I'm not sure how to get it in there but would be eager to contribute. <span></span><br><br>On Wednesday, June 15, 2016, Andreas Herz <<a href="mailto:andi@geekosphere.org">andi@geekosphere.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 31/05/16 at 09:02, Chris Boley wrote:<br>
> Andreas, this is lengthy sorry, I tried to include useful detail but,<br>
> unfortunately I ramble on a lot:<br>
<br>
Thanks for the detailed information. What could be interesting, that you<br>
put that in our redmine wiki so it won't get lost.<br>
<br>
Looks like a very special usecase/setup, thus not that many responses,<br>
but still worth it to be documented.<br>
<br>
><br>
> I had this idea because I wanted to be able to have two or 3 working<br>
> Suricata test OS's for experimenting with things in the YAML and<br>
> other configs. This allows me to set up multiple VM's with varying configs<br>
> and find out what works and what doesn't.<br>
> That's why I did it.<br>
><br>
> My basic setup.<br>
> I had 4 ethernet adapters installed in a dell 2970 with latest bios, 2 - 6<br>
> Core opterons running at 2.6 ghz, and 32 gigs of RAM.<br>
><br>
> Why 4 nics? 1. host interface 2. VM Mgmt. Interface 3. Bridge-side A 4.<br>
> Bridge-Side B.<br>
><br>
><br>
> If your physical host interfaces are like em1 em2 or whatever in Ubuntu<br>
> edit /etc/default/grub<br>
><br>
> find these two lines:<br>
> GRUB_CMDLINE_LINUX_DEFAULT="splash quiet"<br>
> GRUB_CMDLINE_LINUX=""<br>
><br>
><br>
> modify to look like<br>
><br>
> GRUB_CMDLINE_LINUX_DEFAULT="splash quiet biosdevname=0"<br>
> GRUB_CMDLINE_LINUX="biosdevname=0"<br>
><br>
> sudo update-grub<br>
><br>
> Modify your operational host interface in /etc/network/interfaces file to<br>
> reflect eth0 instead of whatever it was named before.<br>
> If you don't, you'll find yourself without a working interface.<br>
><br>
> then reboot<br>
><br>
> ---------------------------------------------------------------------------------------------<br>
><br>
> **macvtap with passthrough must have a dedicated physical interface to tie<br>
> itself to.<br>
><br>
><br>
> You've got to create a specialized network configuration within the libvirt<br>
> setup.<br>
> ** Caveats** You need to have hardware and BIOS platform that supports<br>
> SR-IOV.<br>
> How do you figure that out? Do the homework. Or simply experiment. I just<br>
> tried building the VM initially via virt-manager.<br>
> It let me do it. Meaning, the toolkit detected the right resources to<br>
> accomplish building the parameters I gave it.<br>
><br>
> When I looked up SR-IOV capabilities online through DELL, I didn't see<br>
> where it was supported but I tried it anyway and it worked.<br>
> If it doesn't libvirt will just bark at you and tell you that you can't do<br>
> that. Here's a good link to explain SR-IOV:<br>
><br>
><br>
> <a href="http://blog.scottlowe.org/2009/12/02/what-is-sr-iov/" target="_blank">http://blog.scottlowe.org/2009/12/02/what-is-sr-iov/</a><br>
><br>
> ---A note about command line versus CLI installs<br>
> For those of you who are adamant about staying on ssh cli access only with<br>
> the host;<br>
> this script below will startup a virtual machine net install for ubuntu<br>
> 14.04 64 bit in your terminal with full hardware acceleration.<br>
> The machine will initially have a NAT based virtual network interface, 16<br>
> gig of ram and 8 vcpu's.<br>
> You'll be dealing with a qcow2 based harddisk file which doesn't offer the<br>
> best performance.<br>
> but I like it because of being able to snapshot. Look up libvirt snapshot +<br>
> qcow2 and you'll find some good articles on snappshotting.<br>
> I'm not going to write a book here. :)<br>
><br>
> I toyed with setting up the interfaces right from this install script. In<br>
> the end and 4 hours later, it ended up being<br>
> more trouble than it was worth. I used virt-manager from a xwindows GUI in<br>
> lieu of all the headache.<br>
><br>
> Plus, there are adjustments you can make in virt-manager that I've never<br>
> figured out how to do in virsh.<br>
> My most sincere recommendation is to install a really lightweight window<br>
> manager.<br>
> I tend to install Lubuntu minimal desktop during my server install and add<br>
> in some basics like leafpad but most importantly virt-manager.<br>
> Use whatever desktop you want. Maybe blackbox or fluxbox would be a great<br>
> choice as they use almost no resources.<br>
> You'll find manipulating VM's with Virt manager is much easier.<br>
> Moreover, you can tailor your cpu's settings more easily which is kind of<br>
> important for Suricata.<br>
><br>
> Alternatively, you can stick to the cli and modify the xml with 'virsh<br>
> edit'. Beware that it uses 'vi' and is kind of a PITA.<br>
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
> sudo apt-get -y install qemu-kvm libvirt-bin bridge-utils qemu-system<br>
> & virt-manager if you're going to install a GUI....<br>
><br>
> qemu-img create -f qcow2 -o preallocation=full<br>
> /home/ipsadmin/vmimgs/virtdrive.qcow2 64G<br>
><br>
> virt-install --connect=qemu:///system \<br>
> --name=IPSTEST \<br>
> --ram 16384 \<br>
> --disk<br>
> path=/home/ipsadmin/vmimgs/virtdrive.qcow2,format=qcow2,bus=virtio,cache=none,size=64<br>
> \<br>
> --vcpus=8 \<br>
> --os-type linux \<br>
> --os-variant ubuntutrusty \<br>
> --network bridge=virbr0 \<br>
> --check-cpu \<br>
> --hvm \<br>
> --location '<br>
> <a href="http://archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/" target="_blank">http://archive.ubuntu.com/ubuntu/dists/trusty/main/installer-amd64/</a>' \<br>
> --graphics none \<br>
> --console pty,target_type=serial \<br>
> --extra-args="console=ttyS0,115200n8 serial" \<br>
><br>
><br>
> ***add ' --debug ' flag into that script if you want to see verbose output<br>
> of what's going on.<br>
><br>
> ---- for the second time you need to connect to the VM.-----<br>
><br>
> The first time, based on the above settings, it will connect automatically.<br>
><br>
> virsh start IPSTEST<br>
><br>
> virsh console IPSTEST<br>
><br>
><br>
> -----------------------------------------------------------------------------------------------------------------------------------<br>
> ----for editing the machine xml if you want to stick to the CLI. ** This is<br>
> an example** modify to fit your needs.<br>
> Find the adapter and paste in the place of the original adapter segment,<br>
> something that looks like this below.<br>
> Obviously you need 3 adapters for the VM 2 for bridge and one for mgmt<br>
> iface. Be mindful of slot numbers and alias naming nomenclature.<br>
> Logically in the xml you'll find that most things like slot number<br>
> increment. Just make sure you don't conflict with something else.<br>
> You'll break the VM in that case. Make a backup before you edit. Eth1 in<br>
> the case below will take the place of what used to be<br>
><br>
> your virtual adapter that was natted from inside to outside the host. Now<br>
> you've tied it to a physical interface. It will pull DHCP<br>
><br>
> addresses from the physical network.<br>
><br>
><br>
> <interface type='direct'><br>
> <mac address='52:54:00:67:7e:5d'/><br>
> <source dev='eth1' mode='passthrough'/><br>
> <target dev='macvtap0'/><br>
> <model type='virtio'/><br>
> <alias name='net0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x02'<br>
> function='0x0'/><br>
> </interface><br>
> <interface type='direct'><br>
> <mac address='52:54:00:67:7e:5d'/><br>
> <source dev='eth2' mode='passthrough'/><br>
> <target dev='macvtap0'/><br>
> <model type='virtio'/><br>
> <alias name='net1'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03'<br>
> function='0x0'/><br>
> </interface><br>
> <interface type='direct'><br>
> <mac address='52:54:00:67:7e:5d'/><br>
> <source dev='eth2' mode='passthrough'/><br>
> <target dev='macvtap0'/><br>
> <model type='virtio'/><br>
> <alias name='net2'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x04'<br>
> function='0x0'/><br>
> </interface><br>
> ------------------------------------------------------------------------------------------------------------------------------------------<br>
><br>
> My full xml off my primary test machine looks like this:<br>
><br>
> idsadmin@SRVCHSURICATA1:~$ virsh dumpxml CSNIPESNSR01<br>
> <domain type='kvm' id='2'><br>
> <name>CSNIPESNSR01</name><br>
> <uuid>ec0d0563-aa0a-ef29-5f24-ba5ba1416b50</uuid><br>
> <memory unit='KiB'>16777216</memory><br>
> <currentMemory unit='KiB'>16777216</currentMemory><br>
> <vcpu placement='static'>8</vcpu><br>
> <resource><br>
> <partition>/machine</partition><br>
> </resource><br>
> <os><br>
> <type arch='i686' machine='pc-i440fx-trusty'>hvm</type><br>
> <boot dev='hd'/><br>
> </os><br>
> <features><br>
> <acpi/><br>
> <apic/><br>
> <pae/><br>
> </features><br>
> <cpu mode='custom' match='exact'><br>
> <model fallback='allow'>Opteron_G3</model><br>
> <vendor>AMD</vendor><br>
> <feature policy='require' name='skinit'/><br>
> <feature policy='require' name='vme'/><br>
> <feature policy='require' name='mmxext'/><br>
> <feature policy='require' name='fxsr_opt'/><br>
> <feature policy='require' name='cr8legacy'/><br>
> <feature policy='require' name='ht'/><br>
> <feature policy='require' name='3dnowprefetch'/><br>
> <feature policy='require' name='3dnowext'/><br>
> <feature policy='require' name='wdt'/><br>
> <feature policy='require' name='extapic'/><br>
> <feature policy='require' name='pdpe1gb'/><br>
> <feature policy='require' name='osvw'/><br>
> <feature policy='require' name='ibs'/><br>
> <feature policy='require' name='cmp_legacy'/><br>
> <feature policy='require' name='3dnow'/><br>
> </cpu><br>
> <clock offset='utc'/><br>
> <on_poweroff>destroy</on_poweroff><br>
> <on_reboot>restart</on_reboot><br>
> <on_crash>restart</on_crash><br>
> <devices><br>
> <emulator>/usr/bin/kvm-spice</emulator><br>
> <disk type='file' device='disk'><br>
> <driver name='qemu' type='qcow2'/><br>
> <source file='/home/idsadmin/CSNIPE/snipedrive.qcow2'/><br>
> <target dev='vda' bus='virtio'/><br>
> <serial>1</serial><br>
> <alias name='virtio-disk0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x05'<br>
> function='0x0'/><br>
> </disk><br>
> <disk type='file' device='cdrom'><br>
> <driver name='qemu' type='raw'/><br>
> <target dev='hdc' bus='ide'/><br>
> <readonly/><br>
> <alias name='ide0-1-0'/><br>
> <address type='drive' controller='0' bus='1' target='0' unit='0'/><br>
> </disk><br>
> <controller type='usb' index='0'><br>
> <alias name='usb0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x01'<br>
> function='0x2'/><br>
> </controller><br>
> <controller type='pci' index='0' model='pci-root'><br>
> <alias name='pci.0'/><br>
> </controller><br>
> <controller type='ide' index='0'><br>
> <alias name='ide0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x01'<br>
> function='0x1'/><br>
> </controller><br>
> <interface type='direct'><br>
> <mac address='52:54:00:b1:16:c2'/><br>
> <source dev='eth3' mode='passthrough'/><br>
> <target dev='macvtap0'/><br>
> <model type='virtio'/><br>
> <alias name='net0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03'<br>
> function='0x0'/><br>
> </interface><br>
> <interface type='direct'><br>
> <mac address='52:54:00:3e:db:eb'/><br>
> <source dev='eth0' mode='passthrough'/><br>
> <target dev='macvtap1'/><br>
> <model type='virtio'/><br>
> <alias name='net1'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07'<br>
> function='0x0'/><br>
> </interface><br>
> <interface type='direct'><br>
> <mac address='52:54:00:1c:71:70'/><br>
> <source dev='eth1' mode='passthrough'/><br>
> <target dev='macvtap2'/><br>
> <model type='virtio'/><br>
> <alias name='net2'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x08'<br>
> function='0x0'/><br>
> </interface><br>
> <serial type='pty'><br>
> <source path='/dev/pts/2'/><br>
> <target port='0'/><br>
> <alias name='serial0'/><br>
> </serial><br>
> <console type='pty' tty='/dev/pts/2'><br>
> <source path='/dev/pts/2'/><br>
> <target type='serial' port='0'/><br>
> <alias name='serial0'/><br>
> </console><br>
> <input type='mouse' bus='ps2'/><br>
> <input type='keyboard' bus='ps2'/><br>
> <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'><br>
> <listen type='address' address='127.0.0.1'/><br>
> </graphics><br>
> <sound model='ich6'><br>
> <alias name='sound0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x04'<br>
> function='0x0'/><br>
> </sound><br>
> <video><br>
> <model type='cirrus' vram='9216' heads='1'/><br>
> <alias name='video0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x02'<br>
> function='0x0'/><br>
> </video><br>
> <memballoon model='virtio'><br>
> <alias name='balloon0'/><br>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x06'<br>
> function='0x0'/><br>
> </memballoon><br>
> </devices><br>
> <seclabel type='dynamic' model='apparmor' relabel='yes'><br>
> <label>libvirt-ec0d0563-aa0a-ef29-5f24-ba5ba1416b50</label><br>
> <imagelabel>libvirt-ec0d0563-aa0a-ef29-5f24-ba5ba1416b50</imagelabel><br>
> </seclabel><br>
> </domain><br>
> ----------------------------------------------------------------------------------------------------------------------------<br>
><br>
> I set up my interfaces on the host like what's below here. I used my eth0<br>
> and eth1 on the VM Bridge. Eth2 is my host interface.<br>
> Eth3 is the 3rd interface on the VM dedicated to mgmt interface on the VM.<br>
> This way you can SSH into the VM and manage it.<br>
><br>
> The ' interfacetune' file listed there in the interfaces script is a page<br>
> torn directly out of Peter Manev's Github page on how to<br>
> tune interfaces best for Suricata use. (thanks again Peter. Your shared<br>
> info is really awesome!) See what's in the script below.<br>
> Physical Host interfaces file:<br>
><br>
> # The loopback network interface<br>
> auto lo<br>
> iface lo inet loopback<br>
><br>
> auto eth2<br>
> iface eth2 inet static<br>
> address 192.168.5.6<br>
> netmask 255.255.255.0<br>
> gateway 192.168.5.1<br>
> dns-nameservers 192.168.5.1<br>
><br>
> auto eth3<br>
> iface eth3 inet manual<br>
> pre-up modprobe 8021q<br>
> post-up ifconfig $IFACE up<br>
> pre-down ifconfig $IFACE down<br>
><br>
> auto eth0<br>
> iface eth0 inet manual<br>
> post-up ifconfig $IFACE up<br>
> post-up ifconfig eth0 mtu 1520<br>
> post-up /etc/network/if-up.d/interfacetune<br>
> post-up ethtool -s eth0 autoneg off speed 1000 duplex full<br>
> pre-down ifconfig $IFACE down<br>
><br>
> auto eth1<br>
> iface eth1 inet manual<br>
> post-up ifconfig $IFACE up<br>
> post-up ifconfig eth1 mtu 1520<br>
> post-up /etc/network/if-up.d/interfacetune<br>
> post-up ethtool -s eth1 autoneg off speed 1000 duplex full<br>
> pre-down ifconfig $IFACE down<br>
><br>
><br>
> ---------------------------------------------------------------------------------------------------------------------<br>
><br>
><br>
> idsadmin@SRVCHSURICATA1:~$ sudo cat /etc/network/if-up.d/interfacetune<br>
> /sbin/ethtool -G $IFACE rx 4096 >/dev/null 2>&1 ;<br>
> for i in rx tx sg tso ufo gso gro lro rxvlan txvlan; do /sbin/ethtool -K<br>
> $IFACE $i off >/dev/null 2>&1; done;<br>
><br>
> /sbin/ethtool -N $IFACE rx-flow-hash udp4 sdfn >/dev/null 2>&1;<br>
> /sbin/ethtool -N $IFACE rx-flow-hash udp6 sdfn >/dev/null 2>&1;<br>
> /sbin/ethtool -C $IFACE rx-usecs 1 rx-frames 0 >/dev/null 2>&1;<br>
> /sbin/ethtool -C $IFACE adaptive-rx off >/dev/null 2>&1;<br>
><br>
> exit 0<br>
> ----------------------------------------------------------------------------------------------------------------------------------------------------<br>
> HERES THE VM INTERFACE FILE:<br>
> idsadmin@SRVCHIPSSNSR01:~$ sudo cat /etc/network/interfaces<br>
> [sudo] password for idsadmin:<br>
> # This file describes the network interfaces available on your system<br>
> # and how to activate them. For more information, see interfaces(5).<br>
><br>
> # The loopback network interface<br>
> auto lo<br>
> iface lo inet loopback<br>
><br>
> # The primary network interface<br>
> auto eth0<br>
> iface eth0 inet static<br>
> address 192.168.5.5<br>
> netmask 255.255.255.0<br>
> gateway 192.168.5.1<br>
> dns-nameservers 192.168.5.1<br>
><br>
> auto eth1<br>
> iface eth1 inet manual<br>
> pre-up modprobe 8021q<br>
> post-up ifconfig $IFACE up<br>
> post-up /etc/network/if-up.d/interfacetune<br>
> pre-down ifconfig $IFACE down<br>
><br>
> auto eth2<br>
> iface eth2 inet manual<br>
> post-up ifconfig $IFACE up<br>
> post-up /etc/network/if-up.d/interfacetune<br>
> pre-down ifconfig $IFACE down<br>
><br>
><br>
> auto br0<br>
> iface br0 inet static<br>
> address 0.0.0.0<br>
> netmask 255.255.255.255<br>
> bridge_ports eth1 eth2<br>
> bridge_stp off<br>
> post-up ifconfig eth1 mtu 1520<br>
> post-up ifconfig eth2 mtu 1520<br>
> post-up ethtool -s eth2 autoneg off speed 1000 duplex full<br>
> post-up ethtool -s eth1 autoneg off speed 1000 duplex full<br>
> post-up /etc/network/if-up.d/interfacetune<br>
> post-down brctl delbr br0<br>
> -------------------------------------------------------------------------------------------------------------------------------<br>
> ** Notes-- I was scanning a 1 gigabit trunk interface between a CISCO 3750G<br>
> interface and a cisco 2911 ISR router with dot1q sub-interfaces.<br>
> If anyone cares. CISCO devices get pissed when you inject a linux bridge in<br>
> between it's CDP neighbor.<br>
> On your cisco parent interface configs, a ' no cdp enable ' is prudent for<br>
> the interfaces that are directly facing to the Linux bridge.<br>
> No need to set up individual subinterfaces on the bridge. The 'pre-up<br>
> modprobe 8021q' is all that's necessary to teach the bridge how<br>
> to pass vlan tags correctly.<br>
> And also hard code all speed and duplex settings or you're asking for a lot<br>
> of frustration and duplexing errors.<br>
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
> Last but not least, I also had HSRP (hot standby router protocol) which<br>
> uses multicast keepalives running between the router and the L3 switch.<br>
> I used these IPTABLES rules to shove the traffice toward NFQUEUE on the VM:<br>
><br>
> Compile suricata on the guest... Do it with NFQUEUE flags.. That's a whole<br>
> different procedure in and of itself.<br>
> If anyone decides to do this I'd love to see if it works in the VM with the<br>
> directly copied attributes<br>
> of the CPU within the VM and compile with hyperscan on an INTEL cpu set.<br>
> I used Gen 3 OPTERONS in my rig so I couldn't utilize hyperscan.<br>
> ------------------------------------------------------------------------------------------------------------------------------------<br>
> sudo iptables -I FORWARD -m physdev --physdev-in eth1 -j NFQUEUE<br>
> --queue-balance 0:7<br>
> sudo iptables -I FORWARD -m physdev --physdev-in eth2 -j NFQUEUE<br>
> --queue-balance 0:7<br>
><br>
> I started suricata like this:<br>
> sudo suricata -q 0 -q 1 -q 2 -q 3 -q 4 -q 5 -q 6 -q 7 -c<br>
> /homeidsadmin/suricata-3.0.1/suricata.yaml<br>
><br>
> It works really well as far as I can tell. I'd post performance data too..<br>
> but I can only generate traffic with a few end user nodes as I'm not<br>
> running this in production. I'd like to see if anybody could post results<br>
> of high utilization environments with a similiar setup.<br>
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
><br>
><br>
><br>
> On Sat, May 28, 2016 at 6:40 PM, Andreas Herz <<a href="javascript:;" onclick="_e(event, 'cvml', 'andi@geekosphere.org')">andi@geekosphere.org</a>> wrote:<br>
><br>
> > On 19/05/16 at 19:12, Chris Boley wrote:<br>
> > > I have been playing with using suricata ' inline ' using KVM/QEMU<br>
> > > <<a href="http://libvirt.org/drvqemu.html" target="_blank">http://libvirt.org/drvqemu.html</a>> by way of the libvirt toolkit.<br>
> > > I realize that the setups will vary wildly based on the hardware platform<br>
> > > capabilities. I'm wondering if anyone else here on the list could share<br>
> > > with me any experiences they've had on the networking I/O side of things<br>
> > > like tuning specifically for where it concerns suricata. For example, how<br>
> > > you have set up network configs on both the host systems and guest OS's<br>
> > to<br>
> > > get the best performance?<br>
> > > I've already got a config that's working, I'm just not sure it's the best<br>
> > > way to go about it.<br>
> ><br>
> > Can you share your config and experience?<br>
> ><br>
> > > If anybody can let me know I'd be really interested in getting that<br>
> > input.<br>
> > > Hopefully this is an appropriate topic for the list.<br>
> ><br>
> > Sure it is!<br>
> ><br>
> > > Thanks in advance,<br>
> > > Chris<br>
> ><br>
> > > _______________________________________________<br>
> > > Suricata IDS Users mailing list: <a href="javascript:;" onclick="_e(event, 'cvml', 'oisf-users@openinfosecfoundation.org')">oisf-users@openinfosecfoundation.org</a><br>
> > > Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
> > <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> > > List:<br>
> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > > Suricata User Conference November 9-11 in Washington, DC:<br>
> > <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
> ><br>
> ><br>
> > --<br>
> > Andreas Herz<br>
> > _______________________________________________<br>
> > Suricata IDS Users mailing list: <a href="javascript:;" onclick="_e(event, 'cvml', 'oisf-users@openinfosecfoundation.org')">oisf-users@openinfosecfoundation.org</a><br>
> > Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> > List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> > Suricata User Conference November 9-11 in Washington, DC:<br>
> > <a href="http://oisfevents.net" target="_blank">http://oisfevents.net</a><br>
<br>
--<br>
Andreas Herz<br>
</blockquote>