<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I’m using docker and it works really well. We’re hoping to continue tuning to the point where we can run a couple different containers on the same system, but RAM is an issue with the way we have it configured now. Currently using somewhere around 84GB with afpacket and using 16 procs.<div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 12, 2015, at 8:23 AM, Saxena, Samiksha <<a href="mailto:samiksha.saxena@verizon.com" class="">samiksha.saxena@verizon.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class=""><div class="">Suricata with load balance in one container is working for me, but I still want to configure load balancer server and Suricata in two different containers. 
How </div><div class=""><br class=""></div><span id="OLK_SRC_BODY_SECTION" class=""><div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class=""><span style="font-weight:bold" class="">From: </span> <Saxena>, "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com" class="">samiksha.saxena@one.verizon.com</a>><br class=""><span style="font-weight:bold" class="">Date: </span> Tuesday, June 2, 2015 at 4:13 PM<br class=""><span style="font-weight:bold" class="">To: </span> Claudio Kuenzler <<a href="mailto:ck@claudiokuenzler.com" class="">ck@claudiokuenzler.com</a>>, Victor Roemer <<a href="mailto:viroemer@cisco.com" class="">viroemer@cisco.com</a>><br class=""><span style="font-weight:bold" class="">Cc: </span> "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" class="">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" class="">oisf-users@lists.openinfosecfoundation.org</a>><br class=""><span style="font-weight:bold" class="">Subject: </span> Re: [Oisf-users] Suricata in container<br class=""></div><div class=""><br class=""></div><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class=""><div class="">Installing suricata with load balancer server is kind of working for me, but I am not able to see the dropped packet information.</div><div class=""><br class=""></div><span id="OLK_SRC_BODY_SECTION" class=""><div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class=""><span style="font-weight:bold" class="">From: </span> Claudio Kuenzler <<a href="mailto:ck@claudiokuenzler.com" 
class="">ck@claudiokuenzler.com</a>><br class=""><span style="font-weight:bold" class="">Date: </span> Tuesday, June 2, 2015 at 3:41 PM<br class=""><span style="font-weight:bold" class="">To: </span> Victor Roemer <<a href="mailto:viroemer@cisco.com" class="">viroemer@cisco.com</a>><br class=""><span style="font-weight:bold" class="">Cc: </span> "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" class="">oisf-users@lists.openinfosecfoundation.org</a>" <<a href="mailto:oisf-users@lists.openinfosecfoundation.org" class="">oisf-users@lists.openinfosecfoundation.org</a>>, "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com" class="">samiksha.saxena@one.verizon.com</a>><br class=""><span style="font-weight:bold" class="">Subject: </span> Re: [Oisf-users] Suricata in container<br class=""></div><div class=""><br class=""></div><div dir="ltr" class=""><div class="">Well, just FYI, I was talking about containers as in LXC (Linux Containers), without another layer added on it like docker.<br class=""></div>Don't know if you can do it with docker, but should be possible, too.<br class=""></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, Jun 2, 2015 at 9:28 PM, Victor Roemer <span dir="ltr" class=""><<a href="mailto:viroemer@cisco.com" target="_blank" class="">viroemer@cisco.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" type="cite">
<div bgcolor="#FFFFFF" text="#000000" class="">
<div class=""><p style="margin:1.2em 0px!important" class="">I’m still pretty new to
docker (just to be clear) and have not tried this yet-</p><p style="margin:1.2em 0px!important" class="">This is how I am
planning to deploy IPS for my HTTP server(s)</p><p style="margin:1.2em 0px!important" class="">HTTP server “exposes”
its port to other containers only; (not bound to host port)</p><p style="margin:1.2em 0px!important" class="">IPS container “exposes”
port 80 and is bound to the host network. IPS container is
started with “--link <u class=""></u>:httpserv” to perform
MITM of the server’s traffic. <u class=""></u></p><p style="margin:1.2em 0px!important" class="">Dockerfile not included;
the commands I expect to run would be:</p>
<pre style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;font-size:1em;line-height:1.2em;margin:1.2em 0px" class=""><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline;white-space:pre-wrap;overflow:auto;border-radius:3px;border:1px solid rgb(204,204,204);padding:0.5em 0.7em;display:block!important" class="">$ docker run -p <a href="http://127.0.0.1:12345/" target="_blank" class="">127.0.0.1:12345</a> --name application <http_server_image>
$ docker run -p 80:80 --link application:httpserv --name ips <snort_or_suricata_image>
</code></pre><p style="margin:1.2em 0px!important" class="">(YMMV, specifically I’m
uncertain of the “--link” option)</p><p style="margin:1.2em 0px!important" class="">From here, it becomes a
question of how the IPS container firewall rules are set up
(assuming NFQ+daq for my case).<br class="">
In the example above, I would have to do some sort of NATing (<u class=""></u>:80
-> <a href="http://127.0.0.1:12345/" target="_blank" class="">127.0.0.1:12345</a>).<u class=""></u></p><p style="margin:1.2em 0px!important" class="">This seems all good; but
I still feel like I’m overdoing it and that docker may provide
a more reasonable<br class="">
out-of-box magic to ease this further. </p>
<hr class=""><p style="margin:1.2em 0px!important" class="">Otherwise, for passive
setups, it should be super easy. Add flags to <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);background-color:rgb(248,248,248);border-radius:3px;display:inline" class="">docker run</code>
command: “--net=host --privileged”<br class="">
(refer to “<a href="https://registry.hub.docker.com/u/manell/wireshark/" target="_blank" class="">https://registry.hub.docker.com/u/manell/wireshark/</a>“).</p><div class=""><div class="h5"><p style="margin:1.2em 0px!important" class="">On 6/2/15 14:17, Claudio
Kuenzler wrote:</p><div style="margin: 1.2em 0px !important;" class=""><br class="webkit-block-placeholder"></div>
<div class=""><div class=""><br class="webkit-block-placeholder"></div>
<blockquote type="cite" class=""><font size="+1" class=""><br class="">
<br class="">
</font><div dir="ltr" class=""><font size="+1" class="">Install suricata in the container
where you run the loadbalancer and you catch the traffic.</font></div>
<font size="+1" class=""><br class="">
</font>
<div class="gmail_quote"><font size="+1" class="">On Jun 2, 2015 8:07
PM, "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@verizon.com" target="_blank" class="">samiksha.saxena@verizon.com</a>>
wrote:<br type="attribution" class="">
</font>
<blockquote class="gmail_quote" type="cite">
<div class="">
<div class=""><font size="+1" class="">How can I do so? I want the traffic
to flow from internet to load balancer server
(running in a container) to Suricata (running in a
separate container) to application server. </font></div>
<div class=""><font size="+1" class=""><br class="">
</font></div>
<font size="+1" class=""><span class="">
<div class=""><span class="">From: </span> Claudio Kuenzler <<a href="mailto:ck@claudiokuenzler.com" target="_blank" class="">ck@claudiokuenzler.com</a>><br class="">
<span class="">Date: </span> Tuesday, June 2, 2015 at 2:05
PM<br class="">
<span class="">To: </span> "Saxena, Samiksha" <<a href="mailto:samiksha.saxena@one.verizon.com" target="_blank" class="">samiksha.saxena@one.verizon.com</a>><br class="">
<span class="">Cc: </span> "<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank" class="">oisf-users@lists.openinfosecfoundation.org</a>"
<<a href="mailto:oisf-users@lists.openinfosecfoundation.org" target="_blank" class="">oisf-users@lists.openinfosecfoundation.org</a>>,
Victor Julien <<a href="mailto:lists@inliniac.net" target="_blank" class="">lists@inliniac.net</a>><br class="">
<span class="">Subject: </span> Re: [Oisf-users] Suricata
in container<br class="">
</div>
<div class=""><br class="">
</div><div dir="ltr" class="">If you use that particular container as
reverse proxy for example. </div>
<div class="gmail_quote">On Jun 2, 2015 4:01 PM,
"Saxena, Samiksha" <<a href="mailto:samiksha.saxena@verizon.com" target="_blank" class="">samiksha.saxena@verizon.com</a>>
wrote:<br type="attribution" class="">
<blockquote class="gmail_quote" type="cite">How to make a
container a hop in the traffic?<br class="">
<br class="">
<br class="">
On 6/2/15, 5:46 AM, "Victor Julien" <<a href="mailto:lists@inliniac.net" target="_blank" class="">lists@inliniac.net</a>>
wrote:<br class="">
<br class="">
<br class="">
>On 05/26/2015 11:31 PM, Saxena, Samiksha
wrote:<br class="">
<br class="">
>> Is there a way to configure suricata in
container for IPS? I want to<br class="">
<br class="">
>> forward all the traffic coming from
internet to a Load balancer<br class="">
<br class="">
>> container forwarded to Suricata
container for IPS. Is this possible and<br class="">
<br class="">
>>how?<br class="">
<br class="">
><br class="">
<br class="">
>I think it's possible, if you can make the
container a hop in the<br class="">
<br class="">
>traffic path.<br class="">
<br class="">
><br class="">
<br class="">
>--<br class="">
<br class="">
>---------------------------------------------<br class="">
<br class="">
>Victor Julien<br class="">
<br class="">
><a href="http://www.inliniac.net/" target="_blank" class="">http://www.inliniac.net/</a><br class="">
<br class="">
>PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank" class="">http://www.inliniac.net/victorjulien.asc</a><br class="">
<br class="">
>---------------------------------------------<br class="">
<br class="">
><br class="">
<br class="">
>_______________________________________________<br class="">
<br class="">
>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank" class="">oisf-users@openinfosecfoundation.org</a><br class="">
<br class="">
>Site: <a href="http://suricata-ids.org/" target="_blank" class="">http://suricata-ids.org</a>
| Support: <a href="http://suricata-ids.org/support/" target="_blank" class="">http://suricata-ids.org/support/</a><br class="">
<br class="">
>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank" class="">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br class="">
<br class="">
>Suricata User Conference November 4 & 5
in Barcelona:<br class="">
<br class="">
><a href="http://oisfevents.net/" target="_blank" class="">http://oisfevents.net</a><br class="">
<br class="">
<br class="">
</blockquote>
</div>
</span></font></div>
<font size="+1" class=""><br class="">
</font></blockquote>
</div>
<font size="+1" class=""><br class="">
<br class="">
<br class="">
</font>
<font size="+1" class=""><br class="">
<br class="">
</font></blockquote><div class=""><br class="webkit-block-placeholder"></div>
</div><div style="margin: 1.2em 0px !important;" class=""><br class="webkit-block-placeholder"></div>
</div></div></div>
</div></blockquote></div><br class=""></div></span></div></div></span></div>
</div></blockquote></div><br class=""></div></body></html>