While pf has no syntax for intrusion detection, it has some nice features that aid in intrusion detection.
scrub: makes sure that the intrusion detection system inside the firewall cannot be fooled by fragments and similar other tricks that would cause hosts and the IDS to see different packet streams.

binary logs: complete packets (within the given snaplength) are logged, which can give you more information about the nature of the attacker (e.g. passive OS detection) and the attack/scan.

dup-to: you can redirect packets to a different interface (where the IDS listens?).

anchor rules and tables: your IDS can interact with pf to selectively block the attacking hosts.

You can find many other creative uses ...

Can

On Wed, Jan 22, 2003 at 02:35:05PM -0800, Bryan Irvine wrote:
> Does pf have a syntax for intrusion detection?
>
> If not, what do you guys recommend? Nessus? Snort? Prelude?
>
> --Bryan
>
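The four features named in the reply above, tied together in one pf.conf fragment as an added example (not from Can's post or from the pf project). The interface names, the sensor address and the table and anchor names are assumptions, and the `scrub`/`dup-to` syntax is the OpenBSD 3.x-era form, so check it against the pf.conf(5) of the release you run.

```pf
# Added example, not from the original post. Interface names, the sensor
# address and the table/anchor names below are assumptions.
ext_if   = "fxp0"
ids_if   = "fxp1"        # interface the IDS sensor listens on
ids_addr = "10.0.0.2"    # assumed sensor address, next hop for dup-to

# 1. scrub: reassemble fragments and normalize packets before filtering,
#    so the protected hosts and the IDS see the same packet stream.
scrub in all

# 2. table: the IDS populates it at runtime, pf blocks whatever it holds.
#    The IDS adds/removes entries without reloading the ruleset, e.g.
#      pfctl -t ids_blocked -T add 192.0.2.7
#      pfctl -t ids_blocked -T delete 192.0.2.7
table <ids_blocked> persist

# 3. anchor: the IDS can also load whole rules on the fly, e.g.
#      echo "block in quick from 192.0.2.7 to any" | pfctl -a ids -f -
anchor "ids"

# Drop (and log) anything the IDS has flagged.
block in log on $ext_if from <ids_blocked> to any

# 4. log + dup-to: "log" writes the full packet (up to the snaplen given
#    to pflogd with -s) to pflog0, and dup-to copies every matching packet
#    to the sensor on $ids_if. Read the binary log afterwards with:
#      tcpdump -n -e -ttt -r /var/log/pflog
pass in log on $ext_if dup-to ($ids_if $ids_addr) \
    proto tcp from any to any port 80 keep state
```

Because the sensor receives a copy of the traffic after scrub has normalized it, the IDS and the web server both see the same reassembled stream, which is the point of the scrub remark above.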