I also have plans to write a sniffer to detect this kind of misuse without log-parsing, and the idea is to implement it at your gateway choke-point so it can detect it against any inbound connection, regardless of the ultimate source. Sorry to mention vaporware, but I'm pretty close to finishing it -- I have a sniffer that detects bittorrent traffic behind NAT and sets up rdr rules to support it.
It's also a logical step to do port knocking (a/k/a single packet authentication) by sniffing the pflog interface and capturing the full content of blocked packets. I intend to do that as well.

--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
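The pflog-based knock detection sketched in the post, as an added example that is not part of the original message or its author's tool. It assumes the blocked packets have already been decoded into text lines in roughly the shape tcpdump prints for pflog0 (the sample lines below are constructed), and it assumes a knock sequence, a timing window and a pf table name `knocked` that are all arbitrary choices for the example; the only real command it emits is the `pfctl -t <table> -T add <addr>` form.

```python
"""Port-knock detector fed from pflog-style blocked-packet records.

Added example, not code from the original post. Decoding the pflog interface
itself (e.g. tcpdump -i pflog0, or a libpcap reader) is out of scope; the
detector consumes (timestamp, src_ip, dst_port) tuples for blocked SYNs.
"""
import re

# Assumed knock sequence and window; any real deployment picks its own.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0  # seconds within which the whole sequence must complete

# Constructed lines shaped like tcpdump's pflog output (hypothetical addresses).
SAMPLE_LOG = """\
12:00:01.000000 rule 0/(match): block in on em0: 192.0.2.10.51234 > 198.51.100.5.7000: Flags [S]
12:00:02.000000 rule 0/(match): block in on em0: 192.0.2.10.51235 > 198.51.100.5.8000: Flags [S]
12:00:02.500000 rule 0/(match): block in on em0: 203.0.113.7.40000 > 198.51.100.5.7000: Flags [S]
12:00:03.000000 rule 0/(match): block in on em0: 192.0.2.10.51236 > 198.51.100.5.9000: Flags [S]
12:00:04.000000 rule 0/(match): block in on em0: 203.0.113.7.40001 > 198.51.100.5.9000: Flags [S]
12:00:20.000000 rule 0/(match): block in on em0: 203.0.113.7.40002 > 198.51.100.5.8000: Flags [S]
"""

PFLOG_RE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d+) rule \S+ block in on \S+: "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse_line(line):
    """Return (seconds_since_midnight, src_ip, dst_port) or None if unparseable."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    h, mi, s, frac, src, _sport, _dst, dport = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
    return ts, src, int(dport)


class KnockDetector:
    """Tracks, per source address, how far it has got through the sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}  # src -> (index of next expected port, time of first knock)
        self.authorized = []

    def observe(self, ts, src, dst_port):
        """Feed one blocked packet; return src when it completes the sequence."""
        idx, start = self.progress.get(src, (0, ts))
        if idx and ts - start > self.window:
            idx, start = 0, ts  # partial sequence too old: start over
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == 1:
                start = ts
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                self.authorized.append(src)
                return src
            self.progress[src] = (idx, start)
        else:
            # Strict ordering: a wrong port discards the progress, but a fresh
            # first knock may begin a new attempt immediately.
            self.progress.pop(src, None)
            if dst_port == self.sequence[0]:
                self.progress[src] = (1, ts)
        return None


def pf_table_command(src, table="knocked"):
    """pfctl invocation that would admit the source via an (assumed) pf table."""
    return f"pfctl -t {table} -T add {src}"


def detect_knocks(log_text, table="knocked"):
    """Run the detector over log lines and return the pfctl commands to issue."""
    det = KnockDetector()
    cmds = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = det.observe(*rec)
        if src:
            cmds.append(pf_table_command(src, table))
    return cmds


if __name__ == "__main__":
    for cmd in detect_knocks(SAMPLE_LOG):
        print(cmd)
```

Only the first source completes the sequence in the sample; the second hits the ports out of order and is discarded, which is the point of reading the blocked packets rather than the allowed ones: every knock is a packet pf already dropped, so a wrong or stale sequence costs nothing but a log line.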
