Re: [pfSense Support] Ability to summarize # of states/IP

On 2/3/2010 7:57 PM, Jim Pingle wrote:
> On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
>> It would be incredibly handy to build a report that summarizes the number of
>> states open, grouped by IP. That way, one could easily identify a DOS origin.
>>
>> For example, I just had an attacker attempt to open 40,000 simultaneous
>> HTTP sessions on one of my servers. I'd love to be able to see something
>> like this:
>>
>> Proto   Source       SRC Ports   DST Ports
>> TCP     10.0.x.x     40,000      1
>> TCP     74.1.x.x     16          1
>> TCP     63.5.x.x     10          1
>> TCP     152.4.x.x    4           1
>
> That may not be too difficult to pull off, just some basic regex work
> and knowledge of the output of "pfctl -ss". Though the format of such a
> report would end up being a bit more complicated than the output you show.
>
> There are incoming connections, outgoing connections, outgoing NAT
> connections, incoming NAT connections (port forwards), etc, etc. And it
> looks like some detail is only listed in pfctl -ss while a state is
> active. The output you are talking about would only be a subset of the
> whole -- namely, outgoing NAT connections.
>
> I might see if I can make something useful out of it. It may not take
> long, but that depends on available time.

I just committed a basic package that adds Diagnostics > State Summary,
which has somewhat of a similar form to what you're after. It probably
needs some more refinement, but the info is there.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Ability to summarize # of states/IP

On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
> It would be incredibly handy to build a report that summarizes the number of
> states open, grouped by IP. That way, one could easily identify a DOS origin.
>
> For example, I just had an attacker attempt to open 40,000 simultaneous
> HTTP sessions on one of my servers. I'd love to be able to see something
> like this:
>
> Proto   Source       SRC Ports   DST Ports
> TCP     10.0.x.x     40,000      1
> TCP     74.1.x.x     16          1
> TCP     63.5.x.x     10          1
> TCP     152.4.x.x    4           1

That may not be too difficult to pull off, just some basic regex work
and knowledge of the output of "pfctl -ss". Though the format of such a
report would end up being a bit more complicated than the output you show.

There are incoming connections, outgoing connections, outgoing NAT
connections, incoming NAT connections (port forwards), etc, etc. And it
looks like some detail is only listed in pfctl -ss while a state is
active. The output you are talking about would only be a subset of the
whole -- namely, outgoing NAT connections.

I might see if I can make something useful out of it. It may not take
long, but that depends on available time.

Jim
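The "basic regex work" over "pfctl -ss" that Jim sketches above, as an added example that is not part of this thread or of any pfSense package: it treats whichever host opened a state as its source, groups by protocol and source IP, and counts states and distinct source and destination ports, so a flood stands out as one source with many states and many source ports against a single destination port. It assumes the pf state line layout "iface proto host [(nat host)] -> host [(nat host)] state", with "->" for states opened by the left host and "<-" for states opened by the right host; the sample lines are constructed.

```python
import re
from collections import defaultdict

# One "pfctl -ss" state line (assumed layout, see lead-in):
#   <iface> <proto> <host> [(<nat host>)] -> <host> [(<nat host>)] <state>
# "->" means the left host opened the state, "<-" means the right host did.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<left_nat>\S+)\))?\s+"
    r"(?P<dir>->|<-)\s+(?P<right>\S+)(?:\s+\((?P<right_nat>\S+)\))?"
)

def split_host(endpoint):
    """pf prints IPv4 endpoints as addr:port and IPv6 ones as addr[port]."""
    sep = "[" if endpoint.endswith("]") else ":"
    addr, _, port = endpoint.rstrip("]").rpartition(sep)
    return addr, port

def summarize(lines):
    """Return (proto, src ip, states, distinct src ports, distinct dst ports) per
    originating host, busiest first; a flood is many states, many src ports, one dst port."""
    buckets = defaultdict(lambda: {"n": 0, "sports": set(), "dports": set()})
    for line in lines:
        m = STATE_RE.match(line)
        if not m:
            continue  # not a state line
        # Prefer the pre-translation address pf shows in parentheses, so an
        # outbound NAT state is attributed to the internal host, not the WAN IP.
        left = m.group("left_nat") or m.group("left")
        right = m.group("right_nat") or m.group("right")
        src, dst = (left, right) if m.group("dir") == "->" else (right, left)
        sip, sport = split_host(src)
        b = buckets[(m.group("proto"), sip)]
        b["n"] += 1
        b["sports"].add(sport)
        b["dports"].add(split_host(dst)[1])
    rows = [(p, ip, b["n"], len(b["sports"]), len(b["dports"]))
            for (p, ip), b in buckets.items()]
    return sorted(rows, key=lambda r: -r[2])

# Constructed sample: a small port-forwarded HTTP flood from 198.51.100.7, plus
# one outbound NAT session, one inbound SSH session and one DNS lookup.
SAMPLE = ["em1 tcp 192.168.1.10:80 (203.0.113.1:80) <- 198.51.100.7:%d   SYN_SENT:CLOSED"
          % p for p in range(40000, 40012)] + [
    "em1 tcp 203.0.113.1:36512 (192.168.1.50:51234) -> 93.184.216.34:80   ESTABLISHED:ESTABLISHED",
    "em0 tcp 192.168.1.10:22 <- 192.168.1.50:51300   ESTABLISHED:ESTABLISHED",
    "em0 udp 192.168.1.50:53210 -> 192.168.1.1:53   MULTIPLE:SINGLE",
]

for proto, ip, n, sp, dp in summarize(SAMPLE):
    print("%-5s %-15s states=%d src_ports=%d dst_ports=%d" % (proto, ip, n, sp, dp))
```

On a live box, feed it the real output with `pfctl -ss | python3 summarize.py` after replacing SAMPLE with `sys.stdin`.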
RE: [pfSense Support] Ability to summarize # of states/IP

And, if I were capable of offering patches, I surely would! :-)

Best Regards,
Nathan Eisenberg
Re: [pfSense Support] Ability to summarize # of states/IP

Hello Nathan,

On Wed, Feb 3, 2010 at 20:35, Nathan Eisenberg wrote:
> It would be incredibly handy to build a report that summarizes the number of
> states open, grouped by IP. That way, one could easily identify a DOS origin.
>
> For example, I just had an attacker attempt to open 40,000 simultaneous
> HTTP sessions on one of my servers. I'd love to be able to see something
> like this:
>
> Proto   Source       SRC Ports   DST Ports
> TCP     10.0.x.x     40,000      1
> TCP     74.1.x.x     16          1
> TCP     63.5.x.x     10          1
> TCP     152.4.x.x    4           1

Patches to "pftop" are very welcome, I suppose.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
[pfSense Support] Ability to summarize # of states/IP

It would be incredibly handy to build a report that summarizes the number of
states open, grouped by IP. That way, one could easily identify a DOS origin.

For example, I just had an attacker attempt to open 40,000 simultaneous
HTTP sessions on one of my servers. I'd love to be able to see something
like this:

Proto   Source       SRC Ports   DST Ports
TCP     10.0.x.x     40,000      1
TCP     74.1.x.x     16          1
TCP     63.5.x.x     10          1
TCP     152.4.x.x    4           1

Best Regards,
Nathan Eisenberg