[Oisf-users] Fwd: IPS
Anas.B
a.bouhsaina at gmail.com
Mon Jun 14 09:21:12 UTC 2010
I remind you that I'm running Suricata in VMware Workstation,
and these are the tables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- anywhere anywhere NFQUEUE num 0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE all -- anywhere anywhere NFQUEUE num 0
Best regards
2010/6/14 Anas.B <a.bouhsaina at gmail.com>
> Good morning,
>
> I've tried this rule in a new file "facebook.rules"
>
> drop any any -> any any (msg:"drop google"; content:"google";sid:1;)
>
> The alert is logged, but no drops !
>
>
>
>
>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>
>>> These are the results of my experience:
>>>> (Strange !!!)
>>>>
>>>> *****************************************************************************************
>>>> nmap -sS 192.168.44.135 without running Suricata
>>>>
>>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:33 Afr. centrale Ouest
>>>> Nmap scan report for 192.168.44.135
>>>> Host is up (0.00s latency).
>>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds
>>>>
>>>> *****************************************************************************************
>>>> nmap -sS 192.168.44.135 with suricata but without Drop rules
>>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:40 Afr. centrale Ouest
>>>> Nmap scan report for 192.168.44.135
>>>> Host is up (0.0013s latency).
>>>> All 1000 scanned ports on 192.168.44.135 are closed
>>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds
>>>>
>>>> [3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0
>>>>
>>>>
>>>> *****************************************************************************************
>>>> nmap -sS 192.168.44.135 with suricata and replacing alert by Drop
>>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:45 Afr. centrale Ouest
>>>> Nmap scan report for 192.168.44.135
>>>> Host is up (0.00s latency).
>>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
>>>>
>>>> [3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000
>>>>
>>>> *****************************************************************************************
>>>>
>>>> What can we conclude ?? ==> [ we can't drop the Nmap scans !!! ?? ]
>>>>
>>>>
>>>>
>>>>
>>>> 2010/6/11 Anas.B <a.bouhsaina at gmail.com>
>>>> I don't have 2010051; here is the rule I have:
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010501; rev:2;)
>>>>
>>>> I didn't understand checksum offload (does that mean checking the CRC on arrival against the CRC at departure??)
>>>> and also the sending back of compressed data!
>>>>
>>>> Is Snort better than Suricata?
>>>>
>>>>
>>>>
>>>> 2010/6/11 rmkml <rmkml at free.fr>
>>>> Search the emerging files you have to see whether you already have sid 2010051?
>>>> Apparently it is in a file that contains the word malware...
>>>> By default Suricata does not inspect the content of packets that have a bad checksum, so if you have a network card that does checksum offload, you are going to see a lot of bad checksums... you can check this with tcpdump...
>>>> Regarding the web browser cache: if you go to the URL http://www.google.com/install/ws.exe with Firefox or IE, you will get an alert from Suricata, but if you refresh your browser, the browser will not actually request the URL again, since it certainly has it in its cache... that is why I use wget or curl or fetch.
>>>> Later on you will also have to watch out for web servers sending back compressed data...
>>>>
>>>> See you,
>>>> Rmkml
>>>>
>>>>
>>>>
>>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>>
>>>> Do I have to create it,
>>>> or does it already exist?
>>>>
>>>> If so, in which file?
>>>> If not, how?
>>>>
>>>> Actually, I didn't understand:
>>>> - watch out for the checksum...
>>>> and - watch out for the web browser cache...
>>>>
>>>> Sorry, and thanks a lot.
>>>>
>>>>
>>>> 2010/6/11 rmkml <rmkml at free.fr>
>>>> Er, good question,
>>>> an example, perhaps with sid 2010051:
>>>> generate an alert with the Unix wget client (or fetch or curl):
>>>> wget http://www.google.com/install/ws.exe
>>>> get an alert:
>>>> 06/11-16:32:23.306483 [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.50.1.40:34322 -> a.b.c.d:80
>>>> then switch it to drop, and always check whether you get packet drops or not...
>>>> watch out for the checksum...
>>>>
>>>> See you,
>>>> Rmkml
>>>>
>>>>
>>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>>
>>>> Hello,
>>>> yes, I think you're right,
>>>> what kind of easy rule can I block?
>>>>
>>>> Thanks
>>>>
>>>> 2010/6/11 rmkml <rmkml at free.fr>
>>>> Hello Anas,
>>>> following up on Victor's email: I think nmap scans are a special case, i.e. the scans open multiple sessions, which is not an easy case to start with...
>>>> Rather, try an attack against one rule, then block it... watch out for the web browser cache...
>>>> See you,
>>>> Rmkml
>>>>
>>>>
>>>>
>>>> On Fri, 11 Jun 2010, Anas.B wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I've replaced "alert" with "drop" where we have "Nmap" rules in the emerging-scan.rules file,
>>>>
>>>> but I have the same result in Nmap:
>>>>
>>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49 Afr. centrale Ouest
>>>> Nmap scan report for 192.168.44.135
>>>> Host is up (0.00s latency).
>>>> All 1000 scanned ports on 192.168.44.135 are filtered
>>>> MAC Address: 00:0C:29:07:11:87 (VMware)
>>>> as before !!!
>>>>
>>>> Why aren't the packets dropped?
>>>>
>>>> These are the commands applied:
>>>> suricata -c /etc/suricata/suricata.yaml -q 0
>>>>
>>>> and this is the iptables:
>>>>
>>>> NFQUEUE all -- anywhere anywhere NFQUEUE num 0
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target prot opt source destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target prot opt source destination
>>>> NFQUEUE all -- anywhere anywhere NFQUEUE num 0
>>>>
>>>>
>>>> Kindest regards :)
>>>>
>>>> Anas
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
>>>>
>>>>
>>>> 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> All rules might be a bit much, but in essence, yes. But be careful that some rules might false positive.
>>>>
>>>> Cheers,
>>>> Victor
>>>>
>>>> Anas.B wrote:
>>>> > I've just copied the emerging rules,
>>>> >
>>>> > should I copy Snort rules also?
>>>> > should I convert all the rules from alert to Drop?
>>>> >
>>>> >
>>>> > Thxxx
>>>> >
>>>> >
>>>> > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> >
>>>> > Making progress :)
>>>> >
>>>> > Do you have drop rules? Normally a rule is "alert ip any any -> any any ... " etc. but you need "drop ip any any -> any ...." Did you convert your rules?
>>>> >
>>>> > The TmqDebugList statements are debug stuff, you can ignore that.
>>>> >
>>>> > Cheers,
>>>> > Victor
>>>> >
>>>> > Anas.B wrote:
>>>> > > Thank you so much for your help :)
>>>> > >
>>>> > > this time I've these lines :
>>>> > >
>>>> > > 'pickup-queue', len 0
>>>> > > TmqDebugList: id 1, name 'decode-queue1', len 0
>>>> > > TmqDebugList: id 2, name 'stream-queue1', len 49
>>>> > > TmqDebugList: id 3, name 'verdict-queue', len 0
>>>> > > TmqDebugList: id 4, name 'respond-queue', len 1
>>>> > > TmqDebugList: id 5, name 'alert-queue1', len 0
>>>> > >
>>>> > > after an Nmap scan
>>>> > >
>>>> > >
>>>> > > after CTRL+C
>>>> > >
>>>> > > I've this :
>>>> > >
>>>> > > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
>>>> > > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
>>>> > > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
>>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
>>>> > > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
>>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
>>>> > > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
>>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure... done
>>>> > >
>>>> > >
>>>> > > is this normal ?
>>>> > > (just alerts no Dropped !!!!)
>>>> > >
>>>> > > I've done the Nmap scan from Windows
>>>> > >
>>>> > >
>>>> > > Sorry for the inconvenience
>>>> > > Cheers
>>>> > >
>>>> > >
>>>> > >
>>>> > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> > >
>>>> > > In the config below you only send outgoing HTTP traffic to Suricata. To inspect all do:
>>>> > >
>>>> > > iptables -A INPUT -j NFQUEUE
>>>> > > iptables -A OUTPUT -j NFQUEUE
>>>> > >
>>>> > > Cheers,
>>>> > > Victor
>>>> > >
>>>> > > Anas.B wrote:
>>>> > > > I didn't configure iptables,
>>>> > > >
>>>> > > > now I have the two lines
>>>> > > >
>>>> > > > Chain INPUT (policy ACCEPT)
>>>> > > > target prot opt source destination
>>>> > > > NFQUEUE tcp -- anywhere anywhere tcp spt:www NFQUEUE num 0
>>>> > > >
>>>> > > > Chain FORWARD (policy ACCEPT)
>>>> > > > target prot opt source destination
>>>> > > >
>>>> > > > Chain OUTPUT (policy ACCEPT)
>>>> > > > target prot opt source destination
>>>> > > > NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0
>>>> > > >
>>>> > > > But still no alerts/Drop/reject nmap scan
>>>> > > >
>>>> > > > Best Regards
>>>> > > >
>>>> > > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> > > >
>>>> > > > In that case you'd need:
>>>> > > >
>>>> > > > iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
>>>> > > > iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
>>>> > > >
>>>> > > > This would send outgoing http traffic (the vm browsing the web) to Suricata.
>>>> > > >
>>>> > > > Cheers,
>>>> > > > Victor
>>>> > > >
>>>> > > > Anas.B wrote:
>>>> > > > > No, I'm just trying this in a local virtual machine (Ubuntu).
>>>> > > > >
>>>> > > > > Since there is not much documentation, I'm a little lost.
>>>> > > > >
>>>> > > > > Thanks a lot
>>>> > > > >
>>>> > > > >
>>>> > > > > 2010/6/9 Victor Julien <victor at inliniac.net>
>>>> > > > >
>>>> > > > > Did you add the appropriate iptables rules?
>>>> > > > >
>>>> > > > > For example for getting port 80 to suricata:
>>>> > > > >
>>>> > > > > iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
>>>> > > > >
>>>> > > > > Cheers,
>>>> > > > > Victor
>>>> > > > >
>>>> > > > > Anas.B wrote:
>>>> > > > > >
>>>> > > > > > Hello,
>>>> > > > > >
>>>> > > > > > I've just tested a nmap,
>>>> > > > > >
>>>> > > > > > I noticed more unified files
>>>> > > > > > and alerts in the file fast.log
>>>> > > > > > new values in alert-debug.log and stats.log
>>>> > > > > >
>>>> > > > > > that means it works !!
>>>> > > > > >
>>>> > > > > > But with the command ==> # suricata -c /etc/suricata/suricata.yaml -q 0
>>>> > > > > >
>>>> > > > > > I have no logs,
>>>> > > > > > any suggestions
>>>> > > > > >
>>>> > > > > > thanks :)
>>>> > > > > --
>>>> > > > > ---------------------------------------------
>>>> > > > > Victor Julien
>>>> > > > > http://www.inliniac.net/
>>>> > > > > PGP: http://www.inliniac.net/victorjulien.asc
>>>> > > > > ---------------------------------------------
>
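
The exit statistics discussed in this thread can be compared mechanically. The following is an added example, not code from the thread or from the Suricata project: it re-joins mail-wrapped Suricata log records, extracts the NFQ verdict and fast.log alert counters, and names the next check to make. The sample input is constructed from the counters quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample input: counters quoted in the thread, with the mail
# archive's quote markers and line wrapping left in place.
RUN_ALERT_RULES = """\
>>>> > > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533)
>>>> <Info>
>>>> > > (VerdictNFQThreadExitStats) -- (Verdict) Pkts
>>>> accepted 6028, dropped 0
>>>> > > [8506] 9/6/2010 -- 16:04:33 -
>>>> (alert-fastlog.c:256) <Info>
>>>> > > (AlertFastLogExitPrintStats) -- (Outputs) Alerts
>>>> 3792
"""
RUN_DROP_RULES = """\
>>>> [3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info>
>>>> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000
"""

QUOTE_PREFIX = re.compile(r"^[>\s]+")
RECORD_START = re.compile(r"^\[\d+\] \d+/\d+/\d+ -- ")
VERDICT = re.compile(r"\(Verdict\) Pkts accepted (\d+), dropped (\d+)")
ALERTS = re.compile(r"\(AlertFastLogExitPrintStats\) -- \(Outputs\) Alerts (\d+)")

def unwrap(text):
    """Strip quote markers and re-join log records split across lines."""
    records = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)       # "[id] d/m/yyyy -- " opens a record
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records

def exit_stats(text):
    """Return the verdict and fast.log alert counters (None if absent)."""
    stats = {"accepted": None, "dropped": None, "alerts": None}
    for record in unwrap(text):
        if m := VERDICT.search(record):
            stats["accepted"], stats["dropped"] = int(m[1]), int(m[2])
        if m := ALERTS.search(record):
            stats["alerts"] = int(m[1])
    return stats

def diagnose(stats):
    """Turn the counters into the check to make next."""
    if stats["dropped"] is None:
        return "no NFQ verdict line in this log"
    if stats["dropped"] > 0:
        return "drop verdicts were issued"
    if stats["alerts"]:
        return "alerts logged but no drop verdicts: check the rule actions"
    return "every packet accepted and no alerts counted"

if __name__ == "__main__":
    for name, run in (("alert rules", RUN_ALERT_RULES), ("drop rules", RUN_DROP_RULES)):
        print(name, exit_stats(run), "->", diagnose(exit_stats(run)))
```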