I don't agree with you either. My opinion is that if you have a good default-deny firewall ruleset, you can eliminate most of the threats. Again, scans are (mostly) harmless. Deploying a NIDS could give you a false sense of security.
On Wed, 19 Oct 2011 11:52:36 +0400 "Wesley M." <[email protected]> wrote:
> I don't agree,
>
> Using PF, and only PF, we can feed a table using some parameters and
> it is filtered on one/several ports.
>
> PF can't detect a network scan like nmap or ... So that is why I use
> scanlogd (it is in the OpenBSD Ports).
> And some people use Snort also for this kind of thing.
>
> PF is a good firewall, we can play with QoS/IP,Ports filter/NAT/ Src
> NAT/ Stateful/Load Balancing/scrub
> But it is not a NIDS. ;-)
>
> All the best,
>
> Wesley M.
>
> On Wed, 19 Oct 2011 10:05:33 +0300, Gregory Edigarov
> <[email protected]> wrote:
> > I think it is bad practice to use something that's not even in the
> > base, when you have the feature in pf readily available.
> >
> > pass in on vr0 inet proto tcp from any to (vr0) port ssh keep state \
> >   (max-src-conn-rate 1/60, overload <badhosts> flush global)
> >
> >
> > On Wed, 19 Oct 2011 10:04:09 +0400
> > "Wesley M." <[email protected]> wrote:
> >
> >> I added this :
> >>
> >> in pf.conf
> >> ...
> >> table <black> persist file "/etc/black"
> >> ...
> >> block quick from <black>
> >> ...
> >>
> >> Added to crontab
> >> pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')
> >>
> >> What do you think about that ?
> >> Perhaps you have an easier way to do it ?
> >> Now I'm looking for a small web monitor to view alerts provided by
> >> scanlogd. Any idea ?
> >>
> >> cheers,
> >>
> >> Wesley.
> >>
> >>
> >> On Wed, 19 Oct 2011 09:31:35 +0400, "Wesley M."
> >> <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I use OpenBSD 4.9, I'm looking for a good NIDS.
> >> >
> >> > I found "scanlogd" in ports, works very well.
> >> >
> >> > But is there a way to work this last one with pf ? For example add
> >> > the ip-address detected by scanlogd to a "Blacklist" table ?
> >> >
> >> > Also, is there a way to have a web monitor to view alerts?
> >> >
> >> > Perhaps you use something else ... what ? ;-) snort ?
> >> >
> >> > Thank you very much !
> >> >
> >> > All the best,
> >> >
> >> > Wesley.
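The cron one-liner quoted in the thread (`pfctl -t black -T add $(cat /var/log/alert | awk '{print $6}')`) hands pfctl the sixth field of every line in the log, whatever program wrote it. The script below is an added example, not code from the thread or from scanlogd, showing the same idea done safely: only lines tagged `scanlogd:` are used, the candidate must be a dotted-quad address, and the pfctl call is made once per unique source. It assumes scanlogd's syslog line format (`<Mon> <day> <time> <host> scanlogd: SRC to DST ports ...`, so the source is field 6 as in the thread), a log at /var/log/alert and the `<black>` table from the thread; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Feeds the pf table <black>
# from scanlogd's syslog output the way the cron one-liner above does,
# but only takes the source address from lines scanlogd actually wrote.
#
# Assumptions: scanlogd logs through syslog as
#   "<Mon> <day> <time> <host> scanlogd: SRC to DST ports ..."
# (so the source is field 6, as in the thread's awk '{print $6}'),
# the log file is /var/log/alert, and the pf table is <black>.

# Constructed sample of /var/log/alert: two scanlogd reports from one
# host, one from another, and an unrelated sshd line that a bare
# '{print $6}' would turn into the bogus "address" Failed.
sample_alert_log() {
    cat <<'EOF'
Oct 19 09:31:35 gw scanlogd: 192.0.2.10 to 203.0.113.5 ports 21, 22, 23, 25, 80, 110, 143, ..., fSrpauxy, TOS 00, TTL 64 @09:31:35
Oct 19 09:32:01 gw sshd[1234]: Failed password for root from 198.51.100.200 port 4242 ssh2
Oct 19 09:40:12 gw scanlogd: 198.51.100.7 to 203.0.113.5 ports 443, 8080, 8443, 3306, 5432, 22, 25, ..., fSrpauxy, TOS 00, TTL 51 @09:40:12
Oct 19 09:41:00 gw scanlogd: 192.0.2.10 to 203.0.113.5 ports 53, 111, 135, 139, 445, 1433, 3389, ..., fSrpauxy, TOS 00, TTL 64 @09:41:00
EOF
}

# Read syslog lines on stdin, print each scanning source once.
# Only lines tagged "scanlogd:" count, and the candidate must look like
# a dotted-quad IPv4 address, so nothing but addresses reaches pfctl.
scan_sources() {
    awk '$5 == "scanlogd:" && $7 == "to" &&
         $6 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $6 }' | sort -u
}

# Read addresses on stdin and add them to <black>, one pfctl call each.
# With DRY_RUN=1 the pfctl commands are printed instead of executed,
# which is how the example can be exercised on a machine without pf.
blacklist() {
    while read -r ip; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'pfctl -t black -T add %s\n' "$ip"
        else
            pfctl -t black -T add "$ip"
        fi
    done
}

# Cron entry to run this every five minutes against the real log
# (hypothetical path for the script):
#   */5 * * * * /etc/scanlogd-blacklist.sh /var/log/alert
# Re-adding an address already in the table is harmless; pfctl just
# reports that 0 addresses were added.
if [ $# -eq 1 ]; then
    scan_sources < "$1" | blacklist
fi
```

Two caveats a practitioner would want before putting this in cron. First, a SYN scan can be sent with a spoofed source address, so anything that automatically blocks whatever scanlogd reports lets a remote party get arbitrary addresses into `<black>`; keep entries short-lived (`pfctl -t black -T expire <seconds>` from the same cron job) or review them before loading. Second, `block quick from <black>` on its own blocks the scanning host everywhere, including from any service you actually want it to reach; Gregory's `max-src-conn-rate ... overload <badhosts>` rule has the advantage of being scoped to the port it protects.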

