View Single Post
Old 11th January 2010
There0 There0 is offline
Join Date: Jul 2008
Posts: 170

I asked him for any suggestions or tips about parsing pflog and extracting IP's and if there was a way to put them into a table or whatever was possible, awaiting a reponse on that question.
Peter's reply to that question;

There is a at least deamon in the base system that reads data off
pflog interfaces already: spamlogd.

By looking at /usr/src/libexec/spamlogd/spamlogd.c and likely the
table parts of pfctl it should be feasible to hack together something
that reads a specific pflog interface (I would suggest logging each
rule you're interested in to a separate pflog interface or at least
clustering the blocks that should be treated similarly), looks for
blocks instead of passes, updates table entries. Might even be a fun
project. I'm not sure I'll have the time to do much about in the short
run though.
I actually use snort and have it drop offending IP's into /etc/hosts.deny, i am certain that snort can be configured to your specifications regarding blocking port 22 TCP requests and blocked/logged accordingly.
The more you learn, the more you realize how little you know ....
Reply With Quote