<br><br>
<div class="gmail_quote">On Wed, Feb 15, 2012 at 6:52 AM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com">anoopsaldanha@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote">
<div class="HOEnZb">
<div class="h5">On Wed, Feb 15, 2012 at 11:04 AM, Nikolay Denev <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>> wrote:<br>><br>> On Feb 15, 2012, at 6:51 AM, Anoop Saldanha wrote:<br>><br>>> On Tue, Feb 14, 2012 at 2:59 PM, Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>> wrote:<br>
>>><br>>>><br>>>> On Tue, Feb 14, 2012 at 10:21 AM, Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>> wrote:<br>>>>><br>>>>> On 02/12/2012 08:15 AM, Nikolay Denev wrote:<br>
>>>>><br>>>>>> On Feb 11, 2012, at 10:11 PM, Peter Manev wrote:<br>>>>>><br>>>>>>><br>>>>>>><br>>>>>>> On Sat, Feb 11, 2012 at 8:27 PM, Nikolay Denev <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a><br>
>>>>>> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>>>>>>><br>>>>>>><br>>>>>>> On Feb 11, 2012, at 9:14 PM, Peter Manev wrote:<br>
>>>>>><br>>>>>>>><br>>>>>>>><br>>>>>>>> On Sat, Feb 11, 2012 at 7:42 PM, Nikolay Denev <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a><br>
>>>>>>> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>>>>>>>><br>>>>>>>><br>>>>>>>> On Feb 11, 2012, at 7:52 PM, Peter Manev wrote:<br>
>>>>>>><br>>>>>>>>><br>>>>>>>>><br>>>>>>>>> On Sat, Feb 11, 2012 at 4:31 PM, Nikolay Denev<br>>>>>>>>> <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>
>>>>>>>><br>>>>>>>>><br>>>>>>>>> On Feb 11, 2012, at 12:11 PM, Peter Manev wrote:<br>>>>>>>>><br>>>>>>>>>><br>
>>>>>>>>><br>>>>>>>>>> On Fri, Feb 10, 2012 at 6:43 AM, Nikolay Denev<br>>>>>>>>>> <<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a> <mailto:<a href="mailto:ndenev@gmail.com">ndenev@gmail.com</a>>> wrote:<br>
>>>>>>>>><br>>>>>>>>>><br>>>>>>>>>> On Feb 9, 2012, at 10:04 PM, Nikolay Denev wrote:<br>>>>>>>>>><br>
>>>>>>>>> > On Feb 9, 2012, at 10:03 PM, Nikolay Denev wrote:<br>>>>>>>>>> ><br>>>>>>>>>> >> Hi all,<br>
>>>>>>>>> >><br>>>>>>>>>> >> It's probably stupid question and I'm missing<br>>>>>>>>>> something but I don't seem to be able<br>
>>>>>>>>> >> to generate alert immediately when for example a<br>>>>>>>>>> given string is found inside a TCP stream.<br>>>>>>>>>> >> When the TCP connection closes, suricata<br>
>>>>>>>>> immediately prints the alert in fast.log.<br>>>>>>>>>> >> How can I make the alert be generated<br>>>>>>>>>> immediately when the rule condition is matched?<br>
>>>>>>>>> >><br>>>>>>>>>> >> Also I don't know if its because of this I don't<br>>>>>>>>>> seem to be able to trigger the rule to match<br>
>>>>>>>>> several times on the same stream,<br>>>>>>>>>> >> while I have the string that should fire the<br>>>>>>>>>> alert several times in the stream.<br>
>>>>>>>>> >><br>>>>>>>>>> >> Here's an example :<br>>>>>>>>>> >><br>>>>>>>>>> >> alert tcp $HOME_NET 6666 -> any any \<br>
>>>>>>>>> >> (msg:"got one"; content:"something";<br>>>>>>>>>> flowint:something,notset; flowint:something,=,1;<br>
>>>>>>>>> sid:10;)<br>>>>>>>>>> >><br>>>>>>>>>> >> alert tcp $HOME_NET 6666 -> any any \<br>
>>>>>>>>> >> (msg:"got five or more";<br>>>>>>>>>> content:"something"; flowint:something,isset;<br>>>>>>>>>> flowint:something,+,1; flowint:something,>,5;<br>
>>>>>>>>> sid:11;)<br>>>>>>>>>> >><br>>>>>>>>>> >> This never works, I just have the first rule<br>
>>>>>>>>> fire once when the TCP session is terminated.<br>>>>>>>>>> >><br>>>>>>>>>> >><br>
>>>>>>>>> >> P.S.: As a side note the wiki should be updated<br>>>>>>>>>> to include probably "sid"s for the rules, as<br>
>>>>>>>>> currently when I try to run the examples<br>>>>>>>>>> >> suricata complains about duplicated rules.<br>>>>>>>>>> >><br>
>>>>>>>>> >> Thanks,<br>>>>>>>>>> >><br>>>>>>>>>> ><br>>>>>>>>>> > I'm running 1.2.1 RELEASE on FreeBSD-9.0-STABLE.<br>
>>>>>>>>><br>>>>>>>>>> This seems to work :<br>>>>>>>>>><br>>>>>>>>>> alert tcp $HOME_NET 6666 -> any any \<br>
>>>>>>>>> (msg:"got one"; content:"something";<br>>>>>>>>>> flowint:something,notset; flowint:something,=,1;<br>
>>>>>>>>> noalert; sid:10; priority: 1;)<br>>>>>>>>>><br>>>>>>>>>> alert tcp $HOME_NET 6666 -> any any \<br>
>>>>>>>>> (msg:"got more"; content:"something";<br>>>>>>>>>> flowint:something,isset; flowint:something,+,1;<br>
>>>>>>>>> noalert; sid:11; priority: 2;)<br>>>>>>>>>><br>>>>>>>>>><br>>>>>>>>>> alert tcp $HOME_NET 6666 -> any any \<br>
>>>>>>>>> (msg:"got too many"; content:"something";<br>>>>>>>>>> flowint:something,isset; flowint:something,>,2;<br>
>>>>>>>>> sid:12; priority: 3;)<br>>>>>>>>>><br>>>>>>>>>><br>>>>>>>>>> _______________________________________________<br>
>>>>>>>>> Oisf-users mailing list<br>>>>>>>>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>>>>>>>>> <mailto:<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>><br>>>>>>>>>><br>>>>>>>>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>>>>>>>><br>>>>>>>>>><br>>>>>>>>>><br>>>>>>>>>> Hi Nikolay,<br>>>>>>>>>> I think this is the way it is supposed to work. (last<br>
>>>>>>>>> example, by you).<br>>>>>>>>>><br>>>>>>>>>> When you take out "noalert" form sid 11 - does it fire ?<br>
>>>>>>>>><br>>>>>>>>>> And are these the only rules that are loaded in terms<br>>>>>>>>>> of flowint or you have others before that?<br>
>>>>>>>>><br>>>>>>>>>> thanks<br>>>>>>>>>><br>>>>>>>>>><br>>>>>>>>>><br>>>>>>>>>> --<br>
>>>>>>>>> Peter Manev<br>>>>>>>>><br>>>>>>>>><br>>>>>>>>> Yes, It fires, the problem I have is that it doesn't<br>
>>>>>>>> fire for each occurence of "content".<br>>>>>>>>> Is alert supposed to fire once per packet if it matches,<br>>>>>>>>> or for each match in the stream?<br>
>>>>>>>><br>>>>>>>>> For example now I'm using these rules to catch if there<br>>>>>>>>> are more than some defined amount of email addresses in<br>
>>>>>>>> a given stream :<br>>>>>>>>><br>>>>>>>>><br>>>>>>>>> alert tcp $HOME_NET 80 -> any any \<br>
>>>>>>>> (msg:"got one email addr"; content:"|40|";<br>>>>>>>>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \<br>
>>>>>>>> flow:established,from_server;<br>>>>>>>>> flowint:something,notset; flowint:something,=,1; sid:10;<br>>>>>>>>> priority:3; noalert;)<br>
>>>>>>>><br>>>>>>>>> alert tcp $HOME_NET 80 -> any any \<br>>>>>>>>> (msg:"got more email addrs"; content:"|40|";<br>
>>>>>>>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \<br>>>>>>>>> flow:established,from_server;<br>>>>>>>>> flowint:something,isset; flowint:something,+,1; sid:11;<br>
>>>>>>>> priority:2; noalert;)<br>>>>>>>>><br>>>>>>>>> alert tcp $HOME_NET 80 -> any any \<br>>>>>>>>> (msg:"Got too many email addrs!";<br>
>>>>>>>> content:"|40|";<br>>>>>>>>> pcre:"/[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}/i"; \<br>>>>>>>>> flow:established,from_server;<br>
>>>>>>>> flowint:something,isset; flowint:something,>,10; sid:12;<br>>>>>>>>> priority:1; classtype:policy-violation;)<br>>>>>>>>><br>
>>>>>>>><br>>>>>>>>> This for example works, but would not match for a simple<br>>>>>>>>> plain text file with 10 email adresses, I need to have<br>
>>>>>>>> maybe 40-50 or more for this to match.<br>>>>>>>>> Maybe I'm missing something…<br>>>>>>>>><br>>>>>>>>> And yes, these are my only rules that I'm testing with.<br>
>>>>>>>> No other rules with or without flowint whatsoever.<br>>>>>>>>><br>>>>>>>>><br>>>>>>>>> Hi ,<br>>>>>>>>> Just so I understand you correctly - you have a text file<br>
>>>>>>>> (in the stream) and in that text file you have 10 e-mail<br>>>>>>>>> addresses and it wold not fire. correct ?<br>>>>>>>>><br>
>>>>>>>><br>>>>>>>>> thanks<br>>>>>>>>><br>>>>>>>>><br>>>>>>>>> --<br>>>>>>>>> Peter Manev<br>
>>>>>>><br>>>>>>>> Exactly.<br>>>>>>>><br>>>>>>>> For example if I try to fetch the file emails.txt via http<br>>>>>>>> which has the following content :<br>
>>>>>>><br>>>>>>>> # cat emails.txt<br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>><br>>>>>>>> $ curl <a href="http://testserver/emails.txt" target="_blank">http://testserver/emails.txt</a><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>>>>>>>> <a href="mailto:edin@email.com">edin@email.com</a> <mailto:<a href="mailto:edin@email.com">edin@email.com</a>><br>
>>>>>>> $<br>>>>>>>><br>>>>>>>> And I also remove the "noalert" option from the rules, this<br>>>>>>>> is what I get in fast.log :<br>
>>>>>>><br>>>>>>>> 02/11/2012-20:37:23.988271 [**] [1:10:0] got one email addr<br>>>>>>>> [**] [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80<br>
>>>>>>> -> Y.Y.Y.Y:57923<br>>>>>>>> 02/11/2012-20:37:23.988271 [**] [1:11:0] got more email<br>>>>>>>> addrs [**] [Classification: (null)] [Priority: 2] {TCP}<br>
>>>>>>> X.X.X.X:80 -> Y.Y.Y.Y:57923<br>>>>>>>><br>>>>>>>><br>>>>>>>> If I change the third rule to fire if the flowint var is more<br>
>>>>>>> than 1, it is being triggered.<br>>>>>>>><br>>>>>>>> If I insert some random data between the email addresses in<br>>>>>>>> the text file, then I get 4 maybe 5 matches. Doesn't it have<br>
>>>>>>> to match all 10 of them?<br>>>>>>>><br>>>>>>>><br>>>>>>>> 1. What happens if you take out the PCRE expressions from all<br>
>>>>>>> the rules ?<br>>>>>>>> 2. sid:12 - should not fire because you have >10 , and there are<br>>>>>>>> exactly 10 e-mails in the file<br>>>>>>>> 3. how big is the stream itself? i think it is below 2KB, correct?<br>
>>>>>>> 4. is the PCRE matching the e-mails, under the unix shell ?<br>>>>>>>> 5. yes i think you should get more sid:11 alerts - but first lets<br>>>>>>>> investigate the above 4.<br>
>>>>>>><br>>>>>>>> thanks<br>>>>>>>><br>>>>>>>> --<br>>>>>>>> Peter Manev<br>>>>>>><br>
>>>>>> The file with only the 10 emails is 160 bytes. Even without pcre I<br>>>>>>> get the same result :<br>>>>>>><br>>>>>>> alert tcp $HOME_NET 80 -> any any \<br>
>>>>>> (msg:"got one email addr"; content:"|40|"; \<br>>>>>>> flow:established,from_server; flowint:something,notset;<br>>>>>>> flowint:something,=,1; sid:10; priority:3;)<br>
>>>>>><br>>>>>>> alert tcp $HOME_NET 80 -> any any \<br>>>>>>> (msg:"got more email addrs"; content:"|40|"; \<br>>>>>>> flow:established,from_server; flowint:something,isset;<br>
>>>>>> flowint:something,+,1; sid:11; priority:2;)<br>>>>>>><br>>>>>>> alert tcp $HOME_NET 80 -> any any \<br>>>>>>> (msg:"Got too many email addrs!"; content:"|40|"; \<br>
>>>>>> flow:established,from_server; flowint:something,isset;<br>>>>>>> flowint:something,>,9; sid:12; priority:1;<br>>>>>>> classtype:policy-violation;)<br>
>>>>>><br>>>>>>><br>>>>>>> alerts I get :<br>>>>>>><br>>>>>>> 02/11/2012-21:23:14.567194 [**] [1:10:0] got one email addr [**]<br>
>>>>>> [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -><br>>>>>>> Y.Y.Y.Y:58158<br>>>>>>> 02/11/2012-21:23:14.567194 [**] [1:11:0] got more email addrs<br>
>>>>>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>>>>>>> Y.Y.Y.Y:58158<br>>>>>>><br>>>>>>> If I put some '#' symbols between the emails in the file so that<br>
>>>>>> it gets about 9K big and I fetch it I get these alerts :<br>>>>>>><br>>>>>>> 02/11/2012-21:25:37.755214 [**] [1:10:0] got one email addr [**]<br>>>>>>> [Classification: (null)] [Priority: 3] {TCP} X.X.X.X:80 -><br>
>>>>>> Y.Y.Y.Y:58166<br>>>>>>> 02/11/2012-21:25:37.755214 [**] [1:11:0] got more email addrs<br>>>>>>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>
>>>>>> Y.Y.Y.Y:58166<br>>>>>>> 02/11/2012-21:25:37.761077 [**] [1:11:0] got more email addrs<br>>>>>>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>
>>>>>> Y.Y.Y.Y:58166<br>>>>>>> 02/11/2012-21:25:37.764451 [**] [1:11:0] got more email addrs<br>>>>>>> [**] [Classification: (null)] [Priority: 2] {TCP} X.X.X.X:80 -><br>
>>>>>> Y.Y.Y.Y:58166<br>>>>>>><br>>>>>>><br>>>>>>><br>>>>>>> Hi Nikolay,<br>>>>>>><br>>>>>>><br>
>>>>>> Can you please post this as a bug - please be detailed (as you were in<br>>>>>>> your 2 previous e-mails).<br>>>>>>> Personally i think here sid 11 is the problem , may be it does not<br>
>>>>>> count/increment correctly....<br>>>>>>> thanks<br>>>>>>><br>>>>>>><br>>>>>>> --<br>>>>>>> Peter Manev<br>>>>>><br>
>>>>> Yes I will post this as a bug. But I've just found a much simpler case.<br>>>>>><br>>>>>> Let's for example have only this rule in suricata :<br>>>>>><br>
>>>>> alert tcp $HOME_NET 6666 -> any any (msg:"match"; content:"|40|";)<br>>>>>><br>>>>>> Then on a monitored machine from the $HOME_NET range I do :<br>
>>>>><br>>>>>> echo "@ @ @ @ @ @ @ @ @" | nc -l 6666<br>>>>>><br>>>>>> And on different host I do :<br>>>>>><br>>>>>> nc testserver 6666<br>
>>>>><br>>>>>> This gets the ten @ chars transferred, and I get only one alert.<br>>>>>> But for example if I echo more @ chars, like 5000 or something, I get<br>>>>>> 3-6 alerts.<br>
>>>>> I have to check what is actually the number of packets with payload,<br>>>>>> probably the rule<br>>>>>> is matched once per packet? But this could not explain that I get<br>
>>>>> different number of alerts on different runs.<br>>>>><br>>>>> The behavior is by design. TCP data by default is inspected in the<br>>>>> stream context, which means the "@ @ @ @ @ @ @ @ @" buffer is inspected<br>
>>>> at once.<br>>>><br>>>><br>>>>><br>>>>> Suricata will not try to find every possible match in a<br>>>>> payload, but just one.<br>>>><br>>>> That's good to know - clears out a few questions of mine....<br>
>>> but then a PCRE (matching on 10 "@") should match all of them - correct?<br>>>> having in mind they are in the same "chunk".<br>>>><br>>><br>>> If I have understood your question right, no! Pcre works just like<br>
>> content on the first match it finds. So alerts wise or match wise it<br>>> should work the same as using content<br>>><br>><br>> So this means that there is no way to count the total number of occurrences of a<br>
> given string or pattern in a flow, and alert if some predefined number is reached?<br>> i.e. no matter the number I will get one alert per chunk?<br>><br>> Something like 'g' (global match) flag for pcre? This will definitely be very expensive, but looks interesting as feature.<br>
><br><br></div></div>You won't be able to alert for every pattern in the flow, but you can<br>alert once by counting the no of patterns present in the stream using<br>pcre. You don't need 'g' or such feature to do so.<br>
<br>Something like<br><br>pcre:"/(kaboom.*){3}/";<br></blockquote>
<div>That's what i had in mind ... </div>
<div> </div>
<div> </div>
<blockquote style="BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex;PADDING-LEFT:1ex" class="gmail_quote"><br>should do the trick by alerting if the pattern kaboom is present in<br>the string thrice.<br><br>But I'd suggest avoiding pcre under most circumstances.<br>
<div class="HOEnZb">
<div class="h5"><br>>>><br>>>>><br>>>>><br>>>>> The reason you get more alerts if you increase the payload<br>>>>> significantly, is that the stream is inspected in chunks. The size of<br>
>>>> those chunks is determined by your stream toserver_chunk_size setting.<br>>>>><br>>>>> --<br>>>>> ---------------------------------------------<br>>>>> Victor Julien<br>
>>>> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>>>>> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
>>>> ---------------------------------------------<br>>>>><br>>>>> _______________________________________________<br>>>>> Oisf-users mailing list<br>>>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>>>><br>>>><br>>>><br>
>>><br>>>> --<br>>>> Peter Manev<br>>>><br>>>> _______________________________________________<br>>>> Oisf-users mailing list<br>>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>>>><br>>><br>>><br>>><br>
>> --<br>>> Anoop Saldanha<br>>> _______________________________________________<br>>> Oisf-users mailing list<br>>> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
>> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>><br><br><br><br></div></div><span class="HOEnZb"><font color="#888888">--<br>
Anoop Saldanha<br></font></span></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>