[Oisf-users] Fwd: IPS
Anas.B
a.bouhsaina at gmail.com
Mon Jun 14 09:12:25 UTC 2010
Good morning,
I've tried this rule in a new file "facebook.rules"
drop any any -> any any (msg:"drop google"; content:"google";sid:1;)
The alert is logged, but no drops !
>> On Fri, 11 Jun 2010, Anas.B wrote:
>>
>> These are the results of my experiment:
>>> (Strange !!!)
>>>
>>> *****************************************************************************************
>>> nmap -sS 192.168.44.135 without running suricata
>>>
>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:33 Afr. centrale
>>> Ouest
>>> Nmap scan report for 192.168.44.135
>>> Host is up (0.00s latency).
>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds
>>>
>>> *****************************************************************************************
>>> nmap -sS 192.168.44.135 with suricata but without Drop rules
>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:40 Afr. centrale
>>> Ouest
>>> Nmap scan report for 192.168.44.135
>>> Host is up (0.0013s latency).
>>> All 1000 scanned ports on 192.168.44.135 are closed
>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds
>>>
>>> [3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info>
>>> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0
>>>
>>>
>>> *****************************************************************************************
>>> nmap -sS 192.168.44.135 with suricata and replacing alert by Drop
>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:45 Afr. centrale
>>> Ouest
>>> Nmap scan report for 192.168.44.135
>>> Host is up (0.00s latency).
>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
>>>
>>> [3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info>
>>> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000
>>>
>>> *****************************************************************************************
>>>
>>> What can we conclude ?? ==> [ we can't drop the Nmap scans !!! ?? ]
>>>
>>>
>>>
>>>
>>> 2010/6/11 Anas.B <a.bouhsaina at gmail.com>
>>> I don't have 2010051; here is the rule I have:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>> MALWARE Executable purporting to be .cfg file with no Referrer - Likely
>>> Malware";
>>> flow:established,to_server; content:"GET "; nocase; depth:4;
>>> content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase;
>>> pcre:"/\.cfg$/Ui";
>>> flowbits:set,ET.hidden.exe; flowbits:noalert;
>>> classtype:trojan-activity;
>>> reference:url,
>>> www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99;
>>> reference:url,doc.emergingthreats.net/2010501;
>>> reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL;
>>> sid:2010501; rev:2;)
>>>
>>> I didn't understand the cksum offload (does that mean checking the
>>> CRC on arrival against the CRC at departure??)
>>> and also the returning of compressed data!
>>>
>>> Is Snort better than Suricata?
>>>
>>>
>>>
>>> 2010/6/11 rmkml <rmkml at free.fr>
>>> search the emerging files you have to see whether you already have sid
>>> 2010051?
>>> apparently it is in a file that contains the word malware...
>>> by default suricata does not inspect the content of packets that have a
>>> bad cksum, so if you have a network card that does cksum offload, you are
>>> going to get a lot of bad cksums... you can check this with tcpdump...
>>> regarding the web browser cache, if you go to the url
>>> http://www.google.com/install/ws.exe with firefox or ie, you will get an
>>> alert with suricata, but if you refresh your browser, the browser will
>>> not actually request the url again, since it most likely has it in its
>>> cache... that is why I use wget or curl or fetch
>>> Later on you also need to watch out for web servers sending back
>>> compressed data...
>>>
>>> See you,
>>> Rmkml
>>>
>>>
>>>
>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>> Do I have to create it,
>>> or does it already exist?
>>>
>>> if so, in which file,
>>> if not, how?
>>>
>>> actually I didn't understand:
>>> - watch out for the cksum...
>>> and - watch out for the web browser cache...
>>>
>>> sorry, and thanks a lot.
>>>
>>>
>>> 2010/6/11 rmkml <rmkml at free.fr>
>>> uh, good question,
>>> an example, maybe with sid 2010051,
>>> generate an alert with the unix wget client: (or fetch or curl)
>>> wget http://www.google.com/install/ws.exe
>>> get an alert:
>>> 06/11-16:32:23.306483 [**] [1:2010051:2] ET CURRENT_EVENTS
>>> MALWARE Likely Rogue Antivirus Download - ws.exe [**] [Classification: A
>>> Network Trojan
>>> was detected] [Priority: 1] {TCP} 10.50.1.40:34322 ->
>>> a.b.c.d:80
>>> then switch it to drop, always checking whether you get packet
>>> drops or not...
>>> watch out for the cksum...
>>>
>>> See you,
>>> Rmkml
>>>
>>>
>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>> Hello,
>>> yes, I think you're right,
>>> what kind of easy rule can I block?
>>>
>>> Thaaaanks
>>>
>>> 2010/6/11 rmkml <rmkml at free.fr>
>>> Hello Anas,
>>> following Victor's email, I think nmap scans are a special case,
>>> i.e. the scans open multiple sessions, which is not an easy case
>>> to start with...
>>> Instead, try an attack against one rule, then block it...
>>> watch out for the web browser cache...
>>> See you,
>>> Rmkml
>>>
>>>
>>>
>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>>
>>> Hello,
>>>
>>> I've replaced "alert" by "drop" where we have "Nmap" rules
>>> in emerging-scan.rules file,
>>>
>>> but I've the same result in Nmap:
>>>
>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11
>>> 14:49 Afr. centrale Ouest
>>> Nmap scan report for 192.168.44.135
>>> Host is up (0.00s latency).
>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>> as before !!!
>>>
>>> why the packets aren't dropped ?
>>>
>>> These are the commands applied :
>>> suricata -c /etc/suricata/suricata.yaml -q 0
>>>
>>> and this is the iptables :
>>>
>>> NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
>>>
>>>
>>> Kindest regards :)
>>>
>>> Anas
>>>
>>> Nmap done: 1 IP address (1 host up) scanned in 23.16
>>> seconds
>>>
>>>
>>> 2010/6/9 Victor Julien <victor at inliniac.net>
>>> All rules might be a bit much, but in essence, yes.
>>> But be careful that
>>> some rules might false positive.
>>>
>>> Cheers,
>>> Victor
>>>
>>> Anas.B wrote:
>>> > I've just copied the emerging rules,
>>> >
>>> > should i copy snort rules also ?
>>> > should i convert all the rules from alert to Drop ?
>>> >
>>> >
>>> > Thxxx
>>> >
>>> >
>>> > 2010/6/9 Victor Julien <victor at inliniac.net>
>>> >
>>> > Making progress :)
>>> >
>>> > Do you have drop rules? Normally a rule is "alert ip any any -> any any
>>> > ... " etc. but you need "drop ip any any -> any ...." Did you convert
>>> > your rules?
>>> >
>>> > The TmqDebugList statements are debug stuff, you can ignore that.
>>> >
>>> > Cheers,
>>> > Victor
>>> >
>>> > Anas.B wrote:
>>> > > Thank you so much, for ur help :)
>>> > >
>>> > > this time I've these lines :
>>> > >
>>> > > 'pickup-queue', len 0
>>> > > TmqDebugList: id 1, name 'decode-queue1', len 0
>>> > > TmqDebugList: id 2, name 'stream-queue1', len 49
>>> > > TmqDebugList: id 3, name 'verdict-queue', len 0
>>> > > TmqDebugList: id 4, name 'respond-queue', len 1
>>> > > TmqDebugList: id 5, name 'alert-queue1', len 0
>>> > >
>>> > > after an Nmap scan
>>> > >
>>> > >
>>> > > after CTRL+C
>>> > >
>>> > > I've this :
>>> > >
>>> > > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
>>> > > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
>>> > > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
>>> > > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
>>> > > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
>>> > > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
>>> > > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
>>> > > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
>>> > > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... done
>>> > >
>>> > >
>>> > > is this normal ?
>>> > > (just alerts no Dropped !!!!)
>>> > >
>>> > > I've done the Nmap scan from Windows
>>> > >
>>> > >
>>> > > Sorry for the inconvenience
>>> > > Cheers
>>> > >
>>> > >
>>> > >
>>> > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>> > >
>>> > > In the config below you only send outgoing HTTP traffic to Suricata. To
>>> > > inspect all do:
>>> > >
>>> > > iptables -A INPUT -j NFQUEUE
>>> > > iptables -A OUTPUT -j NFQUEUE
>>> > >
>>> > > Cheers,
>>> > > Victor
>>> > >
>>> > > Anas.B wrote:
>>> > > > I didn't configure Iptables,
>>> > > >
>>> > > > now i have the two lines
>>> > > >
>>> > > > Chain INPUT (policy ACCEPT)
>>> > > > target     prot opt source               destination
>>> > > > NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0
>>> > > >
>>> > > > Chain FORWARD (policy ACCEPT)
>>> > > > target     prot opt source               destination
>>> > > >
>>> > > > Chain OUTPUT (policy ACCEPT)
>>> > > > target     prot opt source               destination
>>> > > > NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0
>>> > > >
>>> > > > But still no alerts/Drop/reject nmap scan
>>> > > >
>>> > > > Best Regards
>>> > > >
>>> > > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>> > > >
>>> > > > In that case you'd need:
>>> > > >
>>> > > > iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
>>> > > > iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
>>> > > >
>>> > > > This would send outgoing http traffic (the vm browsing the web) to
>>> > > > Suricata.
>>> > > >
>>> > > > Cheers,
>>> > > > Victor
>>> > > >
>>> > > > Anas.B wrote:
>>> > > > > No, I'm just trying this in local (Virtual Machine Ubuntu).
>>> > > > >
>>> > > > > since there is not much Doc, I'm a little lost.
>>> > > > >
>>> > > > > thanks a lot
>>> > > > >
>>> > > > >
>>> > > > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>> > > > >
>>> > > > > Did you add the appropriate iptables rules?
>>> > > > >
>>> > > > > For example for getting port 80 to suricata:
>>> > > > >
>>> > > > > iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
>>> > > > >
>>> > > > > Cheers,
>>> > > > > Victor
>>> > > > >
>>> > > > > Anas.B wrote:
>>> > > > > >
>>> > > > > > Hello,
>>> > > > > >
>>> > > > > > I've just tested a nmap,
>>> > > > > >
>>> > > > > > I noticed more unified files
>>> > > > > > and alerts in the file fast.log
>>> > > > > > new values in alert-debug.log and stats.log
>>> > > > > >
>>> > > > > > that means it works !!
>>> > > > > >
>>> > > > > > But with the command ==> # suricata -c /etc/suricata/suricata.yaml -q 0
>>> > > > > >
>>> > > > > > I have no logs,
>>> > > > > > any suggestions
>>> > > > > > thanks :)
>>> > > > > >
>>> > > > > >
>>> > > > > >
>>> > > > > > ------------------------------------------------------------------------
>>> > > > > >
>>> > > > > > _______________________________________________
>>> > > > > > Oisf-users mailing list
>>> > > > > > Oisf-users at openinfosecfoundation.org
>>> > > > > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> > > > >
>>> > > > >
>>> > > > > --
>>> > > > > ---------------------------------------------
>>> > > > > Victor Julien
>>> > > > > http://www.inliniac.net/
>>> > > > > PGP: http://www.inliniac.net/victorjulien.asc
>>> > > > > ---------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20100614/e5523af1/attachment-0002.html>
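
An added example, not part of the original e-mail and not Suricata project code: Python helpers that switch only selected sids from alert to drop (the caution in the thread about converting every rule) and read the NFQ verdict counters from exit output like that quoted above. The function names, sample rules and sids are constructed for illustration, and single-line rules are assumed.

```python
import re

# Verdict summary printed at exit in NFQ mode (format as quoted in the thread).
VERDICT_RE = re.compile(r"\(Verdict\) Pkts accepted (\d+), dropped (\d+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def promote_to_drop(rules_text, sids):
    """Change 'alert' to 'drop' only for enabled, single-line rules whose sid is in sids."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and line.lstrip().startswith("alert "):
            line = line.replace("alert", "drop", 1)  # first match is the action keyword
        out.append(line)
    return "\n".join(out)

def verdict_counts(log_text):
    """Return (accepted, dropped) from the last verdict line, or None if there is none."""
    flat = " ".join(log_text.split())  # undo mail-style line wrapping
    hits = VERDICT_RE.findall(flat)
    return tuple(map(int, hits[-1])) if hits else None

def diagnose(counts):
    """Map the counters to the next check discussed in the thread (an interpretation)."""
    if counts is None or counts == (0, 0):
        return "no packets reached the queue: check the iptables NFQUEUE rules"
    accepted, dropped = counts
    if dropped == 0:
        return "nothing dropped: check that rules use 'drop' and look for bad checksums"
    if accepted == 0:
        return "every packet dropped: review how broad the drop rules are"
    return "selective drops: %d of %d packets" % (dropped, accepted + dropped)

# Constructed sample rules (sids are made up, not from any real rule set).
SAMPLE_RULES = "\n".join([
    'alert tcp any any -> any any (msg:"constructed scan rule"; flags:S; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed http rule"; content:"GET "; sid:1000002; rev:1;)',
    '#alert tcp any any -> any any (msg:"constructed disabled rule"; sid:1000003; rev:1;)',
])

# Exit output as quoted in the thread, re-wrapped here the way a mail client would wrap it.
SAMPLE_LOG = """[3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info>
(VerdictNFQThreadExitStats) -- (Verdict) Pkts
accepted 2004, dropped 0
"""

if __name__ == "__main__":
    print(promote_to_drop(SAMPLE_RULES, {1000002, 1000003}))
    print(diagnose(verdict_counts(SAMPLE_LOG)))
```
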