Hi Stephan, hi list, I rewrote snort2pf-3.4 and brought a number of changes that might be of interest for some of us. I didn't really know where to announce it but given snort2pf is only used by pf users by definition, I deemed this would be the best place for it.
A few improvements that are worth noting for users:
- works on alert_fast as well as alert_full files (I'm not a Snort expert so the regex requires an experienced review, but I think it's simple enough to work in all cases);
- take over blocked hosts from previous instance;
- kill states associated to the offending host along with blocking it;
- extend amnesty when a new alert affects an already blocked host;
- handle alert file rotation;
- log everything to syslog (using LOG_DAEMON facility);
- store pid in /var/run/snort2pf.pid;
- improve amnesty processing from O(n) to O(1);
- idpsinfo can now run without /usr and the auto-refresh behaviour is optional (much as systat(1)); also rename it to snort2pfmon for consistency.

Other improvements that I think interesting for Stephan:
- improve mdoc(7) format for manpages;
- use Getopt::Std instead of hand-rolled command-line parsing;
- don't use sudo(8) inside snort2pfmon(2), let the user choose if he needs to.

You can find it on this URL. I would be glad if you accepted my changes.
http://tataz.chchile.org/~tataz/snort2pf/

Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
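The mechanics behind several of the listed changes (parsing alert_fast lines for the source host, blocking it in a pf table and killing its states, extending amnesty on a repeat alert, and expiring amnesty in O(1) instead of O(n)) are easy to illustrate in a small model. The following is an added example written for this thread, not code from snort2pf or from Jeremie's rewrite; it is in Python rather than the tool's own Perl, the alert lines are constructed, the pfctl invocations (`pfctl -t <table> -T add/delete`, `pfctl -k <host>`) are the standard pfctl flags and are only assumed to be what snort2pf runs, and commands are collected in a list rather than executed so the logic can be exercised offline.

```python
import re
from collections import deque

# Constructed alert_fast-style lines; none of them come from the post.
SAMPLE_ALERTS = [
    "03/14-10:00:01.000000  [**] [1:1000001:1] CONSTRUCTED scan [**] "
    "[Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22",
    "03/14-10:00:05.000000  [**] [1:1000002:1] CONSTRUCTED probe [**] "
    "[Classification: Attempted Recon] [Priority: 2] {ICMP} 192.0.2.11 -> 198.51.100.5",
    "03/14-10:00:30.000000  [**] [1:1000001:1] CONSTRUCTED scan [**] "
    "[Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.10:44322 -> 198.51.100.5:22",
    "this line is not an alert and must be ignored",
]

# Source host of an alert_fast line: "{PROTO} src[:port] -> dst[:port]".
# Assumed layout of the line; the real regex should get the review the post asks for.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)


def parse_alert(line):
    """Return the offending source address of an alert line, or None."""
    m = ALERT_RE.search(line)
    return m.group("src") if m else None


class Blocklist:
    """Blocked hosts with a fixed amnesty period, expired in O(1) per host.

    Because every block gets the same amnesty and time only moves forward,
    entries appended to the queue are already ordered by expiry. Extending a
    host's amnesty appends a fresh entry; the stale one is skipped when it
    reaches the front (lazy deletion), so no scan of the table is ever needed.
    """

    def __init__(self, amnesty, table="snort2pf"):
        self.amnesty = amnesty
        self.table = table          # pf table name (assumed)
        self.expiry = {}            # host -> expiry currently in force
        self.queue = deque()        # (expiry, host), oldest first
        self.commands = []          # pfctl argv lists that would be run

    def adopt(self, hosts, now):
        """Take over hosts already in the table from a previous instance."""
        for host in hosts:
            if host not in self.expiry:
                self.expiry[host] = now + self.amnesty
                self.queue.append((now + self.amnesty, host))

    def block(self, host, now):
        """Block a host (or extend its amnesty) and kill its states."""
        new_expiry = now + self.amnesty
        if host not in self.expiry:
            self.commands.append(["pfctl", "-t", self.table, "-T", "add", host])
            self.commands.append(["pfctl", "-k", host])   # drop existing states
        self.expiry[host] = new_expiry
        self.queue.append((new_expiry, host))

    def expire(self, now):
        """Release every host whose amnesty has run out; returns them."""
        released = []
        while self.queue and self.queue[0][0] <= now:
            exp, host = self.queue.popleft()
            if self.expiry.get(host) == exp:    # still the entry in force
                del self.expiry[host]
                self.commands.append(["pfctl", "-t", self.table, "-T", "delete", host])
                released.append(host)
        return released


def process_alerts(blocklist, lines, times):
    """Feed alert lines (with the time each was seen) into the blocklist."""
    blocked = []
    for line, now in zip(lines, times):
        host = parse_alert(line)
        if host:
            blocklist.block(host, now)
            blocked.append(host)
    return blocked


if __name__ == "__main__":
    bl = Blocklist(amnesty=60)
    process_alerts(bl, SAMPLE_ALERTS, [0, 5, 30, 31])
    for now in (61, 70, 100):
        print(now, "released", bl.expire(now))
    for argv in bl.commands:
        print(" ".join(argv))
```

The third alert repeats the first host, so its amnesty is pushed out to 90 seconds without a second `pfctl -T add`; at t=61 the stale 60-second entry reaches the front of the queue and is skipped, which is what keeps expiry O(1) per host rather than a scan of every blocked address.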
