<div dir="ltr">Good morning,<br><br>I've tried this rule in a new file "facebook.rules"<br>drop any any -> any any (msg:"drop google"; content:"google";sid:1;)<br><br>The alert is logged, but no drops!<br>
<br><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div dir="ltr"><div><div class="h5"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div><div>
<br>
On Fri, 11 Jun 2010, Anas.B wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
These are the results of my experiment:<br>
(Strange !!!)<br>
*****************************************************************************************<br>
nmap -sS 192.168.44.135 without running suricata<br>
<br>
Starting Nmap 5.21 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2010-06-11 16:33 Afr. centrale Ouest<br>
Nmap scan report for 192.168.44.135<br>
Host is up (0.00s latency).<br>
All 1000 scanned ports on 192.168.44.135 are filtered<br>
MAC Address: 00:0C:29:07:11:87 (VMware)<br>
<br>
Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds<br>
*****************************************************************************************<br>
nmap -sS 192.168.44.135 with suricata but without Drop rules<br>
Starting Nmap 5.21 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2010-06-11 16:40 Afr. centrale Ouest<br>
Nmap scan report for 192.168.44.135<br>
Host is up (0.0013s latency).<br>
All 1000 scanned ports on 192.168.44.135 are closed<br>
MAC Address: 00:0C:29:07:11:87 (VMware)<br>
<br>
Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds<br>
<br>
[3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0<br>
<br>
*****************************************************************************************<br>
nmap -sS 192.168.44.135 with suricata and replacing alert by Drop<br>
Starting Nmap 5.21 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2010-06-11 16:45 Afr. centrale Ouest<br>
Nmap scan report for 192.168.44.135<br>
Host is up (0.00s latency).<br>
All 1000 scanned ports on 192.168.44.135 are filtered<br>
MAC Address: 00:0C:29:07:11:87 (VMware)<br>
<br>
Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds<br>
<br>
[3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000<br>
*****************************************************************************************<br>
<br>
What can we conclude ?? ==> [ we can't drop the Nmap scans !!! ?? ]<br>
<br>
<br>
<br>
<br>
2010/6/11 Anas.B <<a href="mailto:a.bouhsaina@gmail.com" target="_blank">a.bouhsaina@gmail.com</a>><br>
I don't have 2010051; here is the rule I have:<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware";<br>
flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui";<br>
flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity;<br>
reference:url,<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99" target="_blank">www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99</a>; reference:url,<a href="http://doc.emergingthreats.net/2010501" target="_blank">doc.emergingthreats.net/2010501</a>;<br>
reference:url,<a href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL" target="_blank">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL</a>; sid:2010501; rev:2;)<br>
<br>
I didn't understand the cksum offload (does that mean checking the CRC on arrival against the CRC at departure??)<br>
and also the sending back of compressed data!<br>
<br>
Is Snort better than Suricata?<br>
<br>
<br>
<br>
2010/6/11 rmkml <<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>><br>
search the emerging files you have to see whether you already have sid 2010051?<br>
apparently it is in a file whose name contains the word malware...<br>
by default suricata does not inspect the content of packets that have a bad cksum, so if you have a network card that does cksum<br>
offload, you are going to get a lot of bad cksums... you can check this with tcpdump...<br>
about the web browser cache: if you go to the URL <a href="http://www.google.com/install/ws.exe" target="_blank">http://www.google.com/install/ws.exe</a> with firefox or ie, you will get an alert from<br>
suricata, but if you refresh your browser, the browser will in fact not try the URL again, since it certainly has it in its<br>
cache... that is why I use wget or curl or fetch<br>
Later you will also need to watch out for web servers sending back compressed data...<br>
<br>
See you,<br>
Rmkml<br>
<br>
<br>
<br>
On Fri, 11 Jun 2010, Anas.B wrote:<br>
<br>
Do I have to create it,<br>
or does it already exist?<br>
<br>
if yes, in which file,<br>
if not, how?<br>
<br>
actually I didn't understand:<br>
- watch out for the cksum...<br>
and - watch out for the web browser cache...<br>
<br>
sorry, and thanks a lot.<br>
<br>
<br>
2010/6/11 rmkml <<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>><br>
uh, good question,<br>
an example, perhaps with sid 2010051,<br>
generate an alert with the unix wget client: (or fetch or curl)<br>
wget <a href="http://www.google.com/install/ws.exe" target="_blank">http://www.google.com/install/ws.exe</a><br>
get an alert:<br>
06/11-16:32:23.306483 [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe [**] [Classification: A<br>
Network Trojan<br>
was detected] [Priority: 1] {TCP} <a href="http://10.50.1.40:34322" target="_blank">10.50.1.40:34322</a> -> a.b.c.d:80<br>
then switch it to drop, and always check whether you get packet drops or not...<br>
watch out for the cksum...<br>
<br>
See you,<br>
Rmkml<br>
<br>
<br>
On Fri, 11 Jun 2010, Anas.B wrote:<br>
<br>
Hi,<br>
yes, I think you're right,<br>
what kind of easy rule can I block?<br>
<br>
Thanks!<br>
<br>
2010/6/11 rmkml <<a href="mailto:rmkml@free.fr" target="_blank">rmkml@free.fr</a>><br>
Hello Anas,<br>
following Victor's email, I think nmap scans are a special case, i.e. the scans open multiple sessions,<br>
which is not an easy case to start with...<br>
Instead, try an attack against one rule, then block it... watch out for the web browser cache...<br>
See you,<br>
Rmkml<br>
<br>
<br>
<br>
On Fri, 11 Jun 2010, Anas.B wrote:<br>
<br>
<br>
Hello,<br>
<br>
I've replaced "alert" by "drop" where we have "Nmap" rules in the emerging-scan.rules file,<br>
<br>
but I've the same result in Nmap:<br>
<br>
Starting Nmap 5.21 ( <a href="http://nmap.org" target="_blank">http://nmap.org</a> ) at 2010-06-11 14:49 Afr. centrale Ouest<br>
Nmap scan report for 192.168.44.135<br>
Host is up (0.00s latency).<br>
All 1000 scanned ports on 192.168.44.135 are filtered<br>
MAC Address: 00:0C:29:07:11:87 (VMware)<br>
as before !!!<br>
<br>
why the packets aren't dropped ?<br>
<br>
These are the commands applied :<br>
suricata -c /etc/suricata/suricata.yaml -q 0<br>
<br>
and this is the iptables :<br>
<br>
NFQUEUE all -- anywhere anywhere NFQUEUE num 0<br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination <br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination <br>
NFQUEUE all -- anywhere anywhere NFQUEUE num 0<br>
<br>
<br>
Kindest regards :)<br>
<br>
Anas<br>
<br>
Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds<br>
<br>
<br>
2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
All rules might be a bit much, but in essence, yes. But be careful that<br>
some rules might false positive.<br>
<br>
Cheers,<br>
Victor<br>
<br>
Anas.B wrote:<br>
> I've just copied the emerging rules,<br>
><br>
> should i copy snort rules also ?<br>
> should i convert all the rules from alert to Drop ?<br>
><br>
><br>
> Thxxx<br>
><br>
><br>
> 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
><br>
> Making progress :)<br>
><br>
> Do you have drop rules? Normally a rule is "alert ip any any -> any any<br>
> ... " etc. but you need "drop ip any any -> any ...." Did you convert<br>
> your rules?<br>
><br>
> The TmqDebugList statements are debug stuff, you can ignore that.<br>
><br>
> Cheers,<br>
> Victor<br>
><br>
> Anas.B wrote:<br>
> > Thank you so much, for ur help :)<br>
> ><br>
> > this time I've these lines :<br>
> ><br>
> > 'pickup-queue', len 0<br>
> > TmqDebugList: id 1, name 'decode-queue1', len 0<br>
> > TmqDebugList: id 2, name 'stream-queue1', len 49<br>
> > TmqDebugList: id 3, name 'verdict-queue', len 0<br>
> > TmqDebugList: id 4, name 'respond-queue', len 1<br>
> > TmqDebugList: id 5, name 'alert-queue1', len 0<br>
> ><br>
> > after an Nmap scan<br>
> ><br>
> ><br>
> > after CTRL+C<br>
> ><br>
> > I've this :<br>
> ><br>
> > 4:33 - (suricata.c:1033) <Info> (main) -- signal received<br>
> > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time<br>
> > elapsed 176s<br>
> > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info><br>
> > (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012,<br>
> > Errors 0<br>
> > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info><br>
> > (StreamTcpExitPrintStats) -- (Stream1) Packets 6014<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4<br>
> (0.1).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0<br>
> (0.0).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info><br>
> > (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched<br>
> 0 (-nan).<br>
> > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info><br>
> > (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed<br>
> inspection,<br>
> > total mpm searches 2, less than 25 sigs need inspect 2, more than 100<br>
> > sigs need inspect 0, more than 1000 0 max 5<br>
> > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info><br>
> > (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info><br>
> > (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info><br>
> > (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote<br>
> 3792 alerts<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info><br>
> > (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote<br>
> > 3792 alerts<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info><br>
> > (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts<br>
> > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info><br>
> > (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0<br>
> > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info><br>
> > (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792<br>
> > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info><br>
> (FlowManagerThread) --<br>
> > 6 new flows, 1000 established flows were timed out, 0 flows in<br>
> closed state<br>
> > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo)<br>
> > -- flowbits added: 0, removed: 0, max memory usage: 0<br>
> > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info><br>
> > (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in<br>
> use 0)<br>
> > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info><br>
> > (SigAddressCleanupStage1) -- cleaning up signature grouping<br>
> structure...<br>
> > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info><br>
> > (SigAddressCleanupStage1) -- cleaning up signature grouping<br>
> structure...<br>
> > done<br>
> ><br>
> ><br>
> > is this normal ?<br>
> > (just alerts no Dropped !!!!)<br>
> ><br>
> > I've done the Nmap scan from Windows<br>
> ><br>
> ><br>
> > Sorry for the inconvenience<br>
> > Cheers<br>
> ><br>
> ><br>
> ><br>
> > 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> ><br>
> > In the config below you only send outgoing HTTP traffic to<br>
> Suricata. To<br>
> > inspect all do:<br>
> ><br>
> > iptables -A INPUT -j NFQUEUE<br>
> > iptables -A OUTPUT -j NFQUEUE<br>
> ><br>
> > Cheers,<br>
> > Victor<br>
> ><br>
> > Anas.B wrote:<br>
> > > I didn't configure Iptables,<br>
> > ><br>
> > > now i have the two lines<br>
> > ><br>
> > > Chain INPUT (policy ACCEPT)<br>
> > > target prot opt source destination<br>
> > > NFQUEUE tcp -- anywhere anywhere tcp<br>
> > spt:www<br>
> > > NFQUEUE num 0<br>
> > ><br>
> > > Chain FORWARD (policy ACCEPT)<br>
> > > target prot opt source destination<br>
> > ><br>
> > > Chain OUTPUT (policy ACCEPT)<br>
> > > target prot opt source destination<br>
> > > NFQUEUE tcp -- anywhere anywhere tcp<br>
> > dpt:www<br>
> > > NFQUEUE num 0<br>
> > ><br>
> > > But still no alerts/Drop/reject nmap scan<br>
> > ><br>
> > > Best Regards<br>
> > ><br>
> > > 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> > ><br>
> > > In that case you'd need:<br>
> > ><br>
> > > iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE<br>
> > > iptables -A INPUT -p tcp --sport 80 -j NFQUEUE<br>
> > ><br>
> > > This would send outgoing http traffic (the vm browsing<br>
> the web) to<br>
> > > Suricata.<br>
> > ><br>
> > > Cheers,<br>
> > > Victor<br>
> > ><br>
> > > Anas.B wrote:<br>
> > > > No, I'm just trying this in local Virtual Machine Ubuntu).<br>
> > > ><br>
> > > > since there is no much Doc, i'm a little lost.<br>
> > > ><br>
> > > > > thanks a lot<br>
> > > ><br>
> > > ><br>
> > > > 2010/6/9 Victor Julien <<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>><br>
> > > ><br>
> > > > Did you add the appropriate iptables rules?<br>
> > > ><br>
> > > > For example for getting port 80 to suricata:<br>
> > > ><br>
> > > > iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE<br>
> > > ><br>
> > > > Cheers,<br>
> > > > Victor<br>
> > > ><br>
> > > > Anas.B wrote:<br>
> > > > ><br>
> > > > > Hello,<br>
> > > > ><br>
> > > > > I've just tested a nmap,<br>
> > > > ><br>
> > > > > I noticed more unified files<br>
> > > > > and alerts in the file fast.log<br>
> > > > > new values in alert-debug.log and stats.log<br>
> > > > ><br>
> > > > > that means it works !!<br>
> > > > ><br>
> > > > > But with the command ==> *# suricata -c<br>
> > > > /etc/suricata/suricata.yaml -q 0<br>
> > > > ><br>
> > > > > *I have no logs,<br>
> > > > > any suggestions<br>
> > > > ><br>
> > > > > thanks :)<br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
> ------------------------------------------------------------------------<br>
> > > > ><br>
> > > > > _______________________________________________<br>
> > > > > Oisf-users mailing list<br>
> > > > > <a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>
> > > > ><br>
> > ><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > > ><br>
> > > ><br>
> > > > --<br>
> > > > ---------------------------------------------<br>
> > > > Victor Julien<br>
> > > > <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> > > > PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> > > > ---------------------------------------------<br>
</blockquote>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div>
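The `Pkts accepted N, dropped M` counters quoted in the thread are the quickest check of whether an NFQ run actually issued drop verdicts. As an added example (not part of the original messages and not Suricata project code), this script parses exit-statistics lines in the format shown above and labels each run; the label names and the `parse_exit_stats`, `classify_run` and `report` helpers are hypothetical.

```python
import re

# Exit-statistics lines as quoted in the thread (mail line-wraps re-joined).
RUNS = {
    "2010-06-09 alert rules": [
        "[8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0",
        "[8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792",
    ],
    "2010-06-11 no drop rules": [
        "[3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0",
    ],
    "2010-06-11 alert replaced by drop": [
        "[3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000",
    ],
    # Constructed case: a log that contains no NFQ verdict line at all.
    "constructed: no verdict line": [
        "[8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s",
    ],
}

VERDICT_RE = re.compile(r"\(VerdictNFQThreadExitStats\).*Pkts accepted (\d+), dropped (\d+)")
ALERTS_RE = re.compile(r"\(AlertFastLogExitPrintStats\).*Alerts (\d+)")


def parse_exit_stats(lines):
    """Sum verdict counters over all verdict lines; alerts stays None if absent."""
    stats = {"verdict_seen": False, "accepted": 0, "dropped": 0, "alerts": None}
    for line in lines:
        m = VERDICT_RE.search(line)
        if m:
            stats["verdict_seen"] = True
            stats["accepted"] += int(m.group(1))
            stats["dropped"] += int(m.group(2))
            continue
        m = ALERTS_RE.search(line)
        if m:
            stats["alerts"] = (stats["alerts"] or 0) + int(m.group(1))
    return stats


def classify_run(stats):
    """Hypothetical labels for what the counters say about inline blocking."""
    if not stats["verdict_seen"]:
        return "no-nfq-verdicts"   # no verdict statistics in this log
    if stats["accepted"] + stats["dropped"] == 0:
        return "nothing-queued"    # no packet reached the NFQUEUE
    if stats["dropped"] == 0:
        # Signatures fired, yet every queued packet was accepted.
        return "alert-only" if stats["alerts"] else "no-drops"
    if stats["accepted"] == 0:
        return "all-dropped"       # every queued packet got a drop verdict
    return "partial-drops"


def report(runs):
    """Map each run name to its label."""
    return {name: classify_run(parse_exit_stats(lines)) for name, lines in runs.items()}


if __name__ == "__main__":
    for name, label in report(RUNS).items():
        print(f"{name}: {label}")
```
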