On 2/3/2010 7:57 PM, Jim Pingle wrote:
> On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
>> It would be incredibly handy to build a report that summarizes the number of 
>> states open, grouped by IP.  That way, one could easily identify a DoS origin.
>>
>> For example, I just had an attacker attempt to open 40,000 simultaneous 
>> HTTP sessions on one of my servers.  I'd love to be able to see something 
>> like this:
>>
>> Proto   Source      SRC Ports   DST Ports
>> TCP     10.0.x.x    40,000      1
>> TCP     74.1.x.x    16          1
>> TCP     63.5.x.x    10          1
>> TCP     152.4.x.x   4           1
> 
> That may not be too difficult to pull off, just some basic regex work
> and knowledge of the output of "pfctl -ss". Though the format of such a
> report would end up being a bit more complicated than the output you show.
> 
> There are incoming connections, outgoing connections, outgoing NAT
> connections, incoming NAT connections (port forwards), etc, etc. And it
> looks like some detail is only listed in pfctl -ss while a state is
> active. The output you are talking about would only be a subset of the
> whole -- namely, outgoing NAT connections.
> 
> I might see if I can make something useful out of it. It may not take
> long, but that depends on available time.

I just committed a basic package that adds Diagnostics > State Summary,
which has somewhat of a similar form to what you're after. It probably
needs some more refinement, but the info is there.
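
A sketch of the per-source summary discussed in this thread, added here as an example; it is not part of the original message and is not the code of the committed pfSense package. It assumes the `pfctl -ss` line layout described in the comment, and every address in `SAMPLE` is constructed.

```python
from collections import defaultdict

ARROWS = ("->", "<-")
# Constructed sample. Assumed "pfctl -ss" layout (not taken from the thread):
#   <iface> <proto> <addr> <arrow> <addr> [<arrow> <addr>]   <state>
SAMPLE = """\
all tcp 192.0.2.10:80 <- 198.51.100.7:40001       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:80 <- 198.51.100.7:40002       SYN_SENT:ESTABLISHED
all tcp 192.0.2.10:80 <- 203.0.113.9:51515       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:33000 -> 192.0.2.1:61000 -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:5353 -> 203.0.113.53:53       MULTIPLE:SINGLE
"""

def split_host_port(token):
    """Split 'ip:port' (IPv4) or 'addr[port]' (IPv6) into (host, port)."""
    if token.endswith("]"):
        return tuple(token[:-1].split("[", 1))
    host, _, port = token.rpartition(":")
    return (host, port) if host else (token, "")

def parse_state(line):
    """Return (proto, src_ip, src_port, dst_port), or None if not a state line."""
    fields = line.split()
    idx = [i for i, f in enumerate(fields) if f in ARROWS]
    # Addresses sit around the arrows; "(addr)" tokens are pre-NAT originals.
    addrs = [f for f in fields[2:idx[-1] + 2]
             if f not in ARROWS and not f.startswith("(")] if idx else []
    if len(addrs) < 2:
        return None
    # "->" reads source to destination; "<-" lists the destination first.
    if fields[idx[0]] == "<-":
        addrs.reverse()
    (src_ip, sport), (_, dport) = split_host_port(addrs[0]), split_host_port(addrs[-1])
    return fields[1], src_ip, sport, dport

def summarize(text):
    """Rows of (proto, source, states, distinct src ports, distinct dst ports)."""
    groups = defaultdict(lambda: [0, set(), set()])
    for parsed in filter(None, map(parse_state, text.splitlines())):
        entry = groups[(parsed[0].upper(), parsed[1])]
        entry[0] += 1
        entry[1].add(parsed[2])
        entry[2].add(parsed[3])
    rows = [(p, ip, n, len(sp), len(dp)) for (p, ip), (n, sp, dp) in groups.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print("%-5s %-40s %7d %7d %7d" % row)
```

The rows are sorted by state count, so a source holding an unusually large number of states against a single destination port comes out first.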

