<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Got it.  A fix will be out Tuesday.  As you discovered, rule options
    must be lower case.  Same with Lua config by the way.<br>
    <br>
    Thanks<br>
    Russ<br>
    <br>
    <div class="moz-cite-prefix">On 11/23/17 12:12 AM, Noah Dietrich
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+N0JEwMcnpi4c+ddU4Bu8Fp=rRxPyzLr8d_w+8YV-tO7G49TA@mail.gmail.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div dir="ltr">Hi Russ,
        <div><br>
        </div>
        <div>Regarding the segfault, after a little further testing the
          issue appears to occur whenever you don't use all lowercase
          for your rule options (msg, gid, sid, et cetera).</div>
        <div><br>
        </div>
        <div>for example, this rule works:</div>
        <div>     alert icmp any any -> $HOME_NET any (msg:"ICMP test
          detected"; sid:10000001; rev:001; gid:1;
          classtype:icmp-event;)<br>
        </div>
        <div>but any of the following throw a segfault:</div>
        <div>     alert icmp any any -> $HOME_NET any (msg:"ICMP test
          detected"; sid:10000001; rev:001; <font color="#cc0000">GID</font>:1;
          classtype:icmp-event;)<br>
        </div>
        <div>     alert icmp any any -> $HOME_NET any (msg:"ICMP test
          detected"; <font color="#cc0000">Sid</font>:10000001;
          rev:001; gid:1; classtype:icmp-event;)<br>
        </div>
        <div>     alert icmp any any -> $HOME_NET any (<font
            color="#cc0000">Msg</font>:"ICMP test detected";
          sid:10000001; rev:001; gid:1; classtype:icmp-event;)<br>
        </div>
        <div><br>
        </div>
        <div>let me know if you need more information.  my configuration
          and output is below.</div>
        <div>Thanks,</div>
        <div>noah</div>
        <div><br>
        </div>
        <div>Details of my configuration:</div>
        <div><br>
        </div>
        <div>snort3 build 240 on Ubuntu 16 x64 with all the additional
          software installed (let me know if I've missed any optional
          software packages):</div>
        <div>
          <div>noah@snort3:/etc/snort$ /bin/snort -V</div>
          <div><br>
          </div>
          <div>   ,,_     -*> Snort++ <*-</div>
          <div>  o"  )~   Version 3.0.0 (Build 240) from 2.9.8-383</div>
          <div>   ''''    By Martin Roesch & The Snort Team</div>
          <div>           <a href="http://snort.org/contact#team"
              moz-do-not-send="true">http://snort.org/contact#team</a></div>
          <div>           Copyright (C) 2014-2017 Cisco and/or its
            affiliates. All rights reserved.</div>
          <div>           Copyright (C) 1998-2013 Sourcefire, Inc., et
            al.</div>
          <div>           Using DAQ version 2.2.2</div>
          <div>           Using LuaJIT version 2.0.4</div>
          <div>           Using OpenSSL 1.0.2g  1 Mar 2016</div>
          <div>           Using libpcap version 1.7.4</div>
          <div>           Using PCRE version 8.38 2015-11-23</div>
          <div>           Using ZLIB version 1.2.8</div>
          <div>           Using FlatBuffers 1.7.0</div>
          <div>           Using Hyperscan version 4.6.0 2017-11-18</div>
          <div>           Using LZMA version 5.1.0alpha</div>
        </div>
        <div><br>
        </div>
        <div><b><u>Files used:</u></b></div>
        <div>
          <div>noah@snort3:/etc/snort$ tree</div>
          <div>.</div>
          <div>├── builtin_rules</div>
          <div>├── file_magic.lua</div>
          <div>├── lists</div>
          <div>├── rules</div>
          <div>│   ├── ips.include</div>
          <div>│   ├── local.rules</div>
          <div>│   ├── sid-msg.map</div>
          <div>│   └── snort3-community.rules</div>
          <div>├── snort_defaults.lua</div>
          <div>├── snort.lua</div>
          <div>└── so_rules</div>
          <div><br>
          </div>
          <div><u style="font-weight:bold"># snort_defaults.lua </u>(relevant
            sections):</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>---------------------------------------------------------------------------</div>
          <div><span style="white-space:pre">     </span>-- default paths</div>
          <div><span style="white-space:pre">     </span>---------------------------------------------------------------------------</div>
          <div><span style="white-space:pre">     </span>-- Path to your
            rules files (this can be a relative path)</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>RULE_PATH =
            '/etc/snort/rules'</div>
          <div><span style="white-space:pre">     </span>BUILTIN_RULE_PATH =
            '/etc/snort/builtin_rules'</div>
          <div><span style="white-space:pre">     </span>PLUGIN_RULE_PATH =
            '/etc/snort/so_rules'</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>-- If you are using
            reputation preprocessor set these</div>
          <div><span style="white-space:pre">     </span>WHITE_LIST_PATH =
            '/etc/snort/lists'</div>
          <div><span style="white-space:pre">     </span>BLACK_LIST_PATH =
            '/etc/snort/lists'</div>
          <div><br>
          </div>
          <div><b><u># snort.lua</u> </b>(relevant sections)</div>
          <div><span style="white-space:pre">     </span>---------------------------------------------------------------------------</div>
          <div><span style="white-space:pre">     </span>-- 2. configure
            defaults</div>
          <div><span style="white-space:pre">     </span>---------------------------------------------------------------------------</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>-- HOME_NET and
            EXTERNAL_NET must be set now</div>
          <div><span style="white-space:pre">     </span>-- setup the
            network addresses you are protecting</div>
          <div><span style="white-space:pre">     </span>HOME_NET = '<a
              href="http://10.0.0.0/24" moz-do-not-send="true">10.0.0.0/24</a>'</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>-- set up the
            external network addresses.</div>
          <div><span style="white-space:pre">     </span>-- (leave as "any"
            in most situations)</div>
          <div><span style="white-space:pre">     </span>EXTERNAL_NET =
            'any'</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>dofile(conf_dir ..
            '/snort_defaults.lua')</div>
          <div><span style="white-space:pre">     </span>dofile(conf_dir ..
            '/file_magic.lua')</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>appid =</div>
          <div><span style="white-space:pre">     </span>{</div>
          <div><span style="white-space:pre">     </span>    -- appid
            requires this to use appids in rules</div>
          <div><span style="white-space:pre">     </span>   
            app_detector_dir = '/lib',</div>
          <div><span style="white-space:pre">     </span>    log_stats =
            true,</div>
          <div><span style="white-space:pre">     </span>}</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>ips =</div>
          <div><span style="white-space:pre">     </span>{</div>
          <div><span style="white-space:pre">     </span>    -- use this to
            enable decoder and inspector alerts</div>
          <div><span style="white-space:pre">     </span>    --
            enable_builtin_rules = true,</div>
          <div><br>
          </div>
          <div><span style="white-space:pre">     </span>    -- use include
            for rules files; be sure to set your path</div>
          <div><span style="white-space:pre">     </span>    -- note that
            rules files can include other rules files</div>
          <div><span style="white-space:pre">     </span>    --include =
            'snort3_community.rules'</div>
          <div><span style="white-space:pre">     </span>    include =
            RULE_PATH .. '/ips.include',</div>
          <div><span style="white-space:pre">     </span>}</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div><b><u># ips.include</u></b></div>
          <div><span style="white-space:pre">     </span>#include
            rules/snort3-community.rules</div>
          <div><span style="white-space:pre">     </span>include
            rules/local.rules</div>
          <div><br>
          </div>
          <div><b><u># local.rules</u></b></div>
          <div><span style="white-space:pre">     </span>alert icmp any any
            -> $HOME_NET any (msg:"ICMP test detected"; sid:10000001;
            rev:001; GID:1; classtype:icmp-event;)</div>
        </div>
        <div><br>
        </div>
        <div><b><u># Running Snort (and getting segfault):</u></b></div>
        <div>
          <div>noah@snort3:/etc/snort$ sudo /bin/snort -c
            /etc/snort/snort.lua --warn-all</div>
          <div>--------------------------------------------------</div>
          <div>o")~   Snort++ 3.0.0-240</div>
          <div>--------------------------------------------------</div>
          <div>Loading /etc/snort/snort.lua:</div>
          <div><span style="white-space:pre">     </span>ssh</div>
          <div><span style="white-space:pre">     </span>pop</div>
          <div><span style="white-space:pre">     </span>binder</div>
          <div><span style="white-space:pre">     </span>stream_tcp</div>
          <div><span style="white-space:pre">     </span>gtp_inspect</div>
          <div><span style="white-space:pre">     </span>dce_http_proxy</div>
          <div><span style="white-space:pre">     </span>stream_icmp</div>
          <div><span style="white-space:pre">     </span>normalizer</div>
          <div><span style="white-space:pre">     </span>ftp_server</div>
          <div><span style="white-space:pre">     </span>stream_udp</div>
          <div><span style="white-space:pre">     </span>modbus</div>
          <div><span style="white-space:pre">     </span>ips</div>
          <div><span style="white-space:pre">     </span>ssl</div>
          <div><span style="white-space:pre">     </span>latency</div>
          <div><span style="white-space:pre">     </span>wizard</div>
          <div><span style="white-space:pre">     </span>appid</div>
          <div><span style="white-space:pre">     </span>file_id</div>
          <div><span style="white-space:pre">     </span>ftp_data</div>
          <div><span style="white-space:pre">     </span>back_orifice</div>
          <div><span style="white-space:pre">     </span>smtp</div>
          <div><span style="white-space:pre">     </span>port_scan</div>
          <div><span style="white-space:pre">     </span>dce_http_server</div>
          <div><span style="white-space:pre">     </span>dce_tcp</div>
          <div><span style="white-space:pre">     </span>dce_smb</div>
          <div><span style="white-space:pre">     </span>telnet</div>
          <div><span style="white-space:pre">     </span>classifications</div>
          <div><span style="white-space:pre">     </span>sip</div>
          <div><span style="white-space:pre">     </span>rpc_decode</div>
          <div><span style="white-space:pre">     </span>http_inspect</div>
          <div><span style="white-space:pre">     </span>stream_ip</div>
          <div><span style="white-space:pre">     </span>stream_user</div>
          <div><span style="white-space:pre">     </span>dnp3</div>
          <div><span style="white-space:pre">     </span>ftp_client</div>
          <div><span style="white-space:pre">     </span>stream</div>
          <div><span style="white-space:pre">     </span>references</div>
          <div><span style="white-space:pre">     </span>arp_spoof</div>
          <div><span style="white-space:pre">     </span>dns</div>
          <div><span style="white-space:pre">     </span>dce_udp</div>
          <div><span style="white-space:pre">     </span>imap</div>
          <div><span style="white-space:pre">     </span>stream_file</div>
          <div>Finished /etc/snort/snort.lua.</div>
          <div><font color="#cc0000">Loading
              /etc/snort/rules/ips.include:</font></div>
          <div><font color="#cc0000">Loading rules/local.rules:</font></div>
          <div><font color="#cc0000">Segmentation fault (core dumped)</font></div>
          <div>noah@snort3:/etc/snort$</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>When i fix the rules to have all lowercase option names, i
          don't get a segfault:</div>
        <div><br>
        </div>
        <div>
          <div>noah@snort3:/etc/snort$ sudo /bin/snort -c
            /etc/snort/snort.lua --warn-all</div>
          <div>--------------------------------------------------</div>
          <div>o")~   Snort++ 3.0.0-240</div>
          <div>--------------------------------------------------</div>
          <div>Loading /etc/snort/snort.lua:</div>
          <div><span style="white-space:pre">     </span>ssh</div>
          <div><span style="white-space:pre">     </span>pop</div>
          <div><span style="white-space:pre">     </span>binder</div>
          <div><span style="white-space:pre">     </span>stream_tcp</div>
          <div><span style="white-space:pre">     </span>gtp_inspect</div>
          <div><span style="white-space:pre">     </span>dce_http_proxy</div>
          <div><span style="white-space:pre">     </span>stream_icmp</div>
          <div><span style="white-space:pre">     </span>normalizer</div>
          <div><span style="white-space:pre">     </span>ftp_server</div>
          <div><span style="white-space:pre">     </span>stream_udp</div>
          <div><span style="white-space:pre">     </span>modbus</div>
          <div><span style="white-space:pre">     </span>ips</div>
          <div><span style="white-space:pre">     </span>ssl</div>
          <div><span style="white-space:pre">     </span>latency</div>
          <div><span style="white-space:pre">     </span>wizard</div>
          <div><span style="white-space:pre">     </span>appid</div>
          <div><span style="white-space:pre">     </span>file_id</div>
          <div><span style="white-space:pre">     </span>ftp_data</div>
          <div><span style="white-space:pre">     </span>back_orifice</div>
          <div><span style="white-space:pre">     </span>smtp</div>
          <div><span style="white-space:pre">     </span>port_scan</div>
          <div><span style="white-space:pre">     </span>dce_http_server</div>
          <div><span style="white-space:pre">     </span>dce_tcp</div>
          <div><span style="white-space:pre">     </span>dce_smb</div>
          <div><span style="white-space:pre">     </span>telnet</div>
          <div><span style="white-space:pre">     </span>classifications</div>
          <div><span style="white-space:pre">     </span>sip</div>
          <div><span style="white-space:pre">     </span>rpc_decode</div>
          <div><span style="white-space:pre">     </span>http_inspect</div>
          <div><span style="white-space:pre">     </span>stream_ip</div>
          <div><span style="white-space:pre">     </span>stream_user</div>
          <div><span style="white-space:pre">     </span>dnp3</div>
          <div><span style="white-space:pre">     </span>ftp_client</div>
          <div><span style="white-space:pre">     </span>stream</div>
          <div><span style="white-space:pre">     </span>references</div>
          <div><span style="white-space:pre">     </span>arp_spoof</div>
          <div><span style="white-space:pre">     </span>dns</div>
          <div><span style="white-space:pre">     </span>dce_udp</div>
          <div><span style="white-space:pre">     </span>imap</div>
          <div><span style="white-space:pre">     </span>stream_file</div>
          <div>Finished /etc/snort/snort.lua.</div>
          <div>Loading /etc/snort/rules/ips.include:</div>
          <div>Loading rules/local.rules:</div>
          <div>Finished rules/local.rules.</div>
          <div>Finished /etc/snort/rules/ips.include.</div>
          <div>--------------------------------------------------</div>
          <div>rule counts</div>
          <div>       total rules loaded: 1</div>
          <div>               text rules: 1</div>
          <div>            option chains: 1</div>
          <div>            chain headers: 1</div>
          <div>--------------------------------------------------</div>
          <div>port rule counts</div>
          <div>             tcp     udp    icmp      ip</div>
          <div>     any       0       0       1       0</div>
          <div>   total       0       0       1       0</div>
          <div>WARNING: port rule 1:10000001:1 has no fast pattern</div>
          <div>WARNING: legacy mode fast pattern searching enabled</div>
          <div>--------------------------------------------------</div>
          <div>pcap DAQ configured to passive.</div>
          <div>--------------------------------------------------</div>
          <div>memory (heap)</div>
          <div>    main thread usage: 26400128</div>
          <div>    allocations: 138043</div>
          <div>    deallocations: 77420</div>
          <div>    thread cap: 0</div>
          <div>    preemptive threshold: 0</div>
          <div><br>
          </div>
          <div>Snort successfully validated the configuration (with 2
            warnings).</div>
          <div>o")~   Snort exiting</div>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Nov 20, 2017 at 5:24 PM, Russ <span
            dir="ltr"><<a href="mailto:rucombs@cisco.com"
              target="_blank" moz-do-not-send="true">rucombs@cisco.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hey Noah, responses
              inline.<br>
              <br>
              Thanks<br>
              Russ<span class=""><br>
                <br>
                <div class="m_-2321849879318008401moz-cite-prefix">On
                  11/19/17 3:36 AM, Noah Dietrich wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">Hello,
                    <div><br>
                    </div>
                    <div>While working with Snort3 (build 240), I have
                      found some issues, and have a few questions and
                      requests. I am happy to submit these through
                      Github if you'd like.</div>
                  </div>
                </blockquote>
              </span> This is fine.  Whatever works for you.<span
                class=""><br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div><br>
                    </div>
                    <div>1.  What is the difference between <b>ips.include</b>
                      and <b>ips.rules</b>?  From the manual and
                      examples, it looks like ips.include is for legacy
                      rules (although snort3 community rules load fine),
                      while ips.rules is for local rules in the same
                      file.  can you clarify?</div>
                  </div>
                </blockquote>
              </span> ips.include = filename of Snort 3.0 rules you want
              to load.  Like Snort 2.X, you can put include statements
              in that file to include other files.  Snort 3.0 will not
              load Snort 2.X rules (but you can use snort2lua to convert
              them).<br>
              <br>
              ips.rules = string variable containing rules directly in
              the Lua file.  This is good for simple rules or test
              configurations or enabling specific builtins like this:<br>
              <br>
              local_rules =<br>
              [[<br>
              block ( gid:119; sid:16; )<br>
              block ( gid:119; sid:32; )<br>
              ]]<br>
              <br>
              ips = { rules = local_rules }<span class=""><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>2.  For best practices, are you expecting
                      people to set <b>$RULE_HOME</b> in <b>snort_defaults.lua</b>,
                      or should this be overwritten in <b>snort.lua</b>? 
                      Should this be moved to snort.lua, since the word
                      'defaults' seems to indicate something the user
                      shouldn't change.</div>
                  </div>
                </blockquote>
              </span> I am not familiar with RULE_HOME, but obviously
              those files are just starting points and should be
              modified to meet your needs.  That said, my suggestion
              would be to just edit snort.lua and copy/paste/tweak stuff
              from snort_defaults.lua into snort.lua or elsewhere.  That
              way you can more easily absorb any changes to
              snort_defaults.lua.<span class=""><br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>3.  If $RULE_HOME is set, when referencing rule
                      files, you are now required to have all rules
                      under that folder (with no explicit paths to other
                      locations). This seems like a bug.  It would be
                      nice if relative files would use the $RULES_HOME
                      directory, while full paths to rule files would
                      not use $RULE_HOME.</div>
                  </div>
                </blockquote>
              </span> Are you referring to RULE_PATH?  Regardless, there
              is no restriction on where your rules are located or on
              including one file from another.  Snort++ intentionally
              doesn't start guessing about the location of stuff so I
              wouldn't call that a bug.  Sounds like adding a command
              line option that says look for all rules files starting
              with a given path will do what you want.<span class=""><br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>4.  When using <b>ips.include</b> with a file
                      that lists all rule files (example below), the
                      file paths don't seem to be relative to
                      $RULE_HOME, but are relative to the snort.lua
                      file, which seems odd.</div>
                  </div>
                </blockquote>
              </span> By default, everything should be relative to your
              current working directory, which seems normal.  :)  How is
              this different from #3?<span class=""><br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>5.  It would be nice to be able to specify
                      multiple rule files in your snort.lua, rather than
                      listing them all in ips.include (or whatever). The
                      current method of lincluding a list of rule files
                      in a text file referenced from <b>ips.include </b>seems
                      like a kludge and adds an extra layer of work and
                      increases the chance of an issue when configuring
                      your rules.  A comma-seperated list of files
                      (relative to $RULE_HOME or full paths) would be
                      helpful.</div>
                  </div>
                </blockquote>
              </span> Would this work for you (assuming the new command
              line option mentioned in #3)?<br>
              <br>
              local_rules =<br>
              [[<br>
              include one.rules<br>
              include two.rules<br>
              # ...<br>
              ]]<br>
              <br>
              ips = { rules = local_rules }<span class=""><br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>6.  Not sure if this is an issue or not, but if
                      you specify the GID keyword in a rule loaded with
                      <b>ips.include</b>, snort3 will segfault.</div>
                  </div>
                </blockquote>
              </span> Oops.  Any segfault is an issue but I'm unable to
              reproduce that.  Can you isolate it and send the rule?<br>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">
                      <div><br>
                      </div>
                      <div>Thank you,</div>
                      <div>Noah</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                      <div>Here is how my system is configured for the
                        above questions (relevant sections only):</div>
                      <div><br>
                      </div>
                      <div><b><u>/etc/snort/snort_defaults.lua:</u></b></div>
                      <div>
                        <div>RULE_PATH = '/etc/snort/rules'</div>
                      </div>
                      <div><br>
                      </div>
                      <div><b><u>/etc/snort/</u></b><b><u>snort.lua</u></b></div>
                      <div>
                        <div>ips =</div>
                        <div>{</div>
                        <div>    enable_builtin_rules = true,<br>
                        </div>
                        <div>    include = RULE_PATH .. '/ips.include',<br>
                        </div>
                        <div>}</div>
                      </div>
                      <div><br>
                      </div>
                      <div><b><u>/etc/snort/rules/ips.include</u></b><br>
                      </div>
                      <div>
                        <div>include rules/snort3-community.rules</div>
                        <div>include rules/local.rules</div>
                        <div
                          style="text-decoration-line:underline;font-weight:bold"><br>
                        </div>
                      </div>
                      <div
                        style="text-decoration-line:underline;font-weight:bold">ls
                        -l /etc/snort/rules</div>
                      <div>
                        <div>-rw-r--r-- 1 root root      64 Nov 19
                          09:33              ips.include<br>
                        </div>
                        <div>-rw-r--r-- 1 root root    1389 Nov 19
                          09:36            local.rules</div>
                        <div>-rw-r--r-- 1 root root  376241 Nov 18
                          13:42          sid-msg.map</div>
                        <div>-rw-r--r-- 1 root root 1504089 Nov 18
                          13:36         snort3-community.rules</div>
                        <div
                          style="text-decoration-line:underline;font-weight:bold"><br>
                        </div>
                        <div><b><u><br>
                            </u></b></div>
                        <div>
                          <div><b><u>noah@snort3:/etc/snort$ /bin/snort
                                -V</u></b></div>
                          <div><br>
                          </div>
                          <div>   ,,_     -*> Snort++ <*-</div>
                          <div>  o"  )~   Version 3.0.0 (Build 240) from
                            2.9.8-383</div>
                          <div>   ''''    By Martin Roesch & The
                            Snort Team</div>
                          <div>           <a
                              href="http://snort.org/contact#team"
                              target="_blank" moz-do-not-send="true">http://snort.org/contact#team</a></div>
                          <div>           Copyright (C) 2014-2017 Cisco
                            and/or its affiliates. All rights reserved.</div>
                          <div>           Copyright (C) 1998-2013
                            Sourcefire, Inc., et al.</div>
                          <div>           Using DAQ version 2.2.2</div>
                          <div>           Using LuaJIT version 2.0.4</div>
                          <div>           Using OpenSSL 1.0.2g  1 Mar
                            2016</div>
                          <div>           Using libpcap version 1.7.4</div>
                          <div>           Using PCRE version 8.38
                            2015-11-23</div>
                          <div>           Using ZLIB version 1.2.8</div>
                          <div>           Using FlatBuffers 1.7.0</div>
                          <div>           Using Hyperscan version 4.6.0
                            2017-11-18</div>
                          <div>           Using LZMA version 5.1.0alpha</div>
                          <div
                            style="font-weight:bold;text-decoration-line:underline"><br>
                          </div>
                        </div>
                        <div
                          style="text-decoration-line:underline;font-weight:bold"><br>
                        </div>
                      </div>
                    </div>
                    <br>
                    <fieldset
                      class="m_-2321849879318008401mimeAttachmentHeader"></fieldset>
                    <br>
                  </div>
                </div>
                <pre>______________________________<wbr>_________________
Snort-devel mailing list
<a class="m_-2321849879318008401moz-txt-link-abbreviated" href="mailto:Snort-devel@lists.snort.org" target="_blank" moz-do-not-send="true">Snort-devel@lists.snort.org</a>
<a class="m_-2321849879318008401moz-txt-link-freetext" href="https://lists.snort.org/mailman/listinfo/snort-devel" target="_blank" moz-do-not-send="true">https://lists.snort.org/<wbr>mailman/listinfo/snort-devel</a>

Please visit <a class="m_-2321849879318008401moz-txt-link-freetext" href="http://blog.snort.org" target="_blank" moz-do-not-send="true">http://blog.snort.org</a> for the latest news about Snort!</pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>