On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
> It would be incredibly handy to build a report that summarizes the number of
> states open, grouped by IP. That way, one could easily identify a DOS origin.
>
> For example, I just had an attacker attempt to open 40,000 simultaneous
> HTTP sessions on one of my servers. I'd love to be able to see something
> like this:
>
> Proto  Source       SRC Ports  DST Ports
> TCP    10.0.x.x        40,000          1
> TCP    74.1.x.x            16          1
> TCP    63.5.x.x            10          1
> TCP    152.4.x.x            4          1
That may not be too difficult to pull off, just some basic regex work and
knowledge of the output of "pfctl -ss", though the format of such a report
would end up being a bit more complicated than the output you show. There are
incoming connections, outgoing connections, outgoing NAT connections, incoming
NAT connections (port forwards), etc., etc. And it looks like some detail is
only listed in pfctl -ss while a state is active. The output you are talking
about would only be a subset of the whole -- namely, outgoing NAT connections.

I might see if I can make something useful out of it. It may not take long,
but that depends on available time.

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
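One way to turn "pfctl -ss" output into the per-source summary Nathan asked for. This is an added example, not code from the thread or from pfSense. It assumes the usual pf state-line layout, `IFACE PROTO HOST[:PORT] [(NATHOST:PORT)] -> HOST[:PORT] STATE` for states created by outbound traffic and `... <- ...` for inbound ones, so the originating host is on the left of `->` and on the right of `<-`; the `(host:port)` on an outbound NAT state is the internal, pre-NAT originator, and the script attributes the state to that host so a flooding LAN machine shows up under its real address. The function name `state_report` and the sample state lines are mine; the sample is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): group pf states by
# originating host and count distinct source/destination ports per host.

# Constructed sample of "pfctl -ss"-style lines: one external host holding
# three inbound HTTP states, a second host with two, one outbound NAT state
# and one multicast UDP state.
SAMPLE_STATES='all tcp 192.0.2.10:80 <- 198.51.100.7:40001       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:80 <- 198.51.100.7:40002       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:80 <- 198.51.100.7:40003       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:80 <- 203.0.113.5:51000       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 203.0.113.5:51001       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.1:61234 (10.0.0.12:61234) -> 203.0.113.9:80       ESTABLISHED:ESTABLISHED
all udp 10.0.0.12:5353 -> 224.0.0.251:5353       MULTIPLE:MULTIPLE'

# state_report: read pfctl -ss lines on stdin; print one row per
# (proto, originating host) with the number of distinct originator ports
# and distinct destination ports, busiest originator first.
state_report() {
    printf '%-5s %-39s %9s %9s\n' Proto Source 'SRC Ports' 'DST Ports'
    awk '
    {
        proto = $2
        # Locate the direction arrow. An outbound NAT state carries the
        # pre-NAT "(host:port)" as an extra field, which shifts the arrow.
        arrow = ""
        for (i = 3; i <= NF; i++) if ($i == "->" || $i == "<-") { arrow = $i; break }
        if (arrow == "") next          # not a state line
        left = $3; right = $(i + 1)
        if (i == 5) { left = $4; gsub(/[()]/, "", left) }   # use the pre-NAT host
        # "->": left host opened the state; "<-": right host opened it
        if (arrow == "->") { src = left; dst = right } else { src = right; dst = left }
        # Split host:port on the trailing ":digits" so IPv6 addresses survive
        sp = "-"; dp = "-"
        if (match(src, /:[0-9]+$/)) { sp = substr(src, RSTART + 1); src = substr(src, 1, RSTART - 1) }
        if (match(dst, /:[0-9]+$/)) { dp = substr(dst, RSTART + 1); dst = substr(dst, 1, RSTART - 1) }
        key = proto " " src
        if (!((key, "s", sp) in seen)) { seen[key, "s", sp] = 1; nsrc[key]++ }
        if (!((key, "d", dp) in seen)) { seen[key, "d", dp] = 1; ndst[key]++ }
    }
    END {
        for (k in nsrc) {
            split(k, f, " ")
            printf "%-5s %-39s %9d %9d\n", f[1], f[2], nsrc[k], ndst[k]
        }
    }' | sort -k3,3nr -k2,2
}

# Demo on the constructed sample; on a live box: pfctl -ss | state_report
printf '%s\n' "$SAMPLE_STATES" | state_report
```

On the sample this prints 198.51.100.7 first with 3 source ports against 1 destination port, which is the shape of the flood in the original post: one source, many source ports, one destination port. A legitimate client tends to show a handful of source ports spread over one or two destination ports. `pfctl -ss` needs root, and on a box holding tens of thousands of states the single awk pass is far cheaper than anything that re-parses per host.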