Packet Filter alerting system.


by Gaurav Ghimire


Hi all,

Just curious to know if we have something, some alerting system or mechanism that provides the administrator with the daily reports that pf itself or some other
tool collects on pf's behalf.

That probably reports the admin of:
~ Total connection counts matched on each rulesets.
~ Total number of counts matched on deny rules.
~ IP/Port attack logs and relatives.

I would really appreciate it if there are any such mechanisms, or if I am provided with any pointers on achieving this.

Regards,
--
Gaurav Ghimire
System Administrator
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal


T: 00977 1 4429616/17 Ext.: 110
F: 00977 1 4430572

http://www.subisu.net.np

(An ISO 9001:2000 Certified Company)
_______________________________________________
freebsd-pf@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@..."

Re: Packet Filter alerting system.

by Tom Uffner


Gaurav Ghimire wrote:
> Just curious to know if we have something, some alerting system or mechanism that provides the administrator with the daily reports that pf itself or some other
> tool collects on pf's behalf.
>
> That probably reports the admin of:
> ~ Total connection counts matched on each rulesets.
> ~ Total number of counts matched on deny rules.

/etc/periodic/security/520.pfdenied

it should be enabled by default if you haven't done anything unnatural to
the /etc/periodic system

> ~ IP/Port attack logs and relatives.

only if you specify "log" in one or more of your pf rules, in which
case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
/var/log/pf.{today,yesterday}

tom

Re: Packet Filter alerting system.

by Tim Hogan


Tom Uffner wrote:

> Gaurav Ghimire wrote:
>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>> tool collects on pf's behalf.
>>
>> That probably reports the admin of:
>> ~ Total connection counts matched on each rulesets.
>> ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural to
> the /etc/periodic system
>
> > ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom
>
Not sure if this will help but I have added the following line to
/etc/periodic/security/520.pfdenied

pfctl -sr -v | grep -v "Inserted:" \
    | awk '/^[apb]/ { printf "\n%s\n", $0 } $0 !~ /^[apb]/' \
    | mailx -s "Daily PF Hit Report" root

This will produce something like the following for each rule that you have:

pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]

The down side is that the numbers will increment from the last time PF
was restarted, not from the previous day.

Regards,
Tim



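Tim's pipeline mails counters that only reset when pf restarts. As an added example (not code from this thread), the following sh script turns `pfctl -sr -v` output into per-rule packet counts and reports the change since the previous day's snapshot, treating a counter that went down as a restart; the snapshot paths under /var/db and the two sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-rule packet counts from
# `pfctl -sr -v`, reported as the change since the previous run so the
# daily mail is not skewed by counters accumulating since pf last started.
# Assumes the rule/counter line layout shown in Tim's post.

# Constructed sample of `pfctl -sr -v` output (two rules) for offline use.
SAMPLE_RULES='pass in quick on vr0 inet proto udp from 10.0.0.1 to 10.0.0.2 port = syslog keep state
  [ Evaluations: 560355    Packets: 46        Bytes: 4058        States: 0     ]
block drop in log quick on vr0 inet proto tcp from any to 10.0.0.2 port = ssh
  [ Evaluations: 1200      Packets: 300       Bytes: 18000       States: 0     ]'

# Reads the rule listing on stdin, prints one "packets<TAB>rule" line per rule.
# Lines matching neither pattern (e.g. "[ Inserted: ... ]") are ignored.
pf_rule_packets() {
    awk '
        /^(pass|block|match|anchor|antispoof|scrub)/ { rule = $0; next }
        /^ *\[ *Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") print $(i+1) "\t" rule
        }'
}

# Args: previous snapshot file, current snapshot file (format as above).
# Prints "delta<TAB>rule". A counter lower than last time means pf was
# restarted, so the current value is reported instead of a negative delta.
pf_rule_delta() {
    awk -F '\t' '
        FILENAME == ARGV[1] { prev[$2] = $1; next }
        {
            d = $1
            if (($2 in prev) && prev[$2] <= $1) d = $1 - prev[$2]
            printf "%d\t%s\n", d, $2
        }' "$1" "$2"
}

# Daily use from a periodic script (paths under /var/db are assumed):
#   pfctl -sr -v | pf_rule_packets > /var/db/pfhits.today
#   pf_rule_delta /var/db/pfhits.yesterday /var/db/pfhits.today | sort -rn \
#       | mailx -s "Daily PF Hit Report" root
#   mv /var/db/pfhits.today /var/db/pfhits.yesterday
```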

RE: Packet Filter alerting system.

by Kevin-206


> Gaurav Ghimire wrote:
> > Just curious to know if we have something, some alerting system or
> mechanism that provides the administrator with the daily reports that
> pf itself or some other
> > tool collects on pf's behalf.
> >
> > That probably reports the admin of:
> > ~ Total connection counts matched on each rulesets.
> > ~ Total number of counts matched on deny rules.
>
> /etc/periodic/security/520.pfdenied
>
> it should be enabled by default if you haven't done anything unnatural
> to
> the /etc/periodic system
>
>  > ~ IP/Port attack logs and relatives.
>
> only if you specify "log" in one or more of your pf rules, in which
> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
> /var/log/pf.{today,yesterday}
>
> tom


I wrote a script that compiles a daily report on any pf table based
threshold breaches -- something that could be modified to produce many
different types of daily pf based reports:

http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/



Something to look at anyways.



Re: Packet Filter alerting system.

by Gaurav Ghimire


Kevin wrote:

>> Gaurav Ghimire wrote:
>>> Just curious to know if we have something, some alerting system or
>> mechanism that provides the administrator with the daily reports that
>> pf itself or some other
>>> tool collects on pf's behalf.
>>>
>>> That probably reports the admin of:
>>> ~ Total connection counts matched on each rulesets.
>>> ~ Total number of counts matched on deny rules.
>> /etc/periodic/security/520.pfdenied
>>
>> it should be enabled by default if you haven't done anything unnatural
>> to
>> the /etc/periodic system
>>
>>  > ~ IP/Port attack logs and relatives.
>>
>> only if you specify "log" in one or more of your pf rules, in which
>> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
>> /var/log/pf.{today,yesterday}
>>
>> tom
>
>
> I wrote a script that compiles a daily report on any pf table based
> threshold breaches -- something that could be modified to produce many
> different types of daily pf based reports :
>
>
> http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/
>
>
>
> Something to look at anyways.
>
>
Hi all,

Thanks for all your help.

After a few workarounds I managed to get what I required.

I wrote a script to get an easy to read report on all the traffic
matching the block rule in my pf. The script could be modified to get
reports on other specific rulesets you intend to; however, for that to
work you might have to define another logging interface using pflogd
and slap it on the rules you want to get reports on.

Here it is if you guys wanna have a look:
http://nixify.blogspot.com/2009/10/getting-reports-on-intrusion-attempts.html


Regards,

--
Gaurav Ghimire
System Administrator
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal


http://www.subisu.net.np

(An ISO 9001:2000 Certified Company)
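The setup Gaurav describes, as an added example that is not his script: a pf.conf fragment that sends only the block rule to a second pflog interface, the pflogd instance that records it, and an sh summary of the capture by source address and destination port; the interface name pflog1, the /var/log/pflog1 path, the 10.0.0.2 host and the sample tcpdump lines are assumptions.

```shell
#!/bin/sh
# Added example, not Gaurav's script: a second pflog interface that
# receives only the block rule, and an sh summary of what it captured.
# Interface pflog1, /var/log/pflog1 and host 10.0.0.2 are assumptions.
#
# 1. /etc/pf.conf: "log (to pflog1)" sends this rule's matches to pflog1
#    instead of the default pflog0, so the report covers only this rule:
#
#      block in log (to pflog1) quick on vr0 inet proto tcp from any to 10.0.0.2 port ssh
#
# 2. Create the interface, start a pflogd for it, reload the ruleset:
#
#      ifconfig pflog1 create
#      ifconfig pflog1 up
#      pflogd -i pflog1 -f /var/log/pflog1
#      pfctl -f /etc/pf.conf
#
# 3. Daily: dump the capture with tcpdump and summarise it (below).

# Constructed lines in the shape `tcpdump -n -e -r /var/log/pflog1` prints.
SAMPLE_LOG='rule 3/0(match): block in on vr0: 192.0.2.10.51234 > 10.0.0.2.22: Flags [S], length 0
rule 3/0(match): block in on vr0: 192.0.2.10.51235 > 10.0.0.2.22: Flags [S], length 0
rule 3/0(match): block in on vr0: 198.51.100.7.40000 > 10.0.0.2.22: Flags [S], length 0
rule 3/0(match): block in on vr0: 192.0.2.10.51236 > 10.0.0.2.23: Flags [S], length 0'

# Reads tcpdump lines on stdin; prints "hits<TAB>source<TAB>dst_port", busiest first.
pflog_summary() {
    awk '
        /\(match\)/ {
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            sub(/\.[0-9]+$/, "", src)                   # strip the source port
            sub(/:$/, "", dst); n = split(dst, p, ".")  # last element is dst port
            hits[src "\t" p[n]]++
        }
        END { for (k in hits) printf "%d\t%s\n", hits[k], k }' | sort -rn
}

# Keeps only sources at or above a hit threshold (first argument).
pflog_alerts() {
    awk -F '\t' -v min="$1" '$1 >= min'
}

# Daily use:
#   tcpdump -n -e -r /var/log/pflog1 2>/dev/null | pflog_summary \
#       | pflog_alerts 5 | mailx -s "Daily PF block report" root
```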

