[Oisf-users] Fwd: IPS

Anas.B a.bouhsaina at gmail.com
Fri Jun 11 15:53:43 UTC 2010


These are the results of my experiment :
(Strange !!!)
*****************************************************************************************
nmap -sS 192.168.44.135  without running suricata

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:33 Afr. centrale
Ouest
Nmap scan report for 192.168.44.135
Host is up (0.00s latency).
All 1000 scanned ports on 192.168.44.135 are filtered
MAC Address: 00:0C:29:07:11:87 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds
*****************************************************************************************
nmap -sS 192.168.44.135  with suricata but without Drop rules
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:40 Afr. centrale
Ouest
Nmap scan report for 192.168.44.135
Host is up (0.0013s latency).
All 1000 scanned ports on 192.168.44.135 are closed
MAC Address: 00:0C:29:07:11:87 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds

[3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info>
(VerdictNFQThreadExitStats) -- (Verdict) Pkts *accepted 2004*, dropped *0*

*****************************************************************************************
nmap -sS 192.168.44.135  with suricata and replacing alert by *Drop*
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:45 Afr. centrale
Ouest
Nmap scan report for 192.168.44.135
Host is up (0.00s latency).
All 1000 scanned ports on 192.168.44.135 are filtered
MAC Address: 00:0C:29:07:11:87 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds

[3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info>
(VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, *dropped 2000*
*****************************************************************************************

What can we conclude ?? ==>  [ we can't drop the Nmap scans !!! ?? ]




2010/6/11 Anas.B <a.bouhsaina at gmail.com>

> I don't have *2010051*; here is the rule that I have:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> Executable purporting to be .cfg file with no Referrer - Likely Malware";
> flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d
> 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui";
> flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity;
> reference:url,
> www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99;
> reference:url,doc.emergingthreats.net/2010501; reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL;
> sid:*2010501*; rev:2;)
>
> I didn't understand the cksum offload (does that mean checking the CRC on
> arrival against the CRC at departure ??)
> and also the sending back of compressed data!
>
> Is Snort better than Suricata?
>
>
>
> 2010/6/11 rmkml <rmkml at free.fr>
>
>> search the emerging files you have to see whether you already have sid 2010051?
>> apparently it is in a file that contains the word malware...
>> by default suricata does not check the content of packets that have a bad
>> cksum, so if you have a network card that does cksum offload, then
>> you are going to get a lot of bad cksum... you can check that with tcpdump...
>> regarding web browser caches, if you go to the url
>> http://www.google.com/install/ws.exe with firefox or ie, you will get an
>> alert with suricata, but if you refresh your browser, the browser
>> will not actually try the url again, since it certainly has it in
>> its cache... that is why I use wget or curl or fetch
>> Later you also need to watch out for web servers sending back compressed
>> data...
>>
>> see you
>> Rmkml
>>
>>
>>
>> On Fri, 11 Jun 2010, Anas.B wrote:
>>
>>  Do I have to create it,
>>> or does it already exist?
>>>
>>> if so, in which file,
>>> if not, how?
>>>
>>> actually I didn't understand:
>>> - watch out for the cksum...
>>> and       - watch out for web browser caches...
>>>
>>> sorry, and thanks a lot.
>>>
>>>
>>> 2010/6/11 rmkml <rmkml at free.fr>
>>>      uh, good question,
>>>      an example, maybe with sid 2010051,
>>>      generate an alert with the unix wget client: (or fetch or curl)
>>>       wget http://www.google.com/install/ws.exe
>>>      get an alert:
>>>      06/11-16:32:23.306483  [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE
>>> Likely Rogue Antivirus Download - ws.exe [**] [Classification: A Network
>>> Trojan
>>>      was detected] [Priority: 1] {TCP} 10.50.1.40:34322 -> a.b.c.d:80
>>>       then switch it to drop, always checking whether you have packet drops
>>> or not...
>>>      watch out for the cksum...
>>>
>>> see you
>>> Rmkml
>>>
>>>
>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>>      Hello,
>>>      yes I think you're right,
>>>      what kind of easy rule can I block?
>>>
>>>      Thaaaanks
>>>
>>>      2010/6/11 rmkml <rmkml at free.fr>
>>>           Hello Anas,
>>>           following Victor's email, I think that nmap scans are a special
>>>           case, i.e. the scans open multiple sessions, which is not an easy
>>>           case to start with...
>>>           Instead, try an attack against one rule, then block it...
>>>           watch out for web browser caches...
>>>           see you
>>>           Rmkml
>>>
>>>
>>>
>>>      On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>>
>>>           Hello,
>>>
>>>           I've replaced "alert" by "drop" where we have "Nmap" rules in
>>> the emerging-scan.rules file,
>>>
>>>           but I've the same result in Nmap:
>>>
>>>           Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49
>>> Afr. centrale Ouest
>>>           Nmap scan report for 192.168.44.135
>>>           Host is up (0.00s latency).
>>>           All 1000 scanned ports on 192.168.44.135 are filtered
>>>           MAC Address: 00:0C:29:07:11:87 (VMware)
>>>           as before !!!
>>>
>>>           why the packets aren't dropped ?
>>>
>>>           These are the commands applied :
>>>           suricata -c /etc/suricata/suricata.yaml -q 0
>>>
>>>           and this is the iptables :
>>>
>>>           NFQUEUE    all  --  anywhere             anywhere
>>> NFQUEUE num 0
>>>
>>>           Chain FORWARD (policy ACCEPT)
>>>           target     prot opt source               destination
>>>
>>>           Chain OUTPUT (policy ACCEPT)
>>>           target     prot opt source               destination
>>>           NFQUEUE    all  --  anywhere             anywhere
>>> NFQUEUE num 0
>>>
>>>
>>>           Kindest regards :)
>>>
>>>           Anas
>>>
>>>           Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
>>>
>>>
>>>           2010/6/9 Victor Julien <victor at inliniac.net>
>>>                All rules might be a bit much, but in essence, yes. But be
>>> careful that
>>>                some rules might false positive.
>>>
>>>                Cheers,
>>>                Victor
>>>
>>>                Anas.B wrote:
>>>           > I've just copied the emerging rules,
>>>           >
>>>           > Should I copy snort rules also?
>>>           > Should I convert all the rules from alert to Drop?
>>>           >
>>>           >
>>>           > Thxxx
>>>           >
>>>           >
>>>           > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>           >
>>>           >     Making progress :)
>>>           >
>>>           >     Do you have drop rules? Normally a rule is "alert ip any
>>> any -> any any
>>>           >     ... " etc. but you need "drop ip any any -> any ...." Did
>>> you convert
>>>           >     your rules?
>>>           >
>>>           >     The TmqDebugList statements are debug stuff, you can
>>> ignore that.
>>>           >
>>>           >     Cheers,
>>>           >     Victor
>>>           >
>>>           >     Anas.B wrote:
>>>           >     > Thank you so much, for ur help :)
>>>           >     >
>>>           >     > this time I've these lines :
>>>           >     >
>>>           >     > 'pickup-queue', len 0
>>>           >     > TmqDebugList: id 1, name 'decode-queue1', len 0
>>>           >     > TmqDebugList: id 2, name 'stream-queue1', len 49
>>>           >     > TmqDebugList: id 3, name 'verdict-queue', len 0
>>>           >     > TmqDebugList: id 4, name 'respond-queue', len 1
>>>           >     > TmqDebugList: id 5, name 'alert-queue1', len 0
>>>           >     >
>>>           >     > after an Nmap scan
>>>           >     >
>>>           >     >
>>>           >     > after CTRL+C
>>>           >     >
>>>           >     > I've this :
>>>           >     >
>>>           >     > 4:33 - (suricata.c:1033) <Info> (main) -- signal
>>> received
>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info>
>>> (main) -- time
>>>           >     > elapsed 176s
>>>           >     > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info>
>>>           >     > (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028,
>>> Bytes 256012,
>>>           >     > Errors 0
>>>           >     > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634)
>>> <Info>
>>>           >     > (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028,
>>> Searched 0
>>>           >     (0.0).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028,
>>> Searched 4
>>>           >     (0.1).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028,
>>> Searched 0
>>>           >     (0.0).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028,
>>> Searched 0
>>>           >     (0.0).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028,
>>> Searched 0
>>>           >     (0.0).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's
>>> 0, Searched
>>>           >     0 (-nan).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's
>>> 0, Searched
>>>           >     0 (-nan).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's
>>> 0, Searched
>>>           >     0 (-nan).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's
>>> 0, Searched
>>>           >     0 (-nan).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info>
>>>           >     > (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's
>>> 0, Searched
>>>           >     0 (-nan).
>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info>
>>>           >     > (DetectExitPrintStats) -- 4 sigs per mpm match on avg
>>> needed
>>>           >     inspection,
>>>           >     > total mpm searches 2, less than 25 sigs need inspect 2,
>>> more than 100
>>>           >     > sigs need inspect 0, more than 1000 0 max 5
>>>           >     > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info>
>>>           >     > (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted
>>> 6028, dropped 0
>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256)
>>> <Info>
>>>           >     > (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304)
>>> <Info>
>>>           >     > (AlertUnifiedLogThreadDeinit) -- Alert unified1 log
>>> module wrote
>>>           >     3792 alerts
>>>           >     > [8506] 9/6/2010 -- 16:04:33 -
>>> (alert-unified-alert.c:281) <Info>
>>>           >     > (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert
>>> module wrote
>>>           >     > 3792 alerts
>>>           >     > [8506] 9/6/2010 -- 16:04:33 -
>>> (alert-unified2-alert.c:582) <Info>
>>>           >     > (Unified2AlertThreadDeinit) -- Alert unified2 module
>>> wrote 3792 alerts
>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391)
>>> <Info>
>>>           >     > (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254)
>>> <Info>
>>>           >     > (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
>>>           >     > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info>
>>>           >     (FlowManagerThread) --
>>>           >     > 6 new flows, 1000 established flows were timed out, 0
>>> flows in
>>>           >     closed state
>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info>
>>> (FlowPrintQueueInfo)
>>>           >     > -- flowbits added: 0, removed: 0, max memory usage: 0
>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info>
>>>           >     > (StreamTcpFreeConfig) -- Max memuse of stream engine
>>> 15021952 (in
>>>           >     use 0)
>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info>
>>>           >     > (SigAddressCleanupStage1) -- cleaning up signature
>>> grouping
>>>           >     structure...
>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info>
>>>           >     > (SigAddressCleanupStage1) -- cleaning up signature
>>> grouping
>>>           >     structure...
>>>           >     > done
>>>           >     >
>>>           >     >
>>>           >     > is this normal ?
>>>           >     > (just alerts no Dropped !!!!)
>>>           >     >
>>>           >     > I've done the Nmap scan from Windows
>>>           >     >
>>>           >     >
>>>           >     > Sorry for the inconvenience
>>>           >     > Cheers
>>>           >     >
>>>           >     >
>>>           >     >
>>>           >     > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>           >     >
>>>           >     >     In the config below you only send outgoing HTTP
>>> traffic to
>>>           >     Suricata. To
>>>           >     >     inspect all do:
>>>           >     >
>>>           >     >     iptables -A INPUT -j NFQUEUE
>>>           >     >     iptables -A OUTPUT -j NFQUEUE
>>>           >     >
>>>           >     >     Cheers,
>>>           >     >     Victor
>>>           >     >
>>>           >     >     Anas.B wrote:
>>>           >     >     > I didn't configure Iptables,
>>>           >     >     >
>>>           >     >     > now i have the two lines
>>>           >     >     >
>>>           >     >     > Chain INPUT (policy ACCEPT)
>>>           >     >     > target     prot opt source
>>> destination
>>>           >     >     > NFQUEUE    tcp  --  anywhere             anywhere
>>>            tcp
>>>           >     >     spt:www
>>>           >     >     > NFQUEUE num 0
>>>           >     >     >
>>>           >     >     > Chain FORWARD (policy ACCEPT)
>>>           >     >     > target     prot opt source
>>> destination
>>>           >     >     >
>>>           >     >     > Chain OUTPUT (policy ACCEPT)
>>>           >     >     > target     prot opt source
>>> destination
>>>           >     >     > NFQUEUE    tcp  --  anywhere             anywhere
>>>            tcp
>>>           >     >     dpt:www
>>>           >     >     > NFQUEUE num 0
>>>           >     >     >
>>>           >     >     > But still no alerts/Drop/reject  nmap scan
>>>           >     >     >
>>>           >     >     > Best Regards
>>>           >     >     >
>>>           >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>           >     >     >
>>>           >     >     >     In that case you'd need:
>>>           >     >     >
>>>           >     >     >     iptables -A OUTPUT -p tcp --dport 80 -j
>>> NFQUEUE
>>>           >     >     >     iptables -A INPUT -p tcp --sport 80 -j
>>> NFQUEUE
>>>           >     >     >
>>>           >     >     >     This would send outgoing http traffic (the vm
>>> browsing
>>>           >     the web) to
>>>           >     >     >     Suricata.
>>>           >     >     >
>>>           >     >     >     Cheers,
>>>           >     >     >     Victor
>>>           >     >     >
>>>           >     >     >     Anas.B wrote:
>>>           >     >     >     > No, I'm just trying this in a local virtual machine (Ubuntu).
>>>           >     >     >     >
>>>           >     >     >     > Since there is not much doc, I'm a little lost.
>>>           >     >     >     >
>>>           >     >     >     > Thanks a lot
>>>           >     >     >     >
>>>           >     >     >     >
>>>           >     >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>           >     >     >     >
>>>           >     >     >     >     Did you add the appropriate iptables
>>> rules?
>>>           >     >     >     >
>>>           >     >     >     >     For example for getting port 80 to
>>> suricata:
>>>           >     >     >     >
>>>           >     >     >     >     iptables -A FORWARD -p tcp --dport 80
>>> -j NFQUEUE
>>>           >     >     >     >
>>>           >     >     >     >     Cheers,
>>>           >     >     >     >     Victor
>>>           >     >     >     >
>>>           >     >     >     >     Anas.B wrote:
>>>           >     >     >     >     >
>>>           >     >     >     >     > Hello,
>>>           >     >     >     >     >
>>>           >     >     >     >     > I've just tested a nmap,
>>>           >     >     >     >     >
>>>           >     >     >     >     >  I noticed more unified files
>>>           >     >     >     >     > and alerts in the file fast.log
>>>           >     >     >     >     > new values in  alert-debug.log and
>>> stats.log
>>>           >     >     >     >     >
>>>           >     >     >     >     > that means it works !!
>>>           >     >     >     >     >
>>>           >     >     >     >     > But with the command ==> *# suricata
>>> -c
>>>           >     >     >     >     /etc/suricata/suricata.yaml -q 0
>>>           >     >     >     >     >
>>>           >     >     >     >     > *I have no logs,
>>>           >     >     >     >     > any suggestions
>>>           >     >     >     >     >
>>>           >     >     >     >     > thanks :)
>>>           >     >     >     >     >
>>>           >     >     >     >     >
>>>           >     >     >     >     >
>>>           >     >     >     >
>>>           >     >     >
>>>           >     >
>>>           >
>>>           >     >     >     >     > ------------------------------------------------------------------------
>>>           >     >     >     >     > _______________________________________________
>>>           >     >     >     >     > Oisf-users mailing list
>>>           >     >     >     >     > Oisf-users at openinfosecfoundation.org
>>>           >     >     >     >     > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>           >     >     >     >
>>>           >     >     >     >
>>>           >     >     >     >     --
>>>           >     >     >     >
>>> ---------------------------------------------
>>>           >     >     >     >     Victor Julien
>>>           >     >     >     >     http://www.inliniac.net/
>>>           >     >     >     >     PGP:
>>> http://www.inliniac.net/victorjulien.asc
>>>           >     >     >     >
>>> ---------------------------------------------
>>>           >     >     >     >
>>>           >     >     >     >
>>>           >     >     >
>>>           >     >     >
>>>           >     >     >
>>>           >     >     >
>>>           >     >
>>>           >     >
>>>           >     >
>>>           >     >
>>>           >
>>>           >
>>>           >
>>>           >
>>>
>>>
>
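
Added example (not part of the thread): a small Python reader for the three runs at the top of this message, pairing nmap's port state with Suricata's NFQ verdict counters. The function names are this example's own, and the reading given for the run without Suricata assumes the NFQUEUE iptables rules quoted earlier in the thread were still loaded.

```python
import re

# Sample input: lines copied from the three runs reported in the message,
# including the e-mail emphasis asterisks and the wrapped log line.
RUNS = {
    "no suricata": (
        "All 1000 scanned ports on 192.168.44.135 are filtered\n"
        "Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds\n"
    ),
    "alert rules": (
        "All 1000 scanned ports on 192.168.44.135 are closed\n"
        "Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds\n"
        "[3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info>\n"
        "(VerdictNFQThreadExitStats) -- (Verdict) Pkts *accepted 2004*, dropped *0*\n"
    ),
    "drop rules": (
        "All 1000 scanned ports on 192.168.44.135 are filtered\n"
        "Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds\n"
        "[3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info>\n"
        "(VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, *dropped 2000*\n"
    ),
}

PORTS_RE = re.compile(r"All (\d+) scanned ports on \S+ are (\w+)")
TIME_RE = re.compile(r"scanned in ([\d.]+) seconds")
VERDICT_RE = re.compile(
    r"VerdictNFQThreadExitStats.*?accepted\s+(\d+),\s+dropped\s+(\d+)", re.S)

# What each nmap state says about the probe (nmap's own definitions).
STATE_MEANING = {
    "closed": "host answered the SYN with a RST",
    "filtered": "no answer came back for the probe",
}


def parse_run(text):
    """Extract nmap's summary and Suricata's NFQ verdict counters from one run."""
    clean = text.replace("*", "")  # drop e-mail emphasis markers
    ports = PORTS_RE.search(clean)
    secs = TIME_RE.search(clean)
    verdict = VERDICT_RE.search(clean)  # absent when Suricata was not running
    return {
        "ports": int(ports.group(1)),
        "state": ports.group(2),
        "seconds": float(secs.group(1)),
        "accepted": int(verdict.group(1)) if verdict else None,
        "dropped": int(verdict.group(2)) if verdict else None,
    }


def reading(run):
    """Pair the port state with the verdict counters."""
    if run["accepted"] is None:
        # No verdict stats, so nothing was bound to the queue. Assumption: the
        # NFQUEUE rules were still loaded; the kernel then drops queued packets.
        return "no-listener" if run["state"] == "filtered" else "not-queued"
    if run["accepted"] + run["dropped"] == 0:
        return "inline-no-packets"
    if run["dropped"] == 0:
        return "inline-all-accepted"
    if run["accepted"] == 0:
        return "inline-all-dropped"
    return "inline-partial-drop"


if __name__ == "__main__":
    for name, text in RUNS.items():
        run = parse_run(text)
        print(f"{name:12} {run['state']:9} {run['seconds']:6.2f}s "
              f"accepted={run['accepted']} dropped={run['dropped']} "
              f"-> {reading(run)} ({STATE_MEANING[run['state']]})")
```

In the drop run, the "filtered" state and the 2000 dropped packets describe the same event from both ends: the probes were discarded in the queue, so nmap received no answer.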