Subject: Re: Which (free) software to do application-level firewalling
To: Joel CARNAT <joel@carnat.net>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-users
Date: 03/04/2006 07:51:05

Another idea is to use snort (or other sniffer) to do the "protocol
analysis" and "content searching/matching" and combine that with a packet
filter.

I see that snort2c, snort2pf, and SnortSam can be used with Snort to block
IP addresses using PF. I am sure other solutions exist.

http://snort2c.sourceforge.net/
https://snort2pf.unixgu.ru/
http://www.snortsam.net/

Maybe someone would be interested in adding these to pkgsrc?

Jeremy C. Reed

p.s. I had these listed in an appendix of a book I am editing about PF. If
you use any of these (or others) in combination with PF, please tell me
about it.
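
The Snort-plus-PF combination described in the message above, as an added sketch that is not part of the original post and is not the code of snort2c, snort2pf or SnortSam. It assumes Snort writes alerts in its "fast" format, that pf.conf declares a persistent table (here the hypothetical name `snort_block`) with a `block in quick from <snort_block>` rule, and it keeps an allowlist because source addresses can be spoofed to get legitimate hosts blocked.

```python
import ipaddress
import re

# Constructed sample lines in Snort's "fast" alert format (documentation addresses only).
SAMPLE_ALERTS = """\
03/04-07:51:05.100000  [**] [1:1000001:1] Constructed test rule A [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40112 -> 192.0.2.10:80
03/04-07:51:06.200000  [**] [1:1000002:1] Constructed test rule B [**] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
03/04-07:51:07.300000  [**] [1:1000001:1] Constructed test rule A [**] [Priority: 1] {TCP} 203.0.113.7:40113 -> 192.0.2.10:80
03/04-07:51:08.400000  [**] [1:1000003:1] Constructed test rule C [**] [Priority: 1] {TCP} 192.0.2.1:51515 -> 192.0.2.10:22
03/04-07:51:09.500000  [**] [1:1000004:1] Constructed test rule D [**] [Priority: 2] {UDP} 198.51.100.23:53 -> 192.0.2.10:33000
garbage line that is not an alert
"""

# Priority, protocol and IPv4 source address; the port is absent for ICMP alerts.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>[0-9.]+)(?::\d+)? -> ")


def sources_to_block(alert_text, allowlist, max_priority=2):
    """Return unique source IPs, in first-seen order, from alerts whose priority
    number is <= max_priority (1 is most severe), skipping allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    seen, out = set(), []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["prio"]) > max_priority:
            continue
        try:
            ip = ipaddress.ip_address(m["src"])  # rejects malformed addresses
        except ValueError:
            continue
        if ip in seen or any(ip in n for n in nets):
            continue
        seen.add(ip)
        out.append(str(ip))
    return out


def pfctl_commands(addresses, table="snort_block"):
    """Build argv lists for 'pfctl -t <table> -T add <addr>'; nothing is executed here."""
    return [["pfctl", "-t", table, "-T", "add", a] for a in addresses]


if __name__ == "__main__":
    # Print the commands for review instead of running them.
    for cmd in pfctl_commands(sources_to_block(SAMPLE_ALERTS, ["192.0.2.0/24"])):
        print(" ".join(cmd))
```

Entries can later be expired from the table with `pfctl -t snort_block -T expire <seconds>` where the installed PF version supports it.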