Rule last match timestamp

Kristof Provost kristof at sigsegv.be
Fri Dec 27 21:07:42 UTC 2019


On 27 Dec 2019, at 21:49, Franco Fichtner wrote:
> Hi,
>
>> On 27. Dec 2019, at 6:45 PM, Kristof Provost <kristof at sigsegv.be> wrote:
>>
>> What are you trying to accomplish?
>
> Some people believe that "last match" is a great metric to audit rules for
> intrusion detection and all sorts of ruleset optimisation and refinement.
>
> In OPNsense the question has popped up a few times to support it, but without
> doing it in pf(4) directly it makes little sense, as you'd have to crawl pflog
> output, and even then you can't crawl non-log rules this way...
>
Would SDT probe points be useful for this?

I have a background todo item to add those where they’d be meaningful.
They have the advantage of not really having a cost when they’re not 
active, of being really easy to add, and of not imposing ABI changes.

Best regards,
Kristof

