[Oisf-users] Fwd: IPS
Pablo
pablo.rincon.crespo at gmail.com
Mon Jun 14 11:15:33 UTC 2010
In my last mail I wrote the example rule without a protocol (my
apologies, I forgot it).
2010/6/14 Will Metcalf <william.metcalf at gmail.com>
> Hmm, are you sure there is a logged alert? When I try to process this
> rule it is rejected by the rule parser, as there is no protocol
> specified.
> SigParseBasics: pcre_exec failed: ret -1, sigstr "drop any any -> any any (msg:"drop google"; content:"google";sid:1;)"
> [19453] 14/6/2010 -- 06:06:59 - (detect.c:322) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "drop any any -> any any (msg:"drop google"; content:"google";sid:1;)" from file blah.rules at line 1
>
> However, for me the same NFQUEUE rules with the same rule plus a protocol
> specified prevent me from visiting www.google.com.
>
> drop tcp any any -> any any (msg:"drop google"; content:"google";sid:1;)
>
> Regards,
>
> Will
>
>
> On Mon, Jun 14, 2010 at 4:12 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> > Good morning,
> >
> > I've tried this rule in a new file "facebook.rules":
> > drop any any -> any any (msg:"drop google"; content:"google";sid:1;)
> >
> > The alert is logged, but no drops!
> >
> >
> >>>
> >>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>
> >>>> These are the results of my experiment:
> >>>> (Strange!!!)
> >>>>
> >>>> *****************************************************************************************
> >>>> nmap -sS 192.168.44.135 without running suricata
> >>>>
> >>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:33 Afr. centrale Ouest
> >>>> Nmap scan report for 192.168.44.135
> >>>> Host is up (0.00s latency).
> >>>> All 1000 scanned ports on 192.168.44.135 are filtered
> >>>> MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>
> >>>> Nmap done: 1 IP address (1 host up) scanned in 22.33 seconds
> >>>>
> >>>> *****************************************************************************************
> >>>> nmap -sS 192.168.44.135 with suricata but without Drop rules
> >>>>
> >>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:40 Afr. centrale Ouest
> >>>> Nmap scan report for 192.168.44.135
> >>>> Host is up (0.0013s latency).
> >>>> All 1000 scanned ports on 192.168.44.135 are closed
> >>>> MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>
> >>>> Nmap done: 1 IP address (1 host up) scanned in 6.38 seconds
> >>>>
> >>>> [3647] 11/6/2010 -- 16:41:41 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 2004, dropped 0
> >>>>
> >>>> *****************************************************************************************
> >>>> nmap -sS 192.168.44.135 with suricata and replacing alert by Drop
> >>>>
> >>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 16:45 Afr. centrale Ouest
> >>>> Nmap scan report for 192.168.44.135
> >>>> Host is up (0.00s latency).
> >>>> All 1000 scanned ports on 192.168.44.135 are filtered
> >>>> MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>>
> >>>> Nmap done: 1 IP address (1 host up) scanned in 22.68 seconds
> >>>>
> >>>> [3701] 11/6/2010 -- 16:46:51 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 0, dropped 2000
> >>>>
> >>>> *****************************************************************************************
> >>>>
> >>>> What can we conclude?? ==> [we can't drop the Nmap scans!!!??]
> >>>>
> >>>> 2010/6/11 Anas.B <a.bouhsaina at gmail.com>
> >>>> I don't have 2010051; here is the rule I have:
> >>>>
> >>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010501; rev:2;)
> >>>>
> >>>> I didn't understand the cksum offload (does that mean comparing the CRC
> >>>> on arrival with the CRC at departure??)
> >>>> and also the sending back of compressed data!
> >>>>
> >>>> Is Snort better than Suricata?
> >>>>
> >>>> 2010/6/11 rmkml <rmkml at free.fr>
> >>>> Look in the emerging files you have to see whether you already have sid
> >>>> 2010051? Apparently it is in a file that contains the word malware...
> >>>> By default suricata does not inspect the content of packets that have a
> >>>> bad cksum, so if you have a network card that does cksum offload, you
> >>>> are going to see a lot of bad cksums... you can check it with tcpdump...
> >>>> Regarding web browser caches: if you go to the URL
> >>>> http://www.google.com/install/ws.exe with firefox or ie, you will get an
> >>>> alert with suricata, but if you refresh your browser, the browser will
> >>>> actually not request the URL again, since it surely has it in its
> >>>> cache... that is why I use wget or curl or fetch.
> >>>> Later on you will also have to watch out for web servers sending back
> >>>> compressed data...
> >>>>
> >>>> a+
> >>>> Rmkml
> >>>>
> >>>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>> Do I have to create it,
> >>>> or does it already exist?
> >>>>
> >>>> If yes, in which file?
> >>>> If not, how?
> >>>>
> >>>> Actually I didn't understand:
> >>>> - watch out for the cksum...
> >>>> and - watch out for web browser caches...
> >>>>
> >>>> Sorry, and thanks a lot.
> >>>>
> >>>> 2010/6/11 rmkml <rmkml at free.fr>
> >>>> Hmm, good question.
> >>>> An example, maybe with sid 2010051:
> >>>> generate an alert with the unix wget client (or fetch or curl):
> >>>> wget http://www.google.com/install/ws.exe
> >>>> and get an alert:
> >>>> 06/11-16:32:23.306483 [**] [1:2010051:2] ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.50.1.40:34322 -> a.b.c.d:80
> >>>> then switch it to drop, always checking whether you get packet drops
> >>>> or not...
> >>>> watch out for the cksum...
> >>>>
> >>>> a+
> >>>> Rmkml
> >>>>
> >>>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>> Hi,
> >>>> yes, I think you're right,
> >>>> what kind of easy rule could I block?
> >>>>
> >>>> Thaaaanks
> >>>>
> >>>> 2010/6/11 rmkml <rmkml at free.fr>
> >>>> Hello Anas,
> >>>> following Victor's email, I think nmap scans are a special case, i.e.
> >>>> the scans open multiple sessions, which is not an easy case to start
> >>>> with...
> >>>> Rather, try an attack that matches a single rule, then block it...
> >>>> watch out for web browser caches...
> >>>> a+
> >>>> Rmkml
> >>>>
> >>>> On Fri, 11 Jun 2010, Anas.B wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> I've replaced "alert" with "drop" where we have "Nmap"
> >>>> rules in the emerging-scan.rules file,
> >>>>
> >>>> but I get the same result in Nmap:
> >>>>
> >>>> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-11 14:49 Afr. centrale Ouest
> >>>> Nmap scan report for 192.168.44.135
> >>>> Host is up (0.00s latency).
> >>>> All 1000 scanned ports on 192.168.44.135 are filtered
> >>>> MAC Address: 00:0C:29:07:11:87 (VMware)
> >>>> Nmap done: 1 IP address (1 host up) scanned in 23.16 seconds
> >>>> as before!!!
> >>>>
> >>>> Why aren't the packets dropped?
> >>>>
> >>>> These are the commands applied:
> >>>> suricata -c /etc/suricata/suricata.yaml -q 0
> >>>>
> >>>> and this is the iptables:
> >>>>
> >>>> NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> >>>>
> >>>> Chain FORWARD (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>> NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
> >>>>
> >>>> Kindest regards :)
> >>>>
> >>>> Anas
> >>>>
> >>>> 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>> All rules might be a bit much, but in essence, yes. But be careful that
> >>>> some rules might false positive.
> >>>>
> >>>> Cheers,
> >>>> Victor
> >>>>
> >>>> Anas.B wrote:
> >>>> > I've just copied the emerging rules,
> >>>> >
> >>>> > should I copy snort rules also?
> >>>> > should I convert all the rules from alert to Drop?
> >>>> >
> >>>> > Thxxx
> >>>> >
> >>>> > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>> >
> >>>> > Making progress :)
> >>>> >
> >>>> > Do you have drop rules? Normally a rule is "alert ip any any -> any any
> >>>> > ... " etc. but you need "drop ip any any -> any ...." Did you convert
> >>>> > your rules?
> >>>> >
> >>>> > The TmqDebugList statements are debug stuff, you can ignore that.
> >>>> >
> >>>> > Cheers,
> >>>> > Victor
> >>>> >
> >>>> > Anas.B wrote:
> >>>> > > Thank you so much for your help :)
> >>>> > >
> >>>> > > this time I've these lines:
> >>>> > >
> >>>> > > 'pickup-queue', len 0
> >>>> > > TmqDebugList: id 1, name 'decode-queue1', len 0
> >>>> > > TmqDebugList: id 2, name 'stream-queue1', len 49
> >>>> > > TmqDebugList: id 3, name 'verdict-queue', len 0
> >>>> > > TmqDebugList: id 4, name 'respond-queue', len 1
> >>>> > > TmqDebugList: id 5, name 'alert-queue1', len 0
> >>>> > >
> >>>> > > after an Nmap scan
> >>>> > >
> >>>> > > after CTRL+C
> >>>> > >
> >>>> > > I've this:
> >>>> > >
> >>>> > > 4:33 - (suricata.c:1033) <Info> (main) -- signal received
> >>>> > > [8495] 9/6/2010 -- 16:04:33 - (suricata.c:1069) <Info> (main) -- time elapsed 176s
> >>>> > > [8500] 9/6/2010 -- 16:04:33 - (source-nfq.c:522) <Info> (ReceiveNFQThreadExitStats) -- (ReceiveNFQ) Pkts 6028, Bytes 256012, Errors 0
> >>>> > > [8502] 9/6/2010 -- 16:04:33 - (stream-tcp.c:2634) <Info> (StreamTcpExitPrintStats) -- (Stream1) Packets 6014
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:172) <Info> (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 6028, Searched 0 (0.0).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:175) <Info> (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 6028, Searched 4 (0.1).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:178) <Info> (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 6028, Searched 0 (0.0).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:181) <Info> (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 6028, Searched 0 (0.0).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:184) <Info> (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 6028, Searched 0 (0.0).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:188) <Info> (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:191) <Info> (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:194) <Info> (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:197) <Info> (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:200) <Info> (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan).
> >>>> > > [8503] 9/6/2010 -- 16:04:33 - (detect.c:202) <Info> (DetectExitPrintStats) -- 4 sigs per mpm match on avg needed inspection, total mpm searches 2, less than 25 sigs need inspect 2, more than 100 sigs need inspect 0, more than 1000 0 max 5
> >>>> > > [8504] 9/6/2010 -- 16:04:33 - (source-nfq.c:533) <Info> (VerdictNFQThreadExitStats) -- (Verdict) Pkts accepted 6028, dropped 0
> >>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-fastlog.c:256) <Info> (AlertFastLogExitPrintStats) -- (Outputs) Alerts 3792
> >>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-log.c:304) <Info> (AlertUnifiedLogThreadDeinit) -- Alert unified1 log module wrote 3792 alerts
> >>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified-alert.c:281) <Info> (AlertUnifiedAlertThreadDeinit) -- Alert unified1 alert module wrote 3792 alerts
> >>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-unified2-alert.c:582) <Info> (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 3792 alerts
> >>>> > > [8506] 9/6/2010 -- 16:04:33 - (log-httplog.c:391) <Info> (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0
> >>>> > > [8506] 9/6/2010 -- 16:04:33 - (alert-debuglog.c:254) <Info> (AlertDebugLogExitPrintStats) -- (Outputs) Alerts 3792
> >>>> > > [8507] 9/6/2010 -- 16:04:33 - (flow.c:767) <Info> (FlowManagerThread) -- 6 new flows, 1000 established flows were timed out, 0 flows in closed state
> >>>> > > [8495] 9/6/2010 -- 16:04:33 - (flow.c:588) <Info> (FlowPrintQueueInfo) -- flowbits added: 0, removed: 0, max memory usage: 0
> >>>> > > [8495] 9/6/2010 -- 16:04:33 - (stream-tcp.c:365) <Info> (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0)
> >>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2492) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> >>>> > > [8495] 9/6/2010 -- 16:04:33 - (detect.c:2509) <Info> (SigAddressCleanupStage1) -- cleaning up signature grouping structure...
> >>>> > > done
> >>>> > >
> >>>> > > is this normal?
> >>>> > > (just alerts, no Dropped!!!!)
> >>>> > >
> >>>> > > I've done the Nmap scan from Windows
> >>>> > >
> >>>> > > Sorry for the inconvenience
> >>>> > > Cheers
> >>>> > >
> >>>> > > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>> > >
> >>>> > > In the config below you only send outgoing HTTP traffic to Suricata. To
> >>>> > > inspect all do:
> >>>> > >
> >>>> > > iptables -A INPUT -j NFQUEUE
> >>>> > > iptables -A OUTPUT -j NFQUEUE
> >>>> > >
> >>>> > > Cheers,
> >>>> > > Victor
> >>>> > >
> >>>> > > Anas.B wrote:
> >>>> > > > I didn't configure iptables,
> >>>> > > >
> >>>> > > > now I have the two lines
> >>>> > > >
> >>>> > > > Chain INPUT (policy ACCEPT)
> >>>> > > > target     prot opt source               destination
> >>>> > > > NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0
> >>>> > > >
> >>>> > > > Chain FORWARD (policy ACCEPT)
> >>>> > > > target     prot opt source               destination
> >>>> > > >
> >>>> > > > Chain OUTPUT (policy ACCEPT)
> >>>> > > > target     prot opt source               destination
> >>>> > > > NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0
> >>>> > > >
> >>>> > > > But still no alerts/drop/reject of the nmap scan
> >>>> > > >
> >>>> > > > Best Regards
> >>>> > > >
> >>>> > > > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>> > > >
> >>>> > > > In that case you'd need:
> >>>> > > >
> >>>> > > > iptables -A OUTPUT -p tcp --dport 80 -j NFQUEUE
> >>>> > > > iptables -A INPUT -p tcp --sport 80 -j NFQUEUE
> >>>> > > >
> >>>> > > > This would send outgoing http traffic (the vm browsing the web) to
> >>>> > > > Suricata.
> >>>> > > >
> >>>> > > > Cheers,
> >>>> > > > Victor
> >>>> > > >
> >>>> > > > Anas.B wrote:
> >>>> > > > > No, I'm just trying this in a local Virtual Machine (Ubuntu).
> >>>> > > > >
> >>>> > > > > Since there is not much doc, I'm a little lost.
> >>>> > > > >
> >>>> > > > > Thanks a lot
> >>>> > > > >
> >>>> > > > > 2010/6/9 Victor Julien <victor at inliniac.net>
> >>>> > > > >
> >>>> > > > > Did you add the appropriate iptables rules?
> >>>> > > > >
> >>>> > > > > For example for getting port 80 to suricata:
> >>>> > > > >
> >>>> > > > > iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
> >>>> > > > >
> >>>> > > > > Cheers,
> >>>> > > > > Victor
> >>>> > > > >
> >>>> > > > > Anas.B wrote:
> >>>> > > > > >
> >>>> > > > > > Hello,
> >>>> > > > > >
> >>>> > > > > > I've just tested an nmap,
> >>>> > > > > >
> >>>> > > > > > I noticed more unified files
> >>>> > > > > > and alerts in the file fast.log,
> >>>> > > > > > new values in alert-debug.log and stats.log
> >>>> > > > > >
> >>>> > > > > > that means it works!!
> >>>> > > > > >
> >>>> > > > > > But with the command ==> # suricata -c /etc/suricata/suricata.yaml -q 0
> >>>> > > > > >
> >>>> > > > > > I have no logs,
> >>>> > > > > > any suggestions?
> >>>> > > > > >
> >>>> > > > > > thanks :)
> >>>> > > > > >
> >>>> > > > > > _______________________________________________
> >>>> > > > > > Oisf-users mailing list
> >>>> > > > > > Oisf-users at openinfosecfoundation.org
> >>>> > > > > > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>>> > > > >
> >>>> > > > > --
> >>>> > > > > ---------------------------------------------
> >>>> > > > > Victor Julien
> >>>> > > > > http://www.inliniac.net/
> >>>> > > > > PGP: http://www.inliniac.net/victorjulien.asc
> >>>> > > > > ---------------------------------------------
--
Best regards,
--
Pablo Rincón Crespo
Security researcher and developer
Open Information Security Foundation (OISF)
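The parser error Will quotes above (a rule written as "drop any any -> any any (...)", with no protocol between the action and the source address) is the kind of mistake a pre-flight check of a rules file catches before the engine is restarted. The following is an added example, not code from this thread or from Suricata itself: a small checker for the rule header and option syntax used in the thread. The accepted action and protocol sets are assumptions (a subset of what the real parser accepts), and SAMPLE_RULES is a constructed rules-file body.

```python
import re

# Assumed subsets of the actions and protocols the Suricata rule parser accepts.
ACTIONS = {"alert", "drop", "reject", "pass"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}

# One option: key[:value]; where value may be quoted (with backslash escapes),
# bare (e.g. flow:established,to_server) or absent (e.g. nocase;).
OPTION_RE = re.compile(r'([A-Za-z_.]+)(?::\s*((?:"(?:[^"\\]|\\.)*"|[^";])*))?\s*;')


def parse_rule(rule):
    """Parse one rule; return ok=True plus the header fields, or ok=False plus an error."""
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        return {"ok": False, "error": "missing option block ( ... )"}
    header, options = rule[:-1].split("(", 1)
    tokens = header.split()
    # The case from the thread: six header fields, with the direction operator one
    # position too early, means the protocol after the action was left out.
    if len(tokens) == 6 and tokens[3] in DIRECTIONS and tokens[1] not in PROTOCOLS:
        return {"ok": False, "error": "no protocol specified after action '%s'" % tokens[0]}
    if len(tokens) != 7:
        return {"ok": False, "error": "header has %d fields, expected 7" % len(tokens)}
    action, proto, src, sport, direction, dst, dport = tokens
    if action not in ACTIONS:
        return {"ok": False, "error": "unknown action '%s'" % action}
    if proto not in PROTOCOLS:
        return {"ok": False, "error": "unknown protocol '%s'" % proto}
    if direction not in DIRECTIONS:
        return {"ok": False, "error": "bad direction '%s'" % direction}
    opts = OPTION_RE.findall(options)          # list of (key, value) in rule order
    sid = next((v for k, v in opts if k == "sid"), None)
    if sid is None:
        return {"ok": False, "error": "rule has no sid"}
    return {"ok": True, "action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "sid": sid, "options": opts}


def check_rules(text):
    """Validate every rule line of a rules-file body; return [(line_number, error), ...]."""
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                            # blank lines and comments are not rules
        result = parse_rule(line)
        if not result["ok"]:
            errors.append((lineno, result["error"]))
    return errors


# Constructed sample: the working rule from the thread, the protocol-less variant,
# and a rule that forgot its sid.
SAMPLE_RULES = """\
drop tcp any any -> any any (msg:"drop google"; content:"google"; sid:1;)
drop any any -> any any (msg:"drop google"; content:"google"; sid:2;)
# comment lines and blank lines are skipped

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"no sid"; content:"GET "; nocase;)
"""

if __name__ == "__main__":
    for lineno, err in check_rules(SAMPLE_RULES):
        print("line %d: %s" % (lineno, err))
```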