If you need some 'hardcore' pf rule, you can do something like this:

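# Match on the external interface with source "any": the limits are tracked per
# client address. overload only adds the source to the table; a separate block
# rule on that table is what drops it.
pass in log quick on $ext_if proto tcp from any to any port 80 \
        flags S/SA keep state (max-src-conn 50, max-src-conn-rate 10/8, \
         overload <shit> flush global)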

Adjust (max-src-conn and max-src-conn-rate) to your needs.

2009/11/3 David Taveras <[email protected]>:
> Hello,
>
> We have a site with about 2000 visits per day, and now the logging is
> getting extremely hard to review, as security is number one the ideal
> situation for me would be to be able to classify the output into
> groups so that I as a sysadmin can be aware of all, know if there is an
> increase of hits for a particular rule, and most important is to know
> when I am getting (or tried to) getting SQL/PHP injected.
>
> Is there a way without using commercial add-ons to classify all this
> output and actually make sense of it, possibly by sending important
> alerts?  How do other people do this?
>
> Sure: best practice is to have secure PHP code.. but in an environment
> where you cannot trust the code. This is my only path.
>
>
> Thank you.
>
> David Taveras
>
>

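To pick values for max-src-conn-rate before enforcing them, the following added example (not part of the original thread) replays web access-log lines and reports which sources would have exceeded 10 requests in 8 seconds. Assumptions: Apache common log format, an exact sliding window rather than pf's internal accounting, and one request counted as one connection (keep-alive makes this an overestimate); the log lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading fields of an Apache common/combined log line: client address, timestamp.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def make_line(ip, sec):
    """Build one constructed log line at 10:00:<sec> on 3 Nov 2009."""
    return f'{ip} - - [03/Nov/2009:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'

# Constructed sample: a burst source (12 requests in 6 s) and a slow source (1 per 6 s).
SAMPLE_LOG = ([make_line("198.51.100.7", i // 2) for i in range(12)]
              + [make_line("203.0.113.9", s) for s in range(0, 60, 6)])

def parse(line):
    """Return (source, epoch_seconds), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), ts.timestamp()

def would_overload(lines, limit=10, interval=8):
    """Return (tripped, peak): tripped maps each source that exceeded `limit`
    requests within `interval` seconds to the time it first did so; peak maps
    every source to its highest in-window count, for choosing a threshold."""
    windows, peak, tripped = defaultdict(deque), defaultdict(int), {}
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[1])
    for src, t in events:
        w = windows[src]
        w.append(t)
        while t - w[0] >= interval:      # drop events older than the window
            w.popleft()
        peak[src] = max(peak[src], len(w))
        if len(w) > limit:
            tripped.setdefault(src, t)   # keep only the first crossing
    return tripped, dict(peak)

if __name__ == "__main__":
    tripped, peak = would_overload(SAMPLE_LOG)
    for src in sorted(peak):
        state = "would be overloaded" if src in tripped else "ok"
        print(f"{src}: peak {peak[src]} requests per 8 s window, {state}")
```

The peak column is the useful part for tuning: set the limit comfortably above the peaks of legitimate clients such as proxies and crawlers you want to keep.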