[Oisf-users] Fwd: IPS
Will Metcalf
william.metcalf at gmail.com
Fri Jun 11 16:06:50 UTC 2010
> What can we conclude ?? ==> [ we can't drop the Nmap scans !!! ?? ]
I'm confused. Are you scanning a host with no open ports? Also is
your first command run still diverting traffic to NFQUEUE? If this is
the case then all traffic sent to the QUEUE will be dropped if you
don't have a userspace app attached to the QUEUE. Have you actually
fired up a sniffer on the target host to see if the packets are
actually making it there? With all of this said, trying to prevent
port scans with an IPS be it snort, suricata, or whatever is generally
a bad idea. Signatures and things like preprocessors that do portscan
detection tend to fp a lot. However if there is indeed a bug please
let us know. I will do some testing a bit later if you don't have the
cycles.
Regards,
Will
On Fri, Jun 11, 2010 at 10:53 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> This the results of my experience :
> (Strange !!!)
> *****************************************************************************************
> nmap -sS 192.168.44.135 without runingsuricata
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:33 Afr. centrale
> Ouest
> Nmap scan report for 192.168.44.135
> Host is up (0.00s latency).
> All 1000 scanned ports on 192.168.44.135 are filtered
> MAC Address: 00:0C:29:07:11:87 (VMware)
>
> Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds
> *****************************************************************************************
> nmap -sS 192.168.44.135 with suricata but without Drop rules
> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:40 Afr. centrale
> Ouest
> Nmap scan report for 192.168.44.135
> Host is up (0.0013s latency).
> All 1000 scanned ports on 192.168.44.135 are closed
> MAC Address: 00:0C:29:07:11:87 (VMware)
>
> Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds
>
> [3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info>
> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0
>
> *****************************************************************************************
> nmap -sS 192.168.44.135 with suricata and replacing alert by Drop
> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:45 Afr. centrale
> Ouest
> Nmap scan report for 192.168.44.135
> Host is up (0.00s latency).
> All 1000 scanned ports on 192.168.44.135 are filtered
> MAC Address: 00:0C:29:07:11:87 (VMware)
>
> Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
>
> [3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info>
> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000
> *****************************************************************************************
>
> What can we conclude ?? ==> [ we can't drop the Nmap scans !!! ?? ]
>
>
>
>
> 2010/6/11 Anas.B <a.bouhsaina at gmail.com>
>>
>> Je n'ai pas 2010051 voici la régle que j'ai :
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
>> Executable purporting to be .cfg file with no Referrer - Likely Malware";
>> flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d
>> 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui";
>> flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity;
>> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99;
>> reference:url,doc.emergingthreats.net/2010501;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL;
>> sid:2010501; rev:2;)
>>
>> je n'ai pas compris l'offload de cksum (cela veut dire , la vérification
>> de CRC d'arrivé avec le CRC du départ ??)
>> et aussi le renvoi de data compressé !
>>
>> Snort et meilleur que Suricata ?
>>
>>
>> 2010/6/11 rmkml <rmkml at free.fr>
>>>
>>> cherche dans les fichiers emerging que tu as si tu as déjà le sid
>>> 2010051?
>>> visiblement elle est dans un fichier qui contient le mot malware...
>>> suricata ne vérifie pas le contenu des packets ayant un mauvais cksum par
>>> défaut, donc si tu as une carte réseau qui fait de l'offload de cksum, alors
>>> tu vas avoir bcp de bad cksum... tu peux le vérifier avec tcpdump...
>>> concernant le cache des navigateurs web, si tu vas sur l'url
>>> http://www.google.com/install/ws.exe avec firefox ou ie, tu auras une alerte
>>> avec suricata, mais si tu fais refresh de ton navigateur, en fait le
>>> navigateur ne va pas essayer de nouveau l'url, puis il a certainement dans
>>> son cache... c'est pour cela que j'utilise wget ou curl ou fetch
>>> Plus tard il faut aussi faire attention au renvoi de data compresser des
>>> serveurs web...
>>> a+
>>> Rmkml
>>>
>>>
>>>
>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>>> Je dois la créer,
>>>> oubien elle existe déja, ?
>>>>
>>>> si oui dans quel fichier,
>>>> si nn comment ?
>>>>
>>>> en fait j'ai pas compris :
>>>> - attention au cksum...
>>>> et - attention au cache des navigatuers web...
>>>>
>>>> désolé, et merci bcp.
>>>>
>>>>
>>>> 2010/6/11 rmkml <rmkml at free.fr>
>>>> heu bonne question,
>>>> exemple peut être avec le sid 2010051,
>>>> generer une alerte avec le client wget unix: (ou fetch ou curl)
>>>> wget http://www.google.com/install/ws.exe
>>>> avoir une alerte:
>>>> 06/11-16:32:23.306483 [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE
>>>> Likely Rogue Antivirus Download - ws.exe [**] [Classification: A Network
>>>> Trojan
>>>> was detected] [Priority: 1] {TCP} 10.50.1.40:34322 -> a.b.c.d:80
>>>> puis la passer en drop tjrs vérifier si tu as des drop de packets
>>>> ou pas...
>>>> attention au cksum...
>>>>
>>>> a+
>>>> Rmkml
>>>>
>>>>
>>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>>
>>>> Bjr,
>>>> oui je crois que t'a raison,
>>>> quel genre de règle facile que je px bloquer ?
>>>>
>>>> Merciiiiii
>>>>
>>>> 2010/6/11 rmkml <rmkml at free.fr>
>>>> Bonjour Anas,
>>>> suite à l'email de Victor, et je crois que les scan nmap sont
>>>> particulier, c-a-d que les scans ouvrent de multiples sessions, ce qui n'est
>>>> pas un cas
>>>> facile pour commencer...
>>>> Essaye plus tot une attaque sur une regle, puis tu l'as
>>>> bloque... attention au cache des navigatuers web...
>>>> a+
>>>> Rmkml
>>>>
>>>>
>>>>
>>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I've replaced "alert" by"drop" where we have "Nmap" rules in
>>>> emerging-scan.rules file ,
>>>>
>>>> but I've the same result in Nmap:
>>>>
>>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49
>>>> Afr. centrale Ouest
>>>> Nmap scan report for 192.168.44.135
>>>> Host is up (0.00s latency).
>>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>> as before !!!
>>>>
>>>> why the packets aren't dropped ?
>>>>
>>>> These are the commands applied :
>>>> suricata -c /etc/suricata/suricata.yaml -q 0
>>>>
>>>> and this is the iptables :
>>>>
>>>> NFQUEUE all -- anywhere anywhere
>>>> NFQUEUE num 0
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> NFQUEUE all -- anywhere anywhere
>>>> NFQUEUE num 0
>>>>
>>>>
>>>> Kindest regards :)
>>>>
>>>> Anas
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
>>>>
>>>>
>>>> 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> All rules might be a bit much, but in essence, yes. But
>>>> be careful that
>>>> some rules might false positive.
>>>>
>>>> Cheers,
>>>> Victor
>>>>
>>>> Anas.B wrote:
>>>> > I've just coppied the emerging rules ,
>>>> >
>>>> > should i copy snort rules also ?
>>>> > should i convert all the rules from alert to Drop ?
>>>> >
>>>> >
>>>> > Thxxx
>>>> >
>>>> >
>>>> > 2010/6/9 Victor Julien <victor at inliniac.net
>>>> <mailto:victor at inliniac.net>>
>>>> >
>>>> > Making progress :)
>>>> >
>>>> > Do you have drop rules? Normally a rule is "alert ip any
>>>> any -> any any
>>>> > ... " etc. but you need "drop ip any any -> any ...."
>>>> Did you convert
>>>> > your rules?
>>>> >
>>>> > The TmqDebugList statements are debug stuff, you can
>>>> ignore that.
>>>> >
>>>> > Cheers,
>>>> > Victor
>>>> >
>>>> > Anas.B wrote:
>>>> > > Thank you so much, for ur help :)
>>>> > >
>>>> > > this time I've these lines :
>>>> > >
>>>> > > 'pickup-queue', len 0
>>>> > > TmqDebugList: id 1, name 'decode-queue1', len 0
>>>> > > TmqDebugList: id 2, name 'stream-queue1', len 49
>>>> > > TmqDebugList: id 3, name 'verdict-queue', len 0
>>>> > > TmqDebugList: id 4, name 'respond-queue', len 1
>>>> > > TmqDebugList: id 5, name 'alert-queue1', len 0
>>>> > >
>>>> > > after an Nmap scan
>>>> > >
>>>> > >
>>>> > > after CTRL+C
>>>> > >
>>>> > > I've this :
>>>> > >
>>>> > > 4:33 - (suricata.c:1033) <Info> (main) -- signal
>>>> received
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info>
>>>> (main) -- time
>>>> > > elapsed 176s
>>>> > > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522)
>>>> <Info>
>>>> > > (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028,
>>>> Bytes 256012,
>>>> > > Errors 0
>>>> > > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634)
>>>> <Info>
>>>> > > (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028,
>>>> Searched 0
>>>> > (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028,
>>>> Searched 4
>>>> > (0.1).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028,
>>>> Searched 0
>>>> > (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028,
>>>> Searched 0
>>>> > (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028,
>>>> Searched 0
>>>> > (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's
>>>> 0, Searched
>>>> > 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's
>>>> 0, Searched
>>>> > 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's
>>>> 0, Searched
>>>> > 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's
>>>> 0, Searched
>>>> > 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info>
>>>> > > (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's
>>>> 0, Searched
>>>> > 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info>
>>>> > > (DetectExitPrintStats) -- 4 sigs per mpm match on avg
>>>> needed
>>>> > inspection,
>>>> > > total mpm searches 2, less than 25 sigs need inspect
>>>> 2, more than 100
>>>> > > sigs need inspect 0, more than 1000 0 max 5
>>>> > > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533)
>>>> <Info>
>>>> > > (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted
>>>> 6028, dropped 0
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256)
>>>> <Info>
>>>> > > (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
>>>> > > [8506] 9/6/2010 -- 16:04:33 -
>>>> (alert-unified-log.c:304) <Info>
>>>> > > (AlertUnifiedLogThreadDeinit) -- Alert unified1 log
>>>> module wrote
>>>> > 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 -
>>>> (alert-unified-alert.c:281) <Info>
>>>> > > (AlertUnifiedAlertThreadDeinit) -- Alert unified1
>>>> alert module wrote
>>>> > > 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 -
>>>> (alert-unified2-alert.c:582) <Info>
>>>> > > (Unified2AlertThreadDeinit) -- Alert unified2 module
>>>> wrote 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391)
>>>> <Info>
>>>> > > (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests
>>>> 0
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254)
>>>> <Info>
>>>> > > (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
>>>> > > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info>
>>>> > (FlowManagerThread) --
>>>> > > 6 new flows, 1000 established flows were timed out, 0
>>>> flows in
>>>> > closed state
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info>
>>>> (FlowPrintQueueInfo)
>>>> > > -- flowbits added: 0, removed: 0, max memory usage: 0
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365)
>>>> <Info>
>>>> > > (StreamTcpFreeConfig) -- Max memuse of stream engine
>>>> 15021952 (in
>>>> > use 0)
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info>
>>>> > > (SigAddressCleanupStage1) -- cleaning up signature
>>>> grouping
>>>> > structure...
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info>
>>>> > > (SigAddressCleanupStage1) -- cleaning up signature
>>>> grouping
>>>> > structure...
>>>> > > done
>>>> > >
>>>> > >
>>>> > > is this normal ?
>>>> > > (just alerts no Dropped !!!!)
>>>> > >
>>>> > > I've done the Nmap scan from Windows
>>>> > >
>>>> > >
>>>> > > Sorry for the inconvenience
>>>> > > Cheers
>>>> > >
>>>> > >
>>>> > >
>>>> > > 2010/6/9 Victor Julien <victor at inliniac.net
>>>> > <mailto:victor at inliniac.net> <mailto:victor at inliniac.net
>>>> > <mailto:victor at inliniac.net>>>
>>>> > >
>>>> > > In the config below you only send outgoing HTTP
>>>> traffic to
>>>> > Suricata. To
>>>> > > inspect all do:
>>>> > >
>>>> > > iptables -A INPUT -j NFQUEUE
>>>> > > iptables -A OUTPUT -j NFQUEUE
>>>> > >
>>>> > > Cheers,
>>>> > > Victor
>>>> > >
>>>> > > Anas.B wrote:
>>>> > > > I didn't configure Iptables,
>>>> > > >
>>>> > > > now i have the two lines
>>>> > > >
>>>> > > > Chain INPUT (policy ACCEPT)
>>>> > > > target prot opt source
>>>> destination
>>>> > > > NFQUEUE tcp -- anywhere
>>>> anywhere tcp
>>>> > > spt:www
>>>> > > > NFQUEUE num 0
>>>> > > >
>>>> > > > Chain FORWARD (policy ACCEPT)
>>>> > > > target prot opt source
>>>> destination
>>>> > > >
>>>> > > > Chain OUTPUT (policy ACCEPT)
>>>> > > > target prot opt source
>>>> destination
>>>> > > > NFQUEUE tcp -- anywhere
>>>> anywhere tcp
>>>> > > dpt:www
>>>> > > > NFQUEUE num 0
>>>> > > >
>>>> > > > But still no alerts/Drop/reject nmap scan
>>>> > > >
>>>> > > > Best Regards
>>>> > > >
>>>> > > > 2010/6/9 Victor Julien <victor at inliniac.net
>>>> > <mailto:victor at inliniac.net>
>>>> > > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>>
>>>> > <mailto:victor at inliniac.net <mailto:victor at inliniac.net>
>>>> > > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>>>>
>>>> > > >
>>>> > > > In that case you'd need:
>>>> > > >
>>>> > > > iptables -A OUTPUT -p tcp --dport 80 -j
>>>> NFQUEUE
>>>> > > > iptables -A INPUT -p tcp --sport 80 -j
>>>> NFQUEUE
>>>> > > >
>>>> > > > This would send outgoing http traffic (the
>>>> vm browsing
>>>> > the web) to
>>>> > > > Suricata.
>>>> > > >
>>>> > > > Cheers,
>>>> > > > Victor
>>>> > > >
>>>> > > > Anas.B wrote:
>>>> > > > > No, I'm just trying this in local Virtual
>>>> Machine Ubuntu).
>>>> > > > >
>>>> > > > > since there is no much Doc, i'm a little
>>>> lost.
>>>> > > > >
>>>> > > > > thaks a lot
>>>> > > > >
>>>> > > > >
>>>> > > > > 2010/6/9 Victor Julien
>>>> <victor at inliniac.net
>>>> > <mailto:victor at inliniac.net>
>>>> > > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>>
>>>> > > > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>
>>>> > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>>>
>>>> > > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>
>>>> > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>>
>>>> > > > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>
>>>> > <mailto:victor at inliniac.net
>>>> <mailto:victor at inliniac.net>>>>>
>>>> > > > >
>>>> > > > > Did you add the appropriate iptables
>>>> rules?
>>>> > > > >
>>>> > > > > For example for getting port 80 to
>>>> suricata:
>>>> > > > >
>>>> > > > > iptables -A FORWARD -p tcp --dport 80
>>>> -j NFQUEUE
>>>> > > > >
>>>> > > > > Cheers,
>>>> > > > > Victor
>>>> > > > >
>>>> > > > > Anas.B wrote:
>>>> > > > > >
>>>> > > > > > Hello,
>>>> > > > > >
>>>> > > > > > I've just tested a nmap,
>>>> > > > > >
>>>> > > > > > I noticed more unified files
>>>> > > > > > and alerts in the file fast.log
>>>> > > > > > new values in alert-debug.log and
>>>> stats.log
>>>> > > > > >
>>>> > > > > > that means it works !!
>>>> > > > > >
>>>> > > > > > But with the command ==> *# suricata
>>>> -c
>>>> > > > > /etc/suricata/suricata.yaml -q 0
>>>> > > > > >
>>>> > > > > > *I have no logs,
>>>> > > > > > any suggestions
>>>> > > > > >
>>>> > > > > > thanks :)
>>>> > > > > >
>>>> > > > > >
>>>> > > > > >
>>>> > > > >
>>>> > > >
>>>> > >
>>>> >
>>>> ------------------------------------------------------------------------
>>>> > > > > >
>>>> > > > > >
>>>> _______________________________________________
>>>> > > > > > Oisf-users mailing list
>>>> > > > > > Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>
>>>> > > <mailto:Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>>
>>>> > > > <mailto:Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>
>>>> > > <mailto:Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>>>
>>>> > > > >
>>>> <mailto:Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>
>>>> > > <mailto:Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>>
>>>> > > > <mailto:Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>
>>>> > > <mailto:Oisf-users at openinfosecfoundation.org
>>>> > <mailto:Oisf-users at openinfosecfoundation.org>>>>
>>>> > > > > >
>>>> > > >
>>>> >
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> > > > >
>>>> > > > >
>>>> > > > > --
>>>> > > > >
>>>> ---------------------------------------------
>>>> > > > > Victor Julien
>>>> > > > > http://www.inliniac.net/
>>>> > > > > PGP:
>>>> http://www.inliniac.net/victorjulien.asc
>>>> > > > >
>>>> ---------------------------------------------
>>>> > > > >
>>>> > > > >
>>>> > > >
>>>> > > >
>>>> > > > --
>>>> > > >
>>>> ---------------------------------------------
>>>> > > > Victor Julien
>>>> > > > http://www.inliniac.net/
>>>> > > > PGP:
>>>> http://www.inliniac.net/victorjulien.asc
>>>> > > >
>>>> ---------------------------------------------
>>>> > > >
>>>> > > >
>>>> > >
>>>> > >
>>>> > > --
>>>> > > ---------------------------------------------
>>>> > > Victor Julien
>>>> > > http://www.inliniac.net/
>>>> > > PGP: http://www.inliniac.net/victorjulien.asc
>>>> > > ---------------------------------------------
>>>> > >
>>>> > >
>>>> >
>>>> >
>>>> > --
>>>> > ---------------------------------------------
>>>> > Victor Julien
>>>> > http://www.inliniac.net/
>>>> > PGP: http://www.inliniac.net/victorjulien.asc
>>>> > ---------------------------------------------
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> ---------------------------------------------
>>>> Victor Julien
>>>> http://www.inliniac.net/
>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>> ---------------------------------------------
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
More information about the Oisf-users
mailing list