Protocol filter capabilities

Travis H. solinym at gmail.com
Thu Dec 1 09:19:07 GMT 2005


Specifically, here are my goals for the listener:

GOALS:
python-based sniffer that runs on OpenBSD
should be able to sniff pflog device or any other interface
should detect port knocking a la fwknop
should detect port scanning a la psad
should duplicate functionality of arpwatch
should detect use of protocols that require port forwarding
should detect p2p protocols like edonkey or beep and block them
NOTE: all can be done by monitoring the WAN interface alone
should interface to dfd_keeper to trigger rule changes
ideally any module we use should exploit full features of libpcap
ideally any module we use should be OO
ideally any module we use should be written at as high a level as possible
ideally any module we use should be thread-safe
should use publisher-subscriber design pattern for efficiency
each consumer (psad, fwknop, port fwd) should specify BPF filter ORed together
each consumer is en/disabled via command line options

And I've already done the analysis of python pcap interfaces and I'll
be using pcapy/impacket, perhaps with some minor modifications which
will be sent back to the authors.  I evaluated pycap, pylibcap, and
pynetlibs and found them to be inferior to pcapy/impacket.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
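The publisher-subscriber layout sketched in the goals above (one capture handle, each consumer contributing a BPF expression, the expressions ORed into a single kernel filter) has one consequence worth seeing in code: once the filters are ORed, the capture delivers the union, so the publisher still has to decide in userland which consumer wanted each frame. The following is an added example, not code from Travis's listener or from pcapy/impacket. It parses constructed Ethernet/IPv4/TCP and ARP frames with `struct` instead of opening a live interface, so it runs offline; the consumer names `psad` and `arpwatch` and their filter expressions are assumptions chosen to match the goals list, and `run_demo` is a hypothetical driver standing in for the command-line enable/disable step.

```python
"""Added example: pub-sub packet dispatcher with ORed BPF filters.

Each consumer registers a BPF expression (for the single pcap handle) plus a
Python predicate (for userland demultiplexing). Not the original listener's code.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_frame(frame):
    """Decode Ethernet, then IPv4 and TCP/UDP ports/flags if present; None if truncated."""
    if len(frame) < ETH_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    pkt = {"ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return pkt                          # e.g. ARP: nothing more to decode here
    ip = frame[ETH_HDR.size:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes
    pkt["proto"] = ip[9]
    pkt["src"] = ".".join(str(b) for b in ip[12:16])
    pkt["dst"] = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if pkt["proto"] in (6, 17) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
    if pkt["proto"] == 6 and len(l4) >= 14:
        pkt["flags"] = l4[13]               # TCP flags byte
    return pkt


class Consumer:
    """A subscriber: BPF text for the kernel filter, predicate for userland demux."""
    def __init__(self, name, bpf, predicate, enabled=True):
        self.name, self.bpf, self.predicate, self.enabled = name, bpf, predicate, enabled
        self.seen = []

    def handle(self, pkt):
        self.seen.append(pkt)


class Dispatcher:
    """Publisher: ORs every enabled consumer's BPF, then fans frames out by predicate."""
    def __init__(self):
        self.consumers = []

    def subscribe(self, consumer):
        self.consumers.append(consumer)

    def combined_filter(self):
        return " or ".join("(%s)" % c.bpf for c in self.consumers if c.enabled)

    def dispatch(self, frame):
        """Return the names of consumers that received this frame."""
        pkt = parse_frame(frame)
        if pkt is None:
            return []
        delivered = []
        for c in self.consumers:
            if c.enabled and c.predicate(pkt):
                c.handle(pkt)
                delivered.append(c.name)
        return delivered


# --- constructed sample frames (not captured traffic) ---
def make_tcp_frame(src, dst, sport, dport, flags):
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip_src, ip_dst)
    return ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, ETHERTYPE_IPV4) + ip + tcp


def make_arp_frame():
    return ETH_HDR.pack(b"\xff" * 6, b"\x00" * 6, ETHERTYPE_ARP) + b"\x00" * 28


def run_demo(enabled=("psad", "arpwatch")):
    """Hypothetical driver: `enabled` plays the role of the command-line switches."""
    d = Dispatcher()
    d.subscribe(Consumer("psad", "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn",
                         lambda p: p.get("proto") == 6
                         and p.get("flags", 0) & (TCP_SYN | TCP_ACK) == TCP_SYN,
                         enabled="psad" in enabled))
    d.subscribe(Consumer("arpwatch", "arp",
                         lambda p: p["ethertype"] == ETHERTYPE_ARP,
                         enabled="arpwatch" in enabled))
    frames = [
        make_tcp_frame("203.0.113.5", "192.0.2.10", 40000, 22, TCP_SYN),
        make_tcp_frame("203.0.113.5", "192.0.2.10", 40000, 22, TCP_SYN | TCP_ACK),
        make_arp_frame(),
    ]
    return {"filter": d.combined_filter(), "delivered": [d.dispatch(f) for f in frames]}


if __name__ == "__main__":
    print(run_demo())
```

In a live deployment the string from `combined_filter()` is what would be handed to the pcap handle (with pcapy, `open_live()` followed by `setfilter()`), and `dispatch()` would be the per-packet callback. Disabling a consumer both drops its expression from the kernel filter and stops delivery to it, which is the behaviour the "en/disabled via command line options" goal implies; a disabled consumer's traffic is then not copied to userland at all.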


More information about the freebsd-pf mailing list