pfcoll - pf log collector
My firewall doesn't have the horsepower for Snort. And I don't really
care about the vast majority of traffic I block (although I do summarize
my pflog daily). But I do want quick notification of certain traffic:
especially suspicious outbound traffic. So this is my solution for
myself: listen to what pf logs, and mail me a note when it logs
- pfcoll is an OpenBSD program that listens on pflog0 and collects events,
  which it then logs via syslog and, optionally, reports by email.
- It rate-limits: events are accumulated so that it logs at most once
  every 10 seconds and sends mail at most once a minute (these timings
  are experimental and subject to change).
- It uses tcpdump to actually collect the data from pflog0, and any
  tcpdump filter expression given on the pfcoll command line is passed
  through to tcpdump.
- It can optionally run tcpdump on another interface instead, or read
  lines of input from standard input.
- Bugs: none found yet.
- Algorithms still have a number of tweaks that could be made to them.
- Logging levels etc. need to be a bit more sophisticated.
Run as a daemon; send mail to root for events:
pfcoll -m root
Run as a daemon; send mail to root for outbound packets that are
pfcoll -m root outbound and action block
Run as a daemon; listen to the fxp0 interface for traffic on port 443, and send mail to root about it:
pfcoll -i fxp0 -m root port 443
Run in the foreground, verbose logging to stderr, report events that
match pf rule number 5 on the interface ep1:
pfcoll -D rulenum 5 and on ep1
Run pfcoll as user _pfcoll:
pfcoll -u _pfcoll -m root outbound and action block
Run pfcoll as a general log reporter:
tail -f /var/log/authlog | grep 'sshd.*Failed' | pfcoll -s -m root &
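The accumulate-then-report behaviour described in the feature list (a log
entry at most every 10 seconds, mail at most once a minute), applied to
lines read from standard input the way the general log reporter above feeds
them. This is an added example, not pfcoll's own source: the program name
./accum, the struct and function names, the interval constants and the
printf() stand-ins for syslog(3) and mail(1) are assumptions made for the
illustration. Events that arrive inside a window are counted and folded
into the next report rather than dropped, and the flush is separated from
the per-line handler so a timer can fire it when input goes quiet.

```c
/*
 * Added example, not pfcoll's own code: a minimal line-oriented event
 * accumulator with pfcoll-style rate limits. Wire it up the way pfcoll
 * is wired, e.g.
 *
 *   tcpdump -l -n -e -ttt -i pflog0 'outbound and action block' | ./accum
 *
 * The program name ./accum, the names below and the printf() stand-ins
 * for syslog(3) and mail(1) are assumptions made for this illustration.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define LOG_INTERVAL  10      /* seconds between log reports  */
#define MAIL_INTERVAL 60      /* seconds between mail reports */
#define MAXLINE       512

struct coll {
	time_t   last_log;        /* time of last log report, 0 = never  */
	time_t   last_mail;       /* time of last mail report, 0 = never */
	unsigned log_pending;     /* events not yet reported in the log  */
	unsigned mail_pending;    /* events not yet reported by mail     */
	char     sample[MAXLINE]; /* first unreported line, for context  */
};

/* Bitmask returned by the functions below: which reports were emitted. */
enum { DID_NOTHING = 0, DID_LOG = 1, DID_MAIL = 2 };

/*
 * Emit whatever is due at time `now`. Safe to call from a timer as well as
 * after each event, so a batch cannot sit unreported once its window ends.
 */
int
flush_due(struct coll *c, time_t now)
{
	int did = DID_NOTHING;

	if (c->log_pending &&
	    (c->last_log == 0 || now - c->last_log >= LOG_INTERVAL)) {
		/* stand-in for syslog(LOG_NOTICE, ...) */
		printf("log: %u event(s), first: %s\n",
		    c->log_pending, c->sample);
		c->last_log = now;
		c->log_pending = 0;
		did |= DID_LOG;
	}
	if (c->mail_pending &&
	    (c->last_mail == 0 || now - c->last_mail >= MAIL_INTERVAL)) {
		/* stand-in for piping a summary to mail(1) */
		printf("mail: %u event(s) since last mail\n", c->mail_pending);
		c->last_mail = now;
		c->mail_pending = 0;
		did |= DID_MAIL;
	}
	return did;
}

/* Account one event line seen at time `now`; returns what flush_due did. */
int
handle_line(struct coll *c, const char *line, time_t now)
{
	if (c->log_pending == 0)	/* keep the first line of a batch */
		snprintf(c->sample, sizeof c->sample, "%s", line);
	c->log_pending++;
	c->mail_pending++;
	return flush_due(c, now);
}

int
main(void)
{
	struct coll c;
	char line[MAXLINE];

	memset(&c, 0, sizeof c);
	/*
	 * A real daemon would wait with select(2)/poll(2) and a timeout so
	 * that flush_due() also runs when no new line arrives; a blocking
	 * fgets() loop is enough to show the batching.
	 */
	while (fgets(line, sizeof line, stdin) != NULL) {
		line[strcspn(line, "\n")] = '\0';
		handle_line(&c, line, time(NULL));
	}
	/* Input closed: reset the windows so anything pending goes out now. */
	c.last_log = c.last_mail = 0;
	flush_due(&c, time(NULL));
	return 0;
}
```

One practical caveat for pipelines like the authlog one above: grep
block-buffers its output when writing to a pipe, so events can reach the
collector late unless grep is told to line-buffer (--line-buffered), just
as tcpdump needs -l for the same reason.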