From owner-freebsd-net@FreeBSD.ORG  Fri Apr  8 09:36:31 2011
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3A361106566B;
	Fri,  8 Apr 2011 09:36:31 +0000 (UTC)
	(envelope-from quentin.narvor@gmail.com)
Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com
	[209.85.214.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 83CA78FC0C;
	Fri,  8 Apr 2011 09:36:30 +0000 (UTC)
Received: by bwz12 with SMTP id 12so3403767bwz.13
	for <multiple recipients>; Fri, 08 Apr 2011 02:36:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:cc:content-type;
	bh=oqnAacMutUT6De8puexDDnf9VNbQCRTbu7X7OGcKWR0=;
	b=PB/50WU4aNv9vj+ij8NSQHK9jHlwJ3H9JoM20t9xryiJJowX/PoihJeaY6ud+dCSKW
	+KaodG/YnZcpsPZL4uLQJPsvi8K6BmjnW8qanapZ+RDLFK/QtBNSuMQpZ4WWEkYRGgYn
	VkENd1NUXUozaoG6wt9+qXMVp+n/a8K5MxreI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	b=jRs+nQdirXKS/mg2mdwlqkQZsvUEGCMf+tkFfvDSDtUtM3lCJMWXNA9QpLTwHbGQQp
	3Kd7cTHxwzR8AzO1pTOhENSv9C1f1D4enUV3qqJWfaA9FTZw0p1qQ/jlK+m7US6UR18p
	3LnD6fWIUp7FDgUa1drsGORdBZVheP2Xy4Wr0=
MIME-Version: 1.0
Received: by 10.204.126.152 with SMTP id c24mr1698922bks.4.1302255389371; Fri,
	08 Apr 2011 02:36:29 -0700 (PDT)
Received: by 10.204.59.193 with HTTP; Fri, 8 Apr 2011 02:36:29 -0700 (PDT)
In-Reply-To: <20110407232315.GA33170@DataIX.net>
References: <BANLkTi=fMCfzJrTavK3Pe0zUXHbQgpPE=Q@mail.gmail.com>
	<BANLkTimVE9KX20PX8VGe+pZ3URYHqiNP8g@mail.gmail.com>
	<BANLkTim71WDHb5fSTkCPP+1Xf9-KnpbGtg@mail.gmail.com>
	<BANLkTimLFg-BbUE5f5s=BhEp2h-ispRUyw@mail.gmail.com>
	<20110407232315.GA33170@DataIX.net>
Date: Fri, 8 Apr 2011 11:36:29 +0200
Message-ID: <BANLkTinU8fAVNfqSYeTCVwzFqjV18rQWwg@mail.gmail.com>
From: Quentin Narvor <quentin.narvor@gmail.com>
To: "J. Hellenthal" <jhell@dataix.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: Ermal Luçi <eri@freebsd.org>, freebsd-net@freebsd.org,
	nicolas.greneche@univ-orleans.fr
Subject: Re: [PATCH] New feature in Packet Filter
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2011 09:36:31 -0000

2011/4/8 J. Hellenthal <jhell@dataix.net>

> On Thu, Apr 07, 2011 at 07:54:56PM +0200, Ermal Luçi wrote:
> >On Thu, Apr 7, 2011 at 5:14 PM, Quentin Narvor <quentin.narvor@gmail.com> wrote:
> >> 2011/4/7 Ermal Luçi <eri@freebsd.org>
> >>
> >>> On Thu, Apr 7, 2011 at 10:21 AM, Quentin Narvor
> >>> <quentin.narvor@gmail.com> wrote:
> >>> > Hello,
> >>> >
> >>> > My name is Quentin Narvor and I am currently working on intrusion
> >>> > detection.
> >>> > I use FreeBSD 8.2 and I recently needed pf to be able to dynamically
> >>> > fill in tables according to pass rules.
> >>> >
> >>> > For performance reasons, I didn't want to do it with a script and
> >>> > pfctl.
> >>> > Then, with the help of Mr Nicolas Greneche, I made this patch named
> >>> > "add".
> >>> > It enables pf to add src ip or dst ip in a table when a match occurs
> >>> > on a pass rule.
> >>> >
> >>>
> >>> I cannot see, apart from collecting ips in tables, anything else that
> >>> cannot be done through pf(4) tags!
> >>> Can you please describe a use case for this patch?
> >>
> >>
> >> Indeed, it enables pf to change its behaviour toward some hosts
> >> dynamically.
> >> I will build a blacklist of ip which have been recognized as compromised
> >> (botnets, spam, etc). I build a table with those IP.
> >>
> >> If I match a connection between one host of my internal network and one
> >> blacklisted ip, there are chances that this host is infected.
> >> I want to do a comprehensive capture of this host's connections by adding
> >> its src ip to a table of hosts to watch. A dup-to rule dumps traffic from
> >> the "host to watch" table to a sensor.
> >>
> >> Here are the rules:
> >> pass in on $int_if from any to <blacklist> add ipsrc <infected_hosts>
> >> pass in on $int_if dup-to ($sensor_if, sensor_ip) from <infected_hosts> to any
> >
> >Hmm, the below should work.
> >
> >.....
> >pass in on $int_if from any to <blacklist> tag SUSPECT
> >pass in on $int_if dup-to ($sensor_if, sensor_ip) from all tagged SUSPECT
> >.....
>

This won't work in my case.
It would work if I want to capture only connections from my host to a
blacklisted one.
But I want to capture all the traffic of my host (not only the one to any
blacklisted host) after a connection of this host to a blacklisted one
occurs.

> Source connection tracking would probably also work here too but unless
> you are planning on filling up RAM per table usage I would certainly
> suggest using tagging.
>
> An example of what I use for src connection tracking that overloads to a
> blacklist would be one for SSH logins.
>
> pass in log quick proto tcp from !<trusted> port >1023 to any port
> $shports label "Login/SSH:$dstport" keep state (max-src-conn 5,
> max-src-conn-rate 15/30 overload <blacklist> flush global)
>
> But this may not be exactly what you're looking for even though it could
> be tricked out to put every IP into a table but like I said you're going
> to be filling up some RAM fairly quickly by keeping those hosts in a
> table depending on how often your rule is going to match.
>

I have seen the option overload. I could have used it if it was possible to
set max-src-conn to 0: the overload table would have been filled in as soon as
a connection to a blacklisted host occurs.
In my case, the hosts which will be added to the table are the ones on my
internal network. Although this is a university, the number of ip addresses
which will be added to a table is limited, so I don't worry about RAM usage.
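The difference between the three rule sets discussed in this thread, as an added model that is not part of the thread and not pf code: a toy classifier that decides, per packet, whether each approach would dup-to the sensor. It shows why per-packet `tag SUSPECT` only covers the packet that touched the blacklist, why the proposed `add ipsrc <infected_hosts>` keeps duplicating the host's later traffic, and why `overload` only helps once a source exceeds `max-src-conn`. The `Packet` type, the firewall classes, the `run` helper and every address in the trace are constructed for this example; pf's last-match rule evaluation and real state tracking are deliberately not modelled.

```python
"""Toy model of the pf(4) rule sets discussed in the thread (constructed, not pf code).

It captures only one question per packet from an internal host:
would this rule set duplicate the packet to the sensor?
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str  # internal host
    dst: str  # remote host


# Constructed: the single blacklisted remote address used in the trace.
BLACKLIST = {"203.0.113.7"}


@dataclass
class TagFirewall:
    """'tag SUSPECT' marks only the packet that matched the blacklist rule,
    so 'from all tagged SUSPECT' never sees the host's other traffic."""
    blacklist: set

    def duplicated(self, pkt: Packet) -> bool:
        return pkt.dst in self.blacklist


@dataclass
class TableFirewall:
    """Proposed 'add ipsrc <infected_hosts>': the source address stays in the
    table, so every later packet from that host matches 'from <infected_hosts>'."""
    blacklist: set
    infected_hosts: set = field(default_factory=set)

    def duplicated(self, pkt: Packet) -> bool:
        if pkt.dst in self.blacklist:
            self.infected_hosts.add(pkt.src)
        return pkt.src in self.infected_hosts


@dataclass
class OverloadFirewall:
    """'overload <table>' fires only once a source exceeds max-src-conn, which
    is why a threshold of 0 was wanted. Simplified: each packet is one connection."""
    blacklist: set
    max_src_conn: int
    conns: dict = field(default_factory=dict)
    overload: set = field(default_factory=set)

    def duplicated(self, pkt: Packet) -> bool:
        if pkt.dst in self.blacklist:
            n = self.conns.get(pkt.src, 0) + 1
            self.conns[pkt.src] = n
            if n > self.max_src_conn:
                self.overload.add(pkt.src)
        return pkt.src in self.overload


def run(fw, trace):
    """Return, per packet, whether the rule set would dup-to the sensor."""
    return [fw.duplicated(p) for p in trace]


# Constructed trace: host .5 contacts the blacklisted ip, then a benign one.
TRACE = [
    Packet("10.0.0.5", "203.0.113.7"),    # contact with a blacklisted ip
    Packet("10.0.0.5", "198.51.100.20"),  # same host, benign destination
    Packet("10.0.0.9", "198.51.100.20"),  # another host, never suspicious
]


if __name__ == "__main__":
    print("tag     :", run(TagFirewall(BLACKLIST), TRACE))    # [True, False, False]
    print("add     :", run(TableFirewall(BLACKLIST), TRACE))  # [True, True, False]
    six = [Packet("10.0.0.5", "203.0.113.7")] * 6
    print("overload:", run(OverloadFirewall(BLACKLIST, 5), six))  # 5 False, then True
```

The second packet of the trace is the case the thread turns on: the tagging rule set does not duplicate it because nothing about that packet matches the blacklist, while persistent table membership does. The overload run shows the other point raised, that a source only lands in the overload table after its connection count passes the configured limit, so a single contact with a blacklisted host is not enough unless the limit could be set to zero.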