[Oisf-users] Fwd: IPS

Pablo pablo.rincon.crespo at gmail.com
Fri Jun 11 16:13:38 UTC 2010


Well, drop != reject.
I think it's working correctly. Not sure, but I think it says "filtered"
because Suricata drops the packet and nmap never receives a response saying the
port is open or closed. Let's say it sends a SYN and gets no SYN/ACK or RST in
response (nmap -sS expects an RST reply on closed ports). So it
doesn't know the state, but knows that something blocked either the send or
the response, and says "filtered".

To ensure that it's working, another test would be to create a rule for
a web page, or do a small test with netcat:
drop ip any any -> any any (msg:"drop google"; content:"google"; sid:1;)
then try to fetch a Google web page, with wget "http://www.google.com" for
example, or with your favorite browser.

You can also run some tests with netcat. On one terminal:
nc -l -p 12345
that should listen on port 12345.

Then, on another terminal at the same time, connect to it:
nc localhost 12345

then try to send some text and check whether the word "google" reaches the
destination.

Good luck with it.


2010/6/11 Will Metcalf <william.metcalf at gmail.com>

> > What can we conclude ?? ==>  [ we can't drop the Nmap scans !!! ?? ]
>
> I'm confused.  Are you scanning a host with no open ports?  Also is
> your first command run still diverting traffic to NFQUEUE? If this is
> the case then all traffic sent to the QUEUE will be dropped if you
> don't have a userspace app attached to the QUEUE.  Have you actually
> fired up a sniffer on the target host to see if the packets are
> actually making it there?  With all of this said, trying to prevent
> port scans with an IPS be it snort, suricata, or whatever is generally
> a bad idea.  Signatures and things like preprocessors that do portscan
> detection tend to fp a lot.  However if there is indeed a bug please
> let us know.  I will do some testing a bit later if you don't have the
> cycles.
>
> Regards,
>
> Will
>
> On Fri, Jun 11, 2010 at 10:53 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> > These are the results of my experiment:
> > (Strange!!!)
> >
> *****************************************************************************************
> > nmap -sS 192.168.44.135  without running suricata
> >
> > Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:33 Afr. centrale
> > Ouest
> > Nmap scan report for 192.168.44.135
> > Host is up (0.00s latency).
> > All 1000 scanned ports on 192.168.44.135 are filtered
> > MAC Address: 00:0C:29:07:11:87 (VMware)
> >
> > Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds
> >
> *****************************************************************************************
> > nmap -sS 192.168.44.135  with suricata but without Drop rules
> > Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:40 Afr. centrale
> > Ouest
> > Nmap scan report for 192.168.44.135
> > Host is up (0.0013s latency).
> > All 1000 scanned ports on 192.168.44.135 are closed
> > MAC Address: 00:0C:29:07:11:87 (VMware)
> >
> > Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds
> >
> > [3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0
> >
> >
> *****************************************************************************************
> > nmap -sS 192.168.44.135  with suricata and replacing alert by Drop
> > Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:45 Afr. centrale
> > Ouest
> > Nmap scan report for 192.168.44.135
> > Host is up (0.00s latency).
> > All 1000 scanned ports on 192.168.44.135 are filtered
> > MAC Address: 00:0C:29:07:11:87 (VMware)
> >
> > Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
> >
> > [3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000
> >
> *****************************************************************************************
> >
> > What can we conclude ?? ==>  [ we can't drop the Nmap scans !!! ?? ]
> >
> >
> >
> >
> > 2010/6/11 Anas.B <a.bouhsaina at gmail.com>
> >>
> >> I don't have 2010051; here is the rule I have:
> >>
> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010501; rev:2;)
> >>
> >> I didn't understand the cksum offload (does that mean checking the CRC on
> >> arrival against the CRC at departure??)
> >> and also the sending back of compressed data!
> >>
> >> Is Snort better than Suricata?
> >>
> >>
> >> 2010/6/11 rmkml <rmkml at free.fr>
> >>>
> >>> search the emerging files you have to see whether you already have sid
> >>> 2010051?
> >>> apparently it's in a file whose name contains the word malware...
> >>> by default suricata does not inspect the content of packets with a bad
> >>> cksum, so if you have a network card that does cksum offload, then you
> >>> will see a lot of bad cksums... you can check this with tcpdump...
> >>> regarding web browser caches, if you go to the url
> >>> http://www.google.com/install/ws.exe with firefox or ie, you will get an
> >>> alert with suricata, but if you refresh your browser, the browser will not
> >>> actually retry the url, since it surely has it in its cache... that's why
> >>> I use wget or curl or fetch
> >>> Later on you also have to watch out for web servers sending back
> >>> compressed data...
> >>> Cheers,
> >>> Rmkml
> >>>
> >>>
> >>>
> >>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>
> >>>> Do I have to create it,
> >>>> or does it already exist?
> >>>>
> >>>> if so, in which file,
> >>>> if not, how?
> >>>>
> >>>> actually I didn't understand:
> >>>> - watch out for the cksum...
> >>>> and       - watch out for web browser caches...
> >>>>
> >>>> sorry, and thanks a lot.
> >>>>
> >>>>
> >>>> 2010/6/11 rmkml <rmkml at free.fr>
> >>>>      um, good question,
> >>>>      for example, maybe with sid 2010051,
> >>>>      generate an alert with the unix wget client (or fetch or curl):
> >>>>       wget http://www.google.com/install/ws.exe
> >>>>      and get an alert:
> >>>>      06/11-16:32:23.306483  [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.50.1.40:34322 -> a.b.c.d:80
> >>>>       then switch it to drop, and always check whether you get packet
> >>>> drops or not...
> >>>>      watch out for the cksum...
> >>>>
> >>>> Cheers,
> >>>> Rmkml
> >>>>
> >>>>
> >>>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>>      Hi,
> >>>>      yes, I think you're right,
> >>>>      what kind of easy rule could I block?
> >>>>
> >>>>      Thanksssss
> >>>>
> >>>>      2010/6/11 rmkml <rmkml at free.fr>
> >>>>           Hello Anas,
> >>>>           following Victor's email, I think nmap scans are a special
> >>>> case, i.e. the scans open multiple sessions, which is not an easy case
> >>>>           to start with...
> >>>>           Try instead an attack that matches one rule, then block
> >>>> it... watch out for web browser caches...
> >>>>           Cheers,
> >>>>           Rmkml
> >>>>
> >>>>
> >>>>
> >>>>      On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>>
> >>>>           Hello,
> >>>>
> >>>>           I've replaced "alert" by "drop" where we have "Nmap" rules in
> >>>> the emerging-scan.rules file,
> >>>>
> >>>>           but I've the same result in Nmap:
> >>>>
> >>>>           Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49
> >>>> Afr. centrale Ouest
> >>>>           Nmap scan report for 192.168.44.135
> >>>>           Host is up (0.00s latency).
> >>>>           All 1000 scanned ports on 192.168.44.135 are filtered
> >>>>           MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>           as before !!!
> >>>>
> >>>>           why the packets aren't dropped ?
> >>>>
> >>>>           These are the commands applied :
> >>>>           suricata -c /etc/suricata/suricata.yaml -q 0
> >>>>
> >>>>           and this is the iptables :
> >>>>
> >>>>           NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> >>>>
> >>>>           Chain FORWARD (policy ACCEPT)
> >>>>           target     prot opt source               destination
> >>>>
> >>>>           Chain OUTPUT (policy ACCEPT)
> >>>>           target     prot opt source               destination
> >>>>           NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> >>>>
> >>>>
> >>>>           Kindest regards :)
> >>>>
> >>>>           Anas
> >>>>
> >>>>           Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
> >>>>
> >>>>
> >>>>           2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>                All rules might be a bit much, but in essence, yes. But
> >>>> be careful that
> >>>>                some rules might false positive.
> >>>>
> >>>>                Cheers,
> >>>>                Victor
> >>>>
> >>>>                Anas.B wrote:
> >>>>           > I've just copied the emerging rules,
> >>>>           >
> >>>>           > should i copy snort rules also ?
> >>>>           > should i convert all the rules from alert to Drop ?
> >>>>           >
> >>>>           >
> >>>>           > Thxxx
> >>>>           >
> >>>>           >
> >>>>           > 2010/6/9 Victor Julien <victor at inliniac.net
> >>>> <mailto:victor at inliniac.net>>
> >>>>           >
> >>>>           >     Making progress :)
> >>>>           >
> >>>>           >     Do you have drop rules? Normally a rule is "alert ip any any -> any any
> >>>>           >     ... " etc. but you need "drop ip any any -> any ...." Did you convert
> >>>>           >     your rules?
> >>>>           >
> >>>>           >     The TmqDebugList statements are debug stuff, you can
> >>>> ignore that.
> >>>>           >
> >>>>           >     Cheers,
> >>>>           >     Victor
> >>>>           >
> >>>>           >     Anas.B wrote:
> >>>>           >     > Thank you so much, for ur help :)
> >>>>           >     >
> >>>>           >     > this time I've these lines :
> >>>>           >     >
> >>>>           >     > 'pickup-queue', len 0
> >>>>           >     > TmqDebugList: id 1, name 'decode-queue1', len 0
> >>>>           >     > TmqDebugList: id 2, name 'stream-queue1', len 49
> >>>>           >     > TmqDebugList: id 3, name 'verdict-queue', len 0
> >>>>           >     > TmqDebugList: id 4, name 'respond-queue', len 1
> >>>>           >     > TmqDebugList: id 5, name 'alert-queue1', len 0
> >>>>           >     >
> >>>>           >     > after an Nmap scan
> >>>>           >     >
> >>>>           >     >
> >>>>           >     > after CTRL+C
> >>>>           >     >
> >>>>           >     > I've this :
> >>>>           >     >
> >>>>           >     > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
> >>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
> >>>>           >     > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
> >>>>           >     > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
> >>>>           >     > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
> >>>>           >     > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
> >>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
> >>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
> >>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
> >>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
> >>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
> >>>>           >     > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
> >>>>           >     > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
> >>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
> >>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
> >>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> >>>>           >     > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> >>>>           >     > done
> >>>>           >     >
> >>>>           >     >
> >>>>           >     > is this normal ?
> >>>>           >     > (just alerts no Dropped !!!!)
> >>>>           >     >
> >>>>           >     > I've done the Nmap scan from Windows
> >>>>           >     >
> >>>>           >     >
> >>>>           >     > Sorry for the inconvenience
> >>>>           >     > Cheers
> >>>>           >     >
> >>>>           >     >
> >>>>           >     >
> >>>>           >     > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>           >     >
> >>>>           >     >     In the config below you only send outgoing HTTP traffic to
> >>>>           >     >     Suricata. To inspect all do:
> >>>>           >     >
> >>>>           >     >     iptables -A INPUT -j NFQUEUE
> >>>>           >     >     iptables -A OUTPUT -j NFQUEUE
> >>>>           >     >
> >>>>           >     >     Cheers,
> >>>>           >     >     Victor
> >>>>           >     >
> >>>>           >     >     Anas.B wrote:
> >>>>           >     >     > I didn't configure Iptables,
> >>>>           >     >     >
> >>>>           >     >     > now i have the two lines
> >>>>           >     >     >
> >>>>           >     >     > Chain INPUT (policy ACCEPT)
> >>>>           >     >     > target     prot opt source               destination
> >>>>           >     >     > NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0
> >>>>           >     >     >
> >>>>           >     >     > Chain FORWARD (policy ACCEPT)
> >>>>           >     >     > target     prot opt source               destination
> >>>>           >     >     >
> >>>>           >     >     > Chain OUTPUT (policy ACCEPT)
> >>>>           >     >     > target     prot opt source               destination
> >>>>           >     >     > NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0
> >>>>           >     >     > But still no alerts/Drop/reject  nmap scan
> >>>>           >     >     >
> >>>>           >     >     > Best Regards
> >>>>           >     >     >
> >>>>           >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>           >     >     >
> >>>>           >     >     >     In that case you'd need:
> >>>>           >     >     >
> >>>>           >     >     >     iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
> >>>>           >     >     >     iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
> >>>>           >     >     >
> >>>>           >     >     >     This would send outgoing http traffic (the vm browsing
> >>>>           >     >     >     the web) to Suricata.
> >>>>           >     >     >
> >>>>           >     >     >     Cheers,
> >>>>           >     >     >     Victor
> >>>>           >     >     >
> >>>>           >     >     >     Anas.B wrote:
> >>>>           >     >     >     > No, I'm just trying this in a local Virtual Machine (Ubuntu).
> >>>>           >     >     >     >
> >>>>           >     >     >     > since there is not much Doc, I'm a little lost.
> >>>>           >     >     >     >
> >>>>           >     >     >     > thanks a lot
> >>>>           >     >     >     >
> >>>>           >     >     >     >
> >>>>           >     >     >     > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>>           >     >     >     >
> >>>>           >     >     >     >     Did you add the appropriate iptables rules?
> >>>>           >     >     >     >
> >>>>           >     >     >     >     For example for getting port 80 to suricata:
> >>>>           >     >     >     >
> >>>>           >     >     >     >     iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
> >>>>           >     >     >     >
> >>>>           >     >     >     >     Cheers,
> >>>>           >     >     >     >     Victor
> >>>>           >     >     >     >
> >>>>           >     >     >     >     Anas.B wrote:
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     > Hello,
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     > I've just tested an nmap,
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     > I noticed more unified files
> >>>>           >     >     >     >     > and alerts in the file fast.log
> >>>>           >     >     >     >     > new values in alert-debug.log and stats.log
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     > that means it works!!
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     > But with the command ==> # suricata -c /etc/suricata/suricata.yaml -q 0
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     > I have no logs,
> >>>>           >     >     >     >     > any suggestions
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     > thanks :)
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >     >
> >>>>           >     >     >     >
> >>>>           >     >     >
> >>>>           >     >
> >>>>           >
> >>>>
> >>>>           >     >     >     >     > ------------------------------------------------------------------------
> >>>>           >     >     >     >     > _______________________________________________
> >>>>           >     >     >     >     > Oisf-users mailing list
> >>>>           >     >     >     >     > Oisf-users at openinfosecfoundation.org
> >>>>           >     >     >     >     > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>>>           >     >     >     >
> >>>>           >     >     >     >
> >>>>           >     >     >     >     --
> >>>>           >     >     >     >     ---------------------------------------------
> >>>>           >     >     >     >     Victor Julien
> >>>>           >     >     >     >     http://www.inliniac.net/
> >>>>           >     >     >     >     PGP: http://www.inliniac.net/victorjulien.asc
> >>>>           >     >     >     >     ---------------------------------------------
> >>>>           >     >     >     >
> >>>>           >     >     >     >
> >>>>           >     >     >
> >>>>           >     >     >
> >>>>           >     >     >
> >>>>           >     >     >
> >>>>           >     >
> >>>>           >     >
> >>>>           >     >
> >>>>           >     >
> >>>>           >
> >>>>           >
> >>>>           >
> >>>>           >
> >>>>
> >>>>
> >>>>
> >>
> >
> >



-- 
Best regards,
--
Pablo Rincón Crespo
Security researcher and developer
Open Information Security Foundation (OISF)
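As an added example, not code from this thread or from the Suricata project: the three nmap runs Anas posted, read the way Pablo and Will read them. It parses nmap's one-line port summary and the "(Verdict) Pkts accepted N, dropped M" line Suricata prints from source-nfq.c on exit, then says which of three situations the pair describes: NFQUEUE rules loaded with nothing attached to the queue (the kernel drops every queued packet, so "filtered" proves nothing about Suricata), Suricata accepting everything (the target's RSTs reach nmap and the ports show "closed"), or Suricata dropping everything (drop, not reject, so no RST and nmap reports "filtered"). The sample lines are copied from the thread; the run labels, the function names and the nfqueue_rules_loaded flag are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The two lines that matter in the thread: nmap's port summary and the
# NFQ verdict exit stats Suricata prints from source-nfq.c.
NMAP_SUMMARY = re.compile(r"All (\d+) scanned ports on (\S+) are (open|closed|filtered)")
NFQ_VERDICT = re.compile(r"\(Verdict\) Pkts accepted (\d+), dropped (\d+)")


@dataclass
class InlineRun:
    """One nmap -sS run against the host carrying the NFQUEUE rules."""
    name: str
    nmap_output: str
    suricata_log: str = ""             # empty when Suricata was not started
    nfqueue_rules_loaded: bool = True  # iptables ... -j NFQUEUE still in place? (assumption)


def nmap_state(output: str) -> Optional[str]:
    """Return the state nmap reported for all scanned ports, or None if absent."""
    m = NMAP_SUMMARY.search(output)
    return m.group(3) if m else None


def nfq_verdicts(log: str) -> Optional[Tuple[int, int]]:
    """Return (accepted, dropped) from Suricata's verdict exit stats, or None."""
    m = NFQ_VERDICT.search(log)
    return (int(m.group(1)), int(m.group(2))) if m else None


def diagnose(run: InlineRun) -> str:
    """Explain the nmap result in terms of what happened on the NFQUEUE."""
    state = nmap_state(run.nmap_output)
    verdicts = nfq_verdicts(run.suricata_log)
    if verdicts is None:
        if run.nfqueue_rules_loaded and state == "filtered":
            # Will's point: packets queued to NFQUEUE with no userspace
            # consumer attached are dropped by the kernel itself.
            return "no-listener: NFQUEUE rules loaded but nothing attached, kernel drops every queued packet"
        return "uninspected: no verdict stats, traffic did not pass through Suricata"
    accepted, dropped = verdicts
    total = accepted + dropped
    if dropped == 0 and state == "closed":
        # Suricata accepted everything, so the target's RSTs reached nmap.
        return f"pass-through: {accepted} packets accepted, RSTs reached nmap, ports report closed"
    if accepted == 0 and dropped > 0 and state == "filtered":
        # Pablo's point: drop != reject. A dropped SYN gets neither SYN/ACK
        # nor RST, and nmap -sS reports that silence as "filtered".
        return f"dropping: all {dropped} packets dropped silently, nmap sees filtered (drop != reject)"
    if 0 < dropped < total:
        return f"partial: {dropped} of {total} packets dropped, nmap state {state}"
    return f"inconsistent: nmap={state}, accepted={accepted}, dropped={dropped}"


# Constructed sample input: the nmap summaries and Suricata exit-stats lines
# are copied from the three runs posted in this thread; the run names and
# the nfqueue_rules_loaded flags are this example's own assumptions.
RUNS = [
    InlineRun(
        name="no suricata, NFQUEUE rules still loaded",
        nmap_output="All 1000 scanned ports on 192.168.44.135 are filtered\n",
    ),
    InlineRun(
        name="suricata, alert rules only",
        nmap_output="All 1000 scanned ports on 192.168.44.135 are closed\n",
        suricata_log="(VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0\n",
    ),
    InlineRun(
        name="suricata, alert replaced by drop",
        nmap_output="All 1000 scanned ports on 192.168.44.135 are filtered\n",
        suricata_log="(VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000\n",
    ),
]

if __name__ == "__main__":
    for run in RUNS:
        print(f"{run.name}: {diagnose(run)}")
```

The first run is the one that misleads: with the iptables NFQUEUE rules in place and no Suricata process bound to queue 0, the kernel drops the queued packets, and nmap's "filtered" is indistinguishable from the drop-rule case until the Suricata verdict counters are read alongside it. Run the block directly to print one diagnosis per run.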