I don't agree,

Using PF, and only PF, we can feed a table using some parameters, and it is
filtered on one or several ports.

PF can't detect network scans like nmap or ... That is why I use scanlogd
(it is in the OpenBSD ports).
And some people also use Snort for this kind of thing.

PF is a good firewall; we can play with QoS, IP/port filtering, NAT, source
NAT, stateful filtering, load balancing and scrub.
But it is not a NIDS. ;-)

All the best,

Wesley M.

On Wed, 19 Oct 2011 10:05:33 +0300, Gregory Edigarov
<g...@bestnet.kharkov.ua> wrote:
> I think it is bad practice to use something that's not even in the
> base, when you have the feature in pf readily available.
> 
> pass in on vr0 inet proto tcp from any to (vr0) port ssh keep state \
> (max-src-conn-rate 1/60, overload <badhosts> flush global)
> 
> 
> On Wed, 19 Oct 2011 10:04:09 +0400
> "Wesley M." <open...@e-solutions.re> wrote:
> 
>> I added this:
>> 
>> in pf.conf
>> ...
>> table <black> persist file "/etc/black"
>> ...
>> block quick from <black>
>> ...
>> 
>> Added to crontab
>> pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
>> 
>> What do you think about that?
>> Perhaps you have an easier way to do it?
>> Now I'm looking for a small web monitor to view the alerts provided by
>> scanlogd. Any idea?
>> 
>> cheers,
>> 
>> Wesley.
>> 
>> 
>> On Wed, 19 Oct 2011 09:31:35 +0400, "Wesley M."
>> <open...@e-solutions.re> wrote:
>> > Hi,
>> > 
>> > I use OpenBSD 4.9; I'm looking for a good NIDS.
>> > 
>> > I found "scanlogd" in ports; it works very well.
>> > 
>> > But is there a way to make this one work with pf? For example, add the
>> > IP addresses detected by scanlogd to a "blacklist" table?
>> > 
>> > Also, is there a way to have a web monitor to view alerts?
>> > 
>> > Perhaps you use something else... what? ;-) Snort?
>> > 
>> > Thank you very much!
>> > 
>> > All the best,
>> > 
>> > Wesley.
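The cron one-liner quoted above (`pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')`) picks a fixed syslog field, runs on every line of the file whether or not scanlogd wrote it, and will happily block whatever address appears there. Below is an added example of the same idea written more defensively; it is not code from anyone in the thread. It assumes scanlogd's documented syslog line shape ("scanlogd: SRC to DST ports ..."), the `/var/log/alert` path and the `<black>` table name from the thread, and a constructed set of log lines. The never-block list matters because nmap's decoy option (`-D`) lets a scanner put arbitrary source addresses in front of scanlogd, so an unfiltered feed lets an attacker blacklist your own management host.

```sh
#!/bin/sh
# Added example (not from the thread): turn scanlogd alerts into pf table
# entries, with a never-block list so a decoy (spoofed-source) scan cannot
# blacklist the wrong host.
#
# Assumptions: scanlogd logs via syslog in its documented form
#   "scanlogd: SRC to DST ports P1, P2, ..., FLAGS, TOS xx @HH:MM:SS",
# alerts land in /var/log/alert (as in the thread), and the pf table is
# <black> (as in the thread).

# Constructed sample syslog lines (not real traffic). The last line is an
# unrelated sshd message that must be ignored; the fourth reports the admin
# workstation as a scanner, which the never-block list must catch.
SAMPLE_LOG='Oct 19 09:30:01 fw scanlogd: 192.0.2.10 to 198.51.100.1 ports 22, 80, 443, 8080, ..., fSrpauxy, TOS 00 @09:30:01
Oct 19 09:30:05 fw scanlogd: 192.0.2.10 to 198.51.100.1 ports 21, 23, 25, 110, ..., fSrpauxy, TOS 00 @09:30:05
Oct 19 09:31:12 fw scanlogd: 203.0.113.7 to 198.51.100.1 ports 1, 2, 3, 4, 5, ..., fSrpauxy, TOS 00 @09:31:12
Oct 19 09:31:20 fw scanlogd: 198.51.100.50 to 198.51.100.1 ports 22, 25, 80, ..., fSrpauxy, TOS 00 @09:31:20
Oct 19 09:31:30 fw sshd[1234]: Accepted publickey for wesley from 198.51.100.50 port 50000 ssh2'

# Addresses that must never be blocked even if scanlogd reports them
# (assumed values: the admin workstation and the firewall itself).
NEVER_BLOCK='198.51.100.50 198.51.100.1'

# Read syslog lines on stdin; print each unique scan source once.
# The source is the IPv4 address immediately before the word "to" on a
# scanlogd line, so this does not depend on the syslog prefix layout.
scan_sources() {
    awk '
        /scanlogd(\[[0-9]+\])?: / {
            for (i = 2; i < NF; i++)
                if ($i == "to" && $(i-1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    print $(i-1)
        }' | sort -u
}

# Drop never-block addresses; reads one address per line on stdin.
filter_never_block() {
    awk -v skip="$NEVER_BLOCK" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) never[a[i]] = 1 }
        !($1 in never)'
}

# Add the addresses on stdin to the pf table in a single pfctl call.
# Needs root and a running pf; the dry run below never reaches it.
feed_table() {
    table=${1:-black}
    addrs=$(tr '\n' ' ')
    [ -n "$addrs" ] || return 0
    # shellcheck disable=SC2086  # word-splitting into separate args is intended
    pfctl -t "$table" -T add $addrs
}

# Usage:
#   sh scanlogd2pf.sh --dry-run   # show what would be added, from the sample
#   sh scanlogd2pf.sh --apply     # cron target: read the alert log, feed <black>
case "${1:-}" in
    --dry-run) printf '%s\n' "$SAMPLE_LOG" | scan_sources | filter_never_block ;;
    --apply)   scan_sources < "${ALERT_LOG:-/var/log/alert}" | filter_never_block | feed_table black ;;
esac
```

Two operational notes. Addresses added with `pfctl -T add` live only in the kernel table; with `table <black> persist file "/etc/black"` a `pfctl -f` reload goes back to the file's contents, so anything you want to survive a reload has to be written there as well. And nothing above ever removes an entry; pairing the cron job with `pfctl -t black -T expire 86400` (which deletes entries older than the given number of seconds) keeps the table from growing without bound, the same way `overload` tables are usually aged.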
