<div dir="ltr">This the results of my experience :<br>(Strange !!!)<br><span style="color: rgb(255, 102, 102);">*****************************************************************************************</span><br style="color: rgb(51, 51, 153);">
<span style="color: rgb(51, 51, 153);">nmap -sS 192.168.44.135 without runingsuricata</span><br style="color: rgb(51, 51, 153);"><br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">Starting Nmap 5.21 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2010-06-11 16:33 Afr. centrale Ouest</span><br style="color: rgb(51, 51, 153);">
<span style="color: rgb(51, 51, 153);">Nmap scan report for 192.168.44.135</span><br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">Host is up (0.00s latency).</span><br style="color: rgb(51, 51, 153);">
<span style="color: rgb(51, 51, 153);">All 1000 scanned ports on 192.168.44.135 are filtered</span><br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">MAC Address: 00:0C:29:07:11:87 (VMware)</span><br style="color: rgb(51, 51, 153);">
<br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds</span><br><span style="color: rgb(255, 102, 102);">*****************************************************************************************</span><br>
<span style="color: rgb(0, 0, 153);">nmap -sS 192.168.44.135 with suricata but without Drop rules</span><br style="color: rgb(0, 0, 153);"><span style="color: rgb(0, 0, 153);">Starting Nmap 5.21 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2010-06-11 16:40 Afr. centrale Ouest</span><br style="color: rgb(0, 0, 153);">
<span style="color: rgb(0, 0, 153);">Nmap scan report for 192.168.44.135</span><br style="color: rgb(0, 0, 153);"><span style="color: rgb(0, 0, 153);">Host is up (0.0013s latency).</span><br style="color: rgb(0, 0, 153);">
<span style="color: rgb(0, 0, 153);">All 1000 scanned ports on 192.168.44.135 are closed</span><br style="color: rgb(0, 0, 153);"><span style="color: rgb(0, 0, 153);">MAC Address: 00:0C:29:07:11:87 (VMware)</span><br style="color: rgb(0, 0, 153);">
<br style="color: rgb(0, 0, 153);"><span style="color: rgb(0, 0, 153);">Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds</span><br style="color: rgb(0, 0, 153);"><br style="color: rgb(0, 0, 153);"><span style="color: rgb(0, 0, 153);">[3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts <b><span style="color: rgb(0, 0, 102);">accepted 2004</span></b>, dropped <b>0</b></span><br>
<br><span style="color: rgb(255, 102, 102);">*****************************************************************************************</span><br><span style="color: rgb(51, 51, 153);">nmap -sS 192.168.44.135 with suricata and replacing alert by <b>Drop</b></span> <br style="color: rgb(51, 51, 153);">
<span style="color: rgb(51, 51, 153);">Starting Nmap 5.21 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2010-06-11 16:45 Afr. centrale Ouest</span><br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">Nmap scan report for 192.168.44.135</span><br style="color: rgb(51, 51, 153);">
<span style="color: rgb(51, 51, 153);">Host is up (0.00s latency).</span><br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">All 1000 scanned ports on 192.168.44.135 are filtered</span><br style="color: rgb(51, 51, 153);">
<span style="color: rgb(51, 51, 153);">MAC Address: 00:0C:29:07:11:87 (VMware)</span><br style="color: rgb(51, 51, 153);"><br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds</span><br style="color: rgb(51, 51, 153);">
<br style="color: rgb(51, 51, 153);"><span style="color: rgb(51, 51, 153);">[3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, <font size="2"><b><span style="color: rgb(0, 0, 102);">dropped 2000</span></b></font></span><br>
<span style="color: rgb(255, 102, 102);">*****************************************************************************************</span><br><br>What can we conclude ?? ==> [ we can't drop the Nmap scans !!! ?? ]<br>
<br><br><br><br><div class="gmail_quote">2010/6/11 Anas.B <span dir="ltr"><<a href="mailto:a.bouhsaina@gmail.com">a.bouhsaina@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div dir="ltr">Je n'ai pas <b>2010051</b> voici la régle que j'ai :<br><br>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99" target="_blank">www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99</a>; reference:url,<a href="http://doc.emergingthreats.net/2010501" target="_blank">doc.emergingthreats.net/2010501</a>; reference:url,<a href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL" target="_blank">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL</a>; sid:<b>2010501</b>; rev:2;)<br>
<br>je n'ai pas compris l'offload de cksum (cela veut dire , la vérification de CRC d'arrivé avec le CRC du départ ??)<br>et aussi le renvoi de data compressé !<br><br>Snort et meilleur que Suricata ?<div><div>
</div><div class="h5"><br><br>
<br><div class="gmail_quote">2010/6/11 rmkml <span dir="ltr"><<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
cherche dans les fichiers emerging que tu as si tu as déjà le sid 2010051?<br>
visiblement elle est dans un fichier qui contient le mot malware...<br>
suricata ne vérifie pas le contenu des packets ayant un mauvais cksum par défaut, donc si tu as une carte réseau qui fait de l'offload de cksum, alors tu vas avoir bcp de bad cksum... tu peux le vérifier avec tcpdump...<br>
concernant le cache des navigateurs web, si tu vas sur l'url <a href="http://www.google.com/install/ws.exe" target="_blank">http://www.google.com/install/ws.exe</a> avec firefox ou ie, tu auras une alerte avec suricata, mais si tu fais refresh de ton navigateur, en fait le navigateur ne va pas essayer de nouveau l'url, puis il a certainement dans son cache... c'est pour cela que j'utilise wget ou curl ou fetch<br>
Plus tard il faut aussi faire attention au renvoi de data compresser des serveurs web...<div><div></div><div><br>
a+<br>
Rmkml<br>
<br>
<br>
<br>
On Fri, 11 Jun 2010, Anas.B wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Je dois la créer,<br>
oubien elle existe déja, ?<br>
<br>
si oui dans quel fichier,<br>
si nn comment ?<br>
<br>
en fait j'ai pas compris :<br>
- attention au cksum...<br>
et - attention au cache des navigatuers web...<br>
<br>
désolé, et merci bcp.<br>
<br>
<br>
2010/6/11 rmkml <<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>><br>
heu bonne question,<br>
exemple peut être avec le sid 2010051,<br>
generer une alerte avec le client wget unix: (ou fetch ou curl)<br>
wget <a href="http://www.google.com/install/ws.exe" target="_blank">http://www.google.com/install/ws.exe</a><br>
avoir une alerte:<br>
06/11-16:32:23.306483 [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe [**] [Classification: A Network Trojan<br>
was detected] [Priority: 1] {TCP} <a href="http://10.50.1.40:34322" target="_blank">10.50.1.40:34322</a> -> a.b.c.d:80<br>
puis la passer en drop tjrs vérifier si tu as des drop de packets ou pas...<br>
attention au cksum...<br>
<br>
a+<br>
Rmkml<br>
<br>
<br>
On Fri, 11 Jun 2010, Anas.B wrote:<br>
<br>
Bjr,<br>
oui je crois que t'a raison,<br>
quel genre de règle facile que je px bloquer ?<br>
<br>
Merciiiiii<br>
<br>
2010/6/11 rmkml <<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>><br>
Bonjour Anas,<br>
suite à l'email de Victor, et je crois que les scan nmap sont particulier, c-a-d que les scans ouvrent de multiples sessions, ce qui n'est<br>
pas un cas<br>
facile pour commencer...<br>
Essaye plus tot une attaque sur une regle, puis tu l'as bloque... attention au cache des navigatuers web...<br>
a+<br>
Rmkml<br>
<br>
<br>
<br>
On Fri, 11 Jun 2010, Anas.B wrote:<br>
<br>
<br>
Hello,<br>
<br>
I've replaced "alert" by"drop" where we have "Nmap" rules in emerging-scan.rules file ,<br>
<br>
but I've the same result in Nmap:<br>
<br>
Starting Nmap 5.21 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2010-06-11 14:49 Afr. centrale Ouest<br>
Nmap scan report for 192.168.44.135<br>
Host is up (0.00s latency).<br>
All 1000 scanned ports on 192.168.44.135 are filtered<br>
MAC Address: 00:0C:29:07:11:87 (VMware)<br>
as before !!!<br>
<br>
why the packets aren't dropped ?<br>
<br>
These are the commands applied :<br>
suricata -c /etc/suricata/suricata.yaml -q 0<br>
<br>
and this is the iptables :<br>
<br>
NFQUEUE all -- anywhere anywhere NFQUEUE num 0<br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination <br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination <br>
NFQUEUE all -- anywhere anywhere NFQUEUE num 0<br>
<br>
<br>
Kindest regards :)<br>
<br>
Anas<br>
<br>
Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds<br>
<br>
<br>
2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
All rules might be a bit much, but in essence, yes. But be careful that<br>
some rules might false positive.<br>
<br>
Cheers,<br>
Victor<br>
<br>
Anas.B wrote:<br>
> I've just coppied the emerging rules ,<br>
><br>
> should i copy snort rules also ?<br>
> should i convert all the rules from alert to Drop ?<br>
><br>
><br>
> Thxxx<br>
><br>
><br>
> 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>><br>
><br>
> Making progress :)<br>
><br>
> Do you have drop rules? Normally a rule is "alert ip any any -> any any<br>
> ... " etc. but you need "drop ip any any -> any ...." Did you convert<br>
> your rules?<br>
><br>
> The TmqDebugList statements are debug stuff, you can ignore that.<br>
><br>
> Cheers,<br>
> Victor<br>
><br>
> Anas.B wrote:<br>
> > Thank you so much, for ur help :)<br>
> ><br>
> > this time I've these lines :<br>
> ><br>
> > 'pickup-queue', len 0<br>
> > TmqDebugList: id 1, name 'decode-queue1', len 0<br>
> > TmqDebugList: id 2, name 'stream-queue1', len 49<br>
> > TmqDebugList: id 3, name 'verdict-queue', len 0<br>
> > TmqDebugList: id 4, name 'respond-queue', len 1<br>
> > TmqDebugList: id 5, name 'alert-queue1', len 0<br>
> ><br>
> > after an Nmap scan<br>
> ><br>
> ><br>
> > after CTRL+C<br>
> ><br>
> > I've this :<br>
> ><br>
> > 4:33 - (suricata.c:1033) <Info> (main) -- signal received<br>
> > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time<br>
> > elapsed 176s<br>
> > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info><br>
> > (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012,<br>
> > Errors 0<br>
> > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info><br>
> > (StreamTcpExitPrintStats) -- (Stream1) Packets 6014<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4<br>
> (0.1).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info><br>
> > (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed<br>
> inspection,<br>
> > total mpm searches 2, less than 25 sigs need inspect 2, more than 100<br>
> > sigs need inspect 0, more than 1000 0 max 5<br>
> > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info><br>
> > (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info><br>
> > (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info><br>
> > (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote<br>
> 3792 alerts<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info><br>
> > (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote<br>
> > 3792 alerts<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info><br>
> > (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts<br>
> > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info><br>
> > (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info><br>
> > (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792<br>
> > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info><br>
> (FlowManagerThread) --<br>
> > 6 new flows, 1000 established flows were timed out, 0 flows in<br>
> closed state<br>
> > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo)<br>
> > -- flowbits added: 0, removed: 0, max memory usage: 0<br>
> > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info><br>
> > (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in<br>
> use 0)<br>
> > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info><br>
> > (SigAddressCleanupStage1) -- cleaning up signature grouping<br>
> structure...<br>
> > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info><br>
> > (SigAddressCleanupStage1) -- cleaning up signature grouping<br>
> structure...<br>
> > done<br>
> ><br>
> ><br>
> > is this normal ?<br>
> > (just alerts no Dropped !!!!)<br>
> ><br>
> > I've done the Nmap scan from Windows<br>
> ><br>
> ><br>
> > Sorry for the inconvenience<br>
> > Cheers<br>
> ><br>
> ><br>
> ><br>
> > 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>>><br>
> ><br>
> > In the config below you only send outgoing HTTP traffic to<br>
> Suricata. To<br>
> > inspect all do:<br>
> ><br>
> > iptables -A INPUT -j NFQUEUE<br>
> > iptables -A OUTPUT -j NFQUEUE<br>
> ><br>
> > Cheers,<br>
> > Victor<br>
> ><br>
> > Anas.B wrote:<br>
> > > I didn't configure Iptables,<br>
> > ><br>
> > > now i have the two lines<br>
> > ><br>
> > > Chain INPUT (policy ACCEPT)<br>
> > > target prot opt source destination<br>
> > > NFQUEUE tcp -- anywhere anywhere tcp<br>
> > spt:www<br>
> > > NFQUEUE num 0<br>
> > ><br>
> > > Chain FORWARD (policy ACCEPT)<br>
> > > target prot opt source destination<br>
> > ><br>
> > > Chain OUTPUT (policy ACCEPT)<br>
> > > target prot opt source destination<br>
> > > NFQUEUE tcp -- anywhere anywhere tcp<br>
> > dpt:www<br>
> > > NFQUEUE num 0<br>
> > ><br>
> > > But still no alerts/Drop/reject nmap scan<br>
> > ><br>
> > > Best Regards<br>
> > ><br>
> > > 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> > <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> > <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>>>><br>
> > ><br>
> > > In that case you'd need:<br>
> > ><br>
> > > iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE<br>
> > > iptables -A INPUT -p tcp --sport 80 -j NFQUEUE<br>
> > ><br>
> > > This would send outgoing http traffic (the vm browsing<br>
> the web) to<br>
> > > Suricata.<br>
> > ><br>
> > > Cheers,<br>
> > > Victor<br>
> > ><br>
> > > Anas.B wrote:<br>
> > > > No, I'm just trying this in local Virtual Machine Ubuntu).<br>
> > > ><br>
> > > > since there is no much Doc, i'm a little lost.<br>
> > > ><br>
> > > > thaks a lot<br>
> > > ><br>
> > > ><br>
> > > > 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> > <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>><br>
> > > <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>>><br>
> > <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>><br>
> > > <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a> <mailto:<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>>>>>><br>
> > > ><br>
> > > > Did you add the appropriate iptables rules?<br>
> > > ><br>
> > > > For example for getting port 80 to suricata:<br>
> > > ><br>
> > > > iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE<br>
> > > ><br>
> > > > Cheers,<br>
> > > > Victor<br>
> > > ><br>
> > > > Anas.B wrote:<br>
> > > > ><br>
> > > > > Hello,<br>
> > > > ><br>
> > > > > I've just tested a nmap,<br>
> > > > ><br>
> > > > > I noticed more unified files<br>
> > > > > and alerts in the file fast.log<br>
> > > > > new values in alert-debug.log and stats.log<br>
> > > > ><br>
> > > > > that means it works !!<br>
> > > > ><br>
> > > > > But with the command ==> *# suricata -c<br>
> > > > /etc/suricata/suricata.yaml -q 0<br>
> > > > ><br>
> > > > > *I have no logs,<br>
> > > > > any suggestions<br>
> > > > ><br>
> > > > > thanks :)<br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
> ------------------------------------------------------------------------<br>
> > > > ><br>
> > > > > _______________________________________________<br>
> > > > > Oisf-users mailing list<br>
> > > > > <a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>><br>
> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>>><br>
> > > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>><br>
> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>>>><br>
> > > > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>><br>
> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>>><br>
> > > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>><br>
> > <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a>>>>><br>
> > > > ><br>
> > ><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > > ><br>
> > > ><br>
> > > > --<br>
> > > > ---------------------------------------------<br>
> > > > Victor Julien<br>
> > > > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> > > > PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > > > ---------------------------------------------<br>
> > > ><br>
> > > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > ---------------------------------------------<br>
> > > Victor Julien<br>
> > > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> > > PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > > ---------------------------------------------<br>
> > ><br>
> > ><br>
> ><br>
> ><br>
> > --<br>
> > ---------------------------------------------<br>
> > Victor Julien<br>
> > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> > PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > ---------------------------------------------<br>
> ><br>
> ><br>
><br>
><br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
><br>
><br>
<br>
<br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div>