Date: Wed, 23 Jun 2010 17:10:31 -0400 From: Michael Proto <mike@jellydonut.org> To: Peter Maxwell <peter@allicient.co.uk> Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org> Subject: Re: can pf block a string ? or better, to limit it ? Message-ID: <AANLkTilBWj_tA7-ECbzKLz3hkZDPwo6HmBWnRe-yiS_K@mail.gmail.com> In-Reply-To: <AANLkTinCwonuSkfbLIWfHYW53jyIC4zWNxReA4Fmn5Kh@mail.gmail.com> References: <AANLkTima26GreX5jtmdJiR2FbNiB5O4ixN92oqxktTmb@mail.gmail.com> <7114830758496124649@unknownmsgid> <AANLkTimN_9x-cQiF12bQdIjtHa7BjM6kMoEfsjcjcKLH@mail.gmail.com> <AANLkTinCwonuSkfbLIWfHYW53jyIC4zWNxReA4Fmn5Kh@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 23, 2010 at 4:15 PM, Peter Maxwell <peter@allicient.co.uk> wrote: > Hmmm, off the top of my head: I wonder if you could use Snort and have that > do full packet inspection for you. Then you should be able to script an > alert if the string is found and call pfctl to add the offending IP address > to a table that blackholes it. Just a thought. > > Or if you want to do it "properly", I'm sure you could code something along > the lines of a kernel module. > What about proxying the connection with nstreams? http://www.freshports.org/net-mgmt/nstreams -Proto
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTilBWj_tA7-ECbzKLz3hkZDPwo6HmBWnRe-yiS_K>