Best option I see here is to dup-to packets to an interface with an IDS listening and give it the ability to add IP addresses to a blacklist and flush all states associated with them.
PF is a kernel space item, and you want to keep this as simple as possible to minimize bugs. Leave complex stuff like intrusion detection to the userland where it can do less harm.

On Fri, Jan 25, 2013 at 3:08 PM, Andres Perera <andre...@zoho.com> wrote:
> i highly doubt that they would add any sort of layer 7/string checking
> capability to pf. it's completely against its design
>
> that's just not going to happen
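One way the userland side of the suggestion above could look, as an added example that is not part of the original message or of any PF tooling: it reads IDS alert lines, adds validated source addresses to a PF table, and kills their existing states. The alert line format, the table name `blacklist`, the allowlist and the function names are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# Assumption: pf.conf already contains
#   table <blacklist> persist
#   block in quick from <blacklist>
TABLE = "blacklist"
# Constructed allowlist: sources the IDS must never be able to block, since
# a spoofed source address could otherwise cut off your own hosts.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
# Hypothetical alert format; adapt the pattern to your IDS's real output.
SRC_RE = re.compile(r"\bsrc=(\S+)")

def offenders(alert_lines):
    """Return validated, de-duplicated source addresses worth blocking."""
    seen, result = set(), []
    for line in alert_lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never hand unparsed IDS text to pfctl
        if addr in seen or any(addr in net for net in NEVER_BLOCK):
            continue
        seen.add(addr)
        result.append(str(addr))
    return result

def pfctl_commands(addr):
    """Commands that blacklist addr and drop the states it already holds."""
    return [["pfctl", "-t", TABLE, "-T", "add", addr],
            ["pfctl", "-k", addr]]

def block(alert_lines, run=subprocess.run):
    """Run the commands (argument lists, no shell); return what was run."""
    executed = []
    for addr in offenders(alert_lines):
        for cmd in pfctl_commands(addr):
            run(cmd, check=True)
            executed.append(cmd)
    return executed

# Constructed sample alerts, not real traffic.
SAMPLE = [
    "ALERT sig=1001 src=203.0.113.7 dst=192.0.2.10",
    "ALERT sig=1001 src=203.0.113.7 dst=192.0.2.11",
    "ALERT sig=1002 src=192.0.2.10 dst=192.0.2.1",
    "ALERT sig=1003 src=203.0.113.9;reboot dst=192.0.2.10",
    "ALERT sig=1004 src=2001:db8::5 dst=192.0.2.10",
]
```

Adding the address to the table only stops new connections; the `pfctl -k` call is what removes the states an offender already holds.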