<div dir="ltr">In that case you can simply not specify a buffer, or possibly make 2 rules if performance is a concern.</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 12, 2018 at 8:45 AM, 7ym0n <span dir="ltr"><<a href="mailto:hackking@126.com" target="_blank">hackking@126.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="color:#000;font-size:14px;font-family:arial"><div>sorry,I didn't express clearly.<br><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">what I want to say is that <em> http_cookie</em></span></span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"> or  <em>http_client_body</em> Contain <em>SRCHD=AF=NOFORM</em></span></span><em><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial"></span></span></span></span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial"></span></span></span></span></em></div><div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div>在2018年04月10 22时21分, "Travis Green"<<a href="mailto:travis@travisgreen.net" target="_blank">travis@travisgreen.net</a>><wbr>写道:</div><blockquote id="m_6466759494575651157isReplyContent" style="padding-left:1ex;margin:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid"><br><div dir="ltr">Hi there, you likely want to do this:<div><br></div><div><span style="color:rgb(0,0,0);font-family:arial;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial;background-color:rgb(255,255,255);float:none;display:inline">content:"</span><span style="color:rgb(0,0,0);font-family:arial;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial;background-color:rgb(255,255,255);float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial">SRCHD=AF=NOFORM</span></span>"; <span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">http_cookie; <span style="font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);font-family:arial;font-size:14px;background-color:rgb(255,255,255);float:none;display:inline">content:"</span><span style="font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);font-family:arial;font-size:14px;background-color:rgb(255,255,255);float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial">SRCHD=<wbr>AF=NOFORM</span></span>";<span> </span></span>http_client_body;</span></span><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 9, 2018 at 7:50 PM, 7ym0n <span dir="ltr"><<a href="mailto:hackking@126.com" target="_blank">hackking@126.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="color:#000;font-size:14px;font-family:arial"><div>Hi:<br>     thanks! @Jason Williams A detailed answer.<br>    <br>    I known <span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"> </span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial"> add classtype of 'test' to classifications.config,<br>    but, </span></span>Why can't a feature specify multiple detection items?<span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial"> <br>    e.g:<br>======<br>    Accept: text/html,application/xhtml+xm<wbr>l,application/xml;q=0.9,*/*;q=<wbr>0.8<br>    Accept-Encoding: gzip, deflate, br<br>    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-<wbr>HK;q=0.5,en-US;q=0.3,en;q=0.2<br>    Connection: keep-alive<br>    Content-Length: 355<br>    Content-Type: text/plain;charset=UTF-8<br>    Cookie: SRCHD=AF=NOFORM;<br><br>    id=1&page=2&c=</span></span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial">SRCHD=AF=NOF<wbr>ORM<br></span></span>======<br></span>    content:"</span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><span style="color:rgb(0,0,0);font-family:arial">SRCHD=AF=NOFORM</span></span>"; "<span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">http_cookie; http_client_body;" </span></span></div><div><br></div><div><br></div><div><br></div></div><div class="m_6466759494575651157HOEnZb"><div class="m_6466759494575651157h5"><div>在2018年04月10 01时58分, "Jason Williams"<<a href="mailto:jwilliams@emergingthreats.net" target="_blank">jwilliams@emergingth<wbr>reats.net</a>>写道:</div><blockquote id="m_6466759494575651157m_1675898279225377164isReplyContent" style="padding-left:1ex;margin:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid"><br><div dir="ltr">Hello,<div><br></div><div>You can match anywhere in the content you want, if you want to match things at the end of the buffer say something like </div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>content:"<span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">105,110,105)</span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">)</span>"; http_uri; isdataat:!1,relative; </div></blockquote><div><br></div><div>Or if you are using Suricata 4.1beta you can do </div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">content:"</span><span style="font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);font-family:arial;background-color:rgb(255,255,255);float:none;display:inline">105,110,105)</span><span style="font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial;color:rgb(0,0,0);font-family:arial;background-color:rgb(255,255,255);float:none;display:inline">)</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">"; endswith; </span></div></blockquote><div><br></div><div>For your rule:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><i><span style="color:rgb(0,0,0);font-family:arial;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; </span><span style="color:rgb(0,0,0);font-family:arial;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">http_uri; http_client_body; </span><span style="color:rgb(0,0,0);font-family:arial;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">nocase; classtype:test; sid:</span><span style="color:rgb(0,0,0);font-family:arial;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">203456189; rev:1;) </span></i></div></blockquote><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">You have an error here --> "<span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">http_uri; http_client_body;" - y</span></span><span style="color:rgb(0,0,0);font-family:arial">ou must specify contents one per buffer.</span></div><div><span style="color:rgb(0,0,0);font-family:arial"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial">You would also need to add classtype of 'test' to classifications.config or your rule will error. </span></div><div><span style="color:rgb(0,0,0);font-family:arial"><br></span></div><div><font face="arial" color="#000000">This should work (but will probably give false positives and may not be very efficient):</font></div><div><span style="color:rgb(0,0,0);font-family:arial"><br></span></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><span style="color:rgb(0,0,0);font-family:arial"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">alert http any any -> any any (msg:"---(1)-test union select"; content:"load_file"; </span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">http_uri; </span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">nocase; sid:</span><span style="color:rgb(0,0,0);font-family:arial;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">203456189; rev:1;) </span></div></span></div></blockquote><div><span style="color:rgb(0,0,0);font-family:arial"><br class="m_6466759494575651157m_1675898279225377164gmail-Apple-interchange-newline">Thanks,</span></div><div><span style="color:rgb(0,0,0);font-family:arial"><br></span></div><div><font face="arial" color="#000000">Jason</font></div><div><span style="color:rgb(0,0,0);font-family:arial;font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 8, 2018 at 10:04 PM, 7ym0n <span dir="ltr"><<a href="mailto:hackking@126.com" target="_blank">hackking@126.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="color:#000;font-size:14px;font-family:arial"><div>HI all:<br>    When I was using suricata, I encountered the following problems. Using Google,bing didn't find a solution, How can solve this problem??<br>    1.How do I start a match from the reciprocal N bytes of a payload or buffer?<br>    e.g:<br>        <a class="m_6466759494575651157m_1675898279225377164m_839772643549979634external" href="http://localhost/?id=1&test=-1" target="_blank">http://localhost/?id=1<wbr>&page=-1</a> union select 1,1,1,load_file(char(99,58,47,<wbr>98,111,111,116,46,105,110,105)<wbr>)</div><div>    <br></div><div>    The match starts at the end of the uri:"116,46,105,110,105"<br><br></div><div>    2. cannot specify multiple HTTP keywords in the content?<br>    e.g:<br>    alert http any any -> any any (msg:"---(1)-test union select";content:"load_file";ht<wbr>tp_uri;http_client_body;nocase<wbr>;classtype:test;sid:203456189;<wbr>rev:1;)    <br>    it's not work!<br><br>    need to check whether there are related features in multiple fields in HTTP, and how to present them in a rule?<br></div></div><div><br><br><span title="neteasefooter"><p> </p></span></div><br><br><span title="neteasefooter"><p> </p></span><br>______________________________<wbr>_________________<br>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/ois<wbr>f-users</a><br><br>Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/train<wbr>ing/</a><br></blockquote></div><br></div></div></blockquote><br><br><span title="neteasefooter"><p> </p></span></div></div><br>______________________________<wbr>_________________<br>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br><br>Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/train<wbr>ing/</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_6466759494575651157gmail_signature" data-smartmail="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div></div></blockquote><br><br><span title="neteasefooter"><p> </p></span></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
</div>