-90DE-DC0D699D9631@lastsummer.de>
References: <2C151498-F878-40A3-8A7C-C9C7D36CDBFF@sigsegv.be> <8547AD1F-2D76-449E-90DE-DC0D699D9631@lastsummer.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 27 Dec 2019, at 21:49, Franco Fichtner wrote:
> Hi,
>
>> On 27. Dec 2019, at 6:45 PM, Kristof Provost wrote:
>>
>> What are you trying to accomplish?
>
> Some people believe that "last match" is a great metric to audit rules for
> intrusion detection and all sorts of ruleset optimisation and refinement.
>
> In OPNsense the question has popped up a few times to support it, but without
> doing it in pf(4) directly it makes little sense as you'd have to crawl pflog
> output and even then you can't crawl non-log rules this way...
>
Would SDT probe points be useful for this? I have a background todo item to add those where they'd be meaningful. They have the advantage of not really having a cost when they're not active, of being really easy to add, and of not imposing ABI changes.

Best regards,
Kristof
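The pflog-crawling workaround Franco mentions, as an added shell example that is not part of the thread: it derives a last-match timestamp per rule number from pflog lines and shows the gap he points out, since rules without `log` never reach pflog and so never appear. The sample lines are constructed and follow the shape of `tcpdump -n -e -tttt -i pflog0` output (an assumption about the format).

```shell
# Added example, not from the thread. Derive a per-rule "last match" timestamp
# from pflog output. Only rules carrying the "log" keyword ever show up here;
# rules without it are invisible to this method, which is the limitation the
# thread discusses.

# last_match: read pflog-style tcpdump lines on stdin and print
# "rule <n> <date> <time>" for the most recent match of each rule number.
last_match() {
    awk '
        # pick out "rule N/M(match)" and remember the timestamp (fields 1-2)
        match($0, /rule [0-9]+\/[0-9]+\(match\)/) {
            rule = substr($0, RSTART + 5, RLENGTH - 5)   # "N/M(match)"
            sub(/\/.*/, "", rule)                         # keep only N
            last[rule] = $1 " " $2
        }
        END { for (r in last) printf "rule %s %s\n", r, last[r] }
    ' | sort -k2,2n
}

# Constructed sample lines in assumed "tcpdump -n -e -tttt -i pflog0" shape.
# Rule 2 matches twice; only the later timestamp must survive.
SAMPLE_PFLOG='2019-12-27 21:01:03.120000 rule 2/0(match): block in on em0: 203.0.113.5.41022 > 198.51.100.10.22: Flags [S], length 0
2019-12-27 21:02:15.500000 rule 7/0(match): pass in on em0: 203.0.113.9.50000 > 198.51.100.10.443: Flags [S], length 0
2019-12-27 21:05:44.000000 rule 2/0(match): block in on em0: 203.0.113.7.33000 > 198.51.100.10.23: Flags [S], length 0
2019-12-27 21:06:58.250000 rule 11/0(match): pass out on em0: 198.51.100.10.33333 > 203.0.113.1.53: UDP, length 40'

# run_sample: apply last_match to the constructed lines. A rule absent from
# the output may simply not log, so absence is not evidence that it is unused.
run_sample() {
    printf '%s\n' "$SAMPLE_PFLOG" | last_match
}

run_sample
```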