[Snort-users] not write alert file

Josh Berry josh.berry at ...10221...
Mon Nov 17 08:37:42 EST 2003


Just because you have the icmp.rules enabled does not mean you are
alerting on every ping request.  There is not a signature in the default
icmp.rules file that fires on every ping.


> Dear Matt and all the snort user
>
> thanks to so early to reply.
> I'm glad to like it
>
>>At 03:30 AM 11/14/2003, Hideki Hirata wrote:
>>># ping (eth0_address in my server) (enter)
>>># ping (same subnet among other host ipaddress ) (enter)
>>>
>>>/var/log/snort/alert log not write.!!
>>>nothing write.
>>
>>why would pinging your snort box with a normal ping cause an alert?. did
>>you add the rules that do this? (by default they are NOT included when
>>using the default snort.conf).
>
> yes.! it was used default snort.conf
>
> actual file (/etc/snort.conf)
> ----------------------------------------------------------------------------
> #--------------------------------------------------
> #   http://www.snort.org     Snort 2.0.0 Ruleset
> #     Contact: snort-sigs at lists.sourceforge.net
> #--------------------------------------------------
> # $Id: snort.conf,v 1.124 2003/05/16 02:52:41 cazz Exp $
> #
> ###################################################
> # This file contains a sample snort configuration.
> # You can take the following steps to create your
> # own custom configuration:
> #
> #  1) Set the network variables for your network
> #  2) Configure preprocessors
> #  3) Configure output plugins
> #  4) Customize your rule set
> #
> ###################################################
> # Step #1: Set the network variables:
> #
> # You must change the following variables to reflect
> # your local network. The variable is currently
> # setup for an RFC 1918 address space.
> #
> # You can specify it explicitly as:
> #
> # var HOME_NET 10.1.1.0/24
> #
> # or use global variable $<interfacename>_ADDRESS
> # which will be always initialized to IP address and
> # netmask of the network interface which you run
> # snort at.  Under Windows, this must be specified
> # as $(<interfacename>_ADDRESS), such as:
> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> #
> # var HOME_NET $eth0_ADDRESS
> #
> # You can specify lists of IP addresses for HOME_NET
> # by separating the IPs with commas like this:
> #
> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> #
> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> #
> # or you can specify the variable to be any IP address
> # like this:
>
> var HOME_NET any
>
> # Set up the external network addresses as well.
> # A good start may be "any"
>
> var EXTERNAL_NET any
>
> # Configure your server lists.  This allows snort to only look for attacks
> # to systems that have a service up.  Why look for HTTP attacks if you are
> # not running a web server?  This allows quick filtering based on IP
> addresses
> # These configurations MUST follow the same configuration scheme as
> defined
> # above for $HOME_NET.
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # Configure your service ports.  This allows snort to look for attacks
> # destined to a specific application only on the ports that application
> # runs on.  For example, if you run a web server on port 8081, set your
> # HTTP_PORTS variable like this:
> #
> # var HTTP_PORTS 8081
> #
> # Port lists must either be continuous [eg 80:8080], or a single port [eg
> 80].
> # We will adding support for a real list of ports in the future.
>
> # Ports you run web servers on
> var HTTP_PORTS 80
>
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
>
> # other variables
> #
> # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
> # modifying the signatures when they do, we add them to this list of
> # servers.
> var AIM_SERVERS
> [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.
> 29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /etc/snort/rules
>
> # Configure the snort decoder:
> # ============================
> #
> # Stop generic decode events:
> #
> # config disable_decode_alerts
> #
> # Stop Alerts on experimental TCP options
> #
> # config disable_tcpopt_experimental_alerts
> #
> # Stop Alerts on obsolete TCP options
> #
> # config disable_tcpopt_obsolete_alerts
> #
> # Stop Alerts on T/TCP alerts
> #
> # config disable_ttcp_alerts
> #
> # Stop Alerts on all other TCPOption type events:
> #
> # config disable_tcpopt_alerts
> #
> # Stop Alerts on invalid ip options
> #
> # config disable_ipopt_alerts
>
>
> # Configure the detection engine
> # ===============================
> #
> # Use a different pattern matcher in case you have a machine with very
> # limited resources:
> #
> # config detection: search-method lowmem
>
>
> ###################################################
> # Step #2: Configure preprocessors
> #
> # General configuration for preprocessors is of
> # the form
> # preprocessor <name_of_processor>: <configuration_options>
>
> # frag2: IP defragmentation support
> # -------------------------------
> # This preprocessor performs IP defragmentation.  This plugin will also
> detect
> # people launching fragmentation attacks (usually DoS) against hosts.  No
> # arguments loads the default configuration of the preprocessor, which is
> a
> # 60 second timeout and a 4MB fragment buffer.
>
> # The following (comma delimited) options are available for frag2
> #    timeout [seconds] - sets the number of [seconds] than an unfinished
> #                        fragment will be kept around waiting for
> completion,
> #                        if this time expires the fragment will be flushed
> #    memcap [bytes] - limit frag2 memory usage to [number] bytes
> #                      (default:  4194304)
> #
> #    min_ttl [number] - minimum ttl to accept
> #
> #    ttl_limit [number] - difference of ttl to accept without alerting
> #                         will cause false positves with router flap
> #
> # Frag2 uses Generator ID 113 and uses the following SIDS
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Oversized fragment (reassembled frag > 64k bytes)
> #   2       Teardrop-type attack
>
> preprocessor frag2
>
> # stream4: stateful inspection/stream reassembly for Snort
> #----------------------------------------------------------------------
> # Use in concert with the -z [all|est] command line switch to defeat
> # stick/snot against TCP rules.  Also performs full TCP stream
> # reassembly, stateful inspection of TCP streams, etc.  Can statefully
> # detect various portscan types, fingerprinting, ECN, etc.
>
> # stateful inspection directive
> # no arguments loads the defaults (timeout 30, memcap 8388608)
> # options (options are comma delimited):
> #   detect_scans - stream4 will detect stealth portscans and generate
> alerts
> #                  when it sees them when this option is set
> #   detect_state_problems - detect TCP state problems, this tends to be
> very
> #                           noisy because there are a lot of crappy ip
> stack
> #                           implementations out there
> #
> #   disable_evasion_alerts - turn off the possibly noisy mitigation of
> #                            overlapping sequences.
> #
> #
> #   min_ttl [number]       - set a minium ttl that snort will accept to
> #                            stream reassembly
> #
> #   ttl_limit [number]     - differential of the initial ttl on a session
> versus
> #                             the normal that someone may be playing
> games.
> #                             Routing flap may cause lots of false
> positives.
> #
> #   keepstats [machine|binary] - keep session statistics, add "machine" to
> #                         get them in a flat format for machine reading,
> add
> #                         "binary" to get them in a unified binary output
> #                         format
> #   noinspect - turn off stateful inspection only
> #   timeout [number] - set the session timeout counter to [number]
> seconds,
> #                      default is 30 seconds
> #   memcap [number] - limit stream4 memory usage to [number] bytes
> #   log_flushed_streams - if an event is detected on a stream this option
> will
> #                         cause all packets that are stored in the stream4
> #                         packet buffers to be flushed to disk.  This only
> #                         works when logging in pcap mode!
> #
> # Stream4 uses Generator ID 111 and uses the following SIDS
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Stealth activity
> #   2       Evasive RST packet
> #   3       Evasive TCP packet retransmission
> #   4       TCP Window violation
> #   5       Data on SYN packet
> #   6       Stealth scan: full XMAS
> #   7       Stealth scan: SYN-ACK-PSH-URG
> #   8       Stealth scan: FIN scan
> #   9       Stealth scan: NULL scan
> #   10      Stealth scan: NMAP XMAS scan
> #   11      Stealth scan: Vecna scan
> #   12      Stealth scan: NMAP fingerprint scan stateful detect
> #   13      Stealth scan: SYN-FIN scan
> #   14      TCP forward overlap
>
> preprocessor stream4: detect_scans, disable_evasion_alerts
>
> # tcp stream reassembly directive
> # no arguments loads the default configuration
> #   Only reassemble the client,
> #   Only reassemble the default list of ports (See below),
> #   Give alerts for "bad" streams
> #
> # Available options (comma delimited):
> #   clientonly - reassemble traffic for the client side of a connection
> only
> #   serveronly - reassemble traffic for the server side of a connection
> only
> #   both - reassemble both sides of a session
> #   noalerts - turn off alerts from the stream reassembly stage of stream4
> #   ports [list] - use the space separated list of ports in [list], "all"
> #                  will turn on reassembly for all ports, "default" will
> turn
> #                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110,
> 111
> #                  and 513
>
> preprocessor stream4_reassemble
>
> # http_decode: normalize HTTP requests
> # ------------------------------------
> # http_decode normalizes HTTP requests from remote
> # machines by converting any %XX character
> # substitutions to their ASCII equivalent. This is
> # very useful for doing things like defeating hostile
> # attackers trying to stealth themselves from IDSs by
> # mixing these substitutions in with the request.
> # Specify the port numbers you want it to analyze as arguments.
> #
> # Major code cleanups thanks to rfp
> #
> # unicode          - normalize unicode
> # iis_alt_unicode  - %u encoding from iis
> # double_encode    - alert on possible double encodings
> # iis_flip_slash   - normalize \ as /
> # full_whitespace  - treat \t as whitespace ( for apache )
> #
> # for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       UNICODE attack
> #   2       NULL byte attack
>
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> iis_flip_slas
> h full_whitespace
>
> # rpc_decode: normalize RPC traffic
> # ---------------------------------
> # RPC may be sent in alternate encodings besides the usual
> # 4-byte encoding that is used by default.  This preprocessor
> # normalized RPC traffic in much the same way as the http_decode
> # preprocessor.  This plugin takes the ports numbers that RPC
> # services are running on as arguments.
> # The RPC decode preprocessor uses generator ID 106
> #
> # arguments: space separated list
> # alert_fragments - alert on any rpc fragmented TCP data
> # no_alert_multiple_requests - don't alert when >1 rpc query is in a
> packet
> # no_alert_large_fragments - don't alert when the fragmented
> #                            sizes exceed the current packet size
> # no_alert_incomplete - don't alert when a single segment
> #                       exceeds the current packet size
>
> preprocessor rpc_decode: 111 32771
>
> # bo: Back Orifice detector
> # -------------------------
> # Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
> #
> # The Back Orifice detector uses Generator ID 105 and uses the
> # following SIDS for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Back Orifice traffic detected
>
> preprocessor bo
>
> # telnet_decode: Telnet negotiation string normalizer
> # ---------------------------------------------------
> # This preprocessor "normalizes" telnet negotiation strings from
> # telnet and ftp traffic.  It works in much the same way as the
> # http_decode preprocessor, searching for traffic that breaks up
> # the normal data stream of a protocol and replacing it with
> # a normalized representation of that traffic so that the "content"
> # pattern matching keyword can work without requiring modifications.
> # This preprocessor requires no arguments.
> # Portscan uses Generator ID 109 and does not generate any SID currently.
>
> preprocessor telnet_decode
>
> # Portscan: detect a variety of portscans
> # ---------------------------------------
> # portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
> # This preprocessor detects UDP packets or TCP SYN packets going to
> # four different ports in less than three seconds. "Stealth" TCP
> # packets are always detected, regardless of these settings.
> # Portscan uses Generator ID 100 and uses the following SIDS for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Portscan detect
> #   2       Inter-scan info
> #   3       Portscan End
>
> # preprocessor portscan: $HOME_NET 4 3 portscan.log
>
> # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
> # specific networks or hosts to reduce false alerts. It is typical
> # to see many false alerts from DNS servers so you may want to
> # add your DNS servers here. You can all multiple hosts/networks
> # in a whitespace-delimited list.
> #
> #preprocessor portscan-ignorehosts: 0.0.0.0
>
> # arpspoof
> #----------------------------------------
> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> # unicast ARP requests, and specific ARP mapping monitoring.  To make use
> # of this preprocessor you must specify the IP and hardware address of
> hosts on
> # the same layer 2 segment as you.  Specify one host IP MAC combo per
> line.
> # Also takes a "-unicast" option to turn on unicast ARP request detection.
> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
> #  SID     Event description
> # -----   -------------------
> #   1       Unicast ARP request
> #   2       Etherframe ARP mismatch (src)
> #   3       Etherframe ARP mismatch (dst)
> #   4       ARP cache overwrite attack
>
> #preprocessor arpspoof
> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
>
> # Conversation
> #------------------------------------------
> # This preprocessor tracks conversations for tcp, udp and icmp traffic.
> It
> # is a prerequisite for running portscan2.
> #
> # allowed_ip_protcols 1 6 17
> #      list of allowed ip protcols ( defaults to any )
> #
> # timeout [num]
> #      conversation timeout ( defaults to 60 )
> #
> #
> # max_conversations [num]
> #      number of conversations to support at once (defaults to 65335)
> #
> #
> # alert_odd_protocols
> #      alert on protocols not listed in allowed_ip_protocols
> #
> # preprocessor conversation: allowed_ip_protocols all, timeout 60,
> max_conversat
> ions 3000
> #
> # Portscan2
> #-------------------------------------------
> # Portscan 2, detect portscans in a new and exciting way.  You must enable
> # spp_conversation in order to use this preprocessor.
> #
> # Available options:
> #       scanners_max [num]
> #       targets_max [num]
> #       target_limit [num]
> #       port_limit [num]
> #       timeout [num]
> #       log [logdir]
> #
> #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit
> 5, por
> t_limit 20, timeout 60
>
> # Too many false alerts from portscan2? Tone it down with
> # portscan2-ignorehosts!
> #
> # A space delimited list of addresses in CIDR notation to ignore
> #
> # preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24
> #
>
> # Experimental Perf stats
> # -----------------------
> # No docs. Highly subject to change.
> #
> # preprocessor perfmonitor: console flow events time 10
>
> ####################################################################
> # Step #3: Configure output plugins
> #
> # Uncomment and configure the output plugins you decide to use.
> # General configuration for output plugins is of the form:
> #
> # output <name_of_plugin>: <configuration_options>
> #
> # alert_syslog: log alerts to syslog
> # ----------------------------------
> # Use one or more syslog facilities as arguments.  Win32 can also
> # optionally specify a particular hostname/port.  Under Win32, the
> # default hostname is '127.0.0.1', and the default port is 514.
> #
> # [Unix flavours should use this format...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> #
> # [Win32 can use any of these formats...]
> # output alert_syslog: LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
>
> # log_tcpdump: log packets in binary tcpdump format
> # -------------------------------------------------
> # The only argument is the output file name.
> #
> # output log_tcpdump: tcpdump.log
>
> # database: log to a variety of databases
> # ---------------------------------------
> # See the README.database file for more information about configuring
> # and using this plugin.
> #
> # output database: log, mysql, user=root password=test dbname=db
> host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, unixodbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
>
> # unified: Snort unified binary format alerting and logging
> # -------------------------------------------------------------
> # The unified output plugin provides two new formats for logging
> # and generating alerts from Snort, the "unified" format.  The
> # unified format is a straight binary format for logging data
> # out of Snort that is designed to be fast and efficient.  Used
> # with barnyard (the new alert/log processor), most of the overhead
> # for logging and alerting to various slow storage mechanisms
> # such as databases or the network can now be avoided.
> #
> # Check out the spo_unified.h file for the data formats.
> #
> # Two arguments are supported.
> #    filename - base filename to write to (current time_t is appended)
> #    limit    - maximum size of spool file in MB (default: 128)
> #
> # output alert_unified: filename snort.alert, limit 128
> # output log_unified: filename snort.log, limit 128
>
> # You can optionally define new rule types and associate one or
> # more output plugins specifically to that type.
> #
> # This example will create a type that will log to just tcpdump.
> # ruletype suspicious
> # {
> #   type log
> #   output log_tcpdump: suspicious.log
> # }
> #
> # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
> # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
> #
> # This example will create a rule type that will log to syslog
> # and a mysql database.
> # ruletype redalert
> # {
> #   type alert
> #   output alert_syslog: LOG_AUTH LOG_ALERT
> #   output database: log, mysql, user=snort dbname=snort host=localhost
> # }
> #
> # EXAMPLE RULE FOR REDALERT RULETYPE
> # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
> #   (msg:"Someone is being LEET"; flags:A+;)
>
> #
> # Include classification & priority settings
> #
>
> include classification.config
>
> #
> # Include reference systems
> #
>
> include reference.config
>
> ####################################################################
> # Step #4: Customize your rule set
> #
> # Up to date snort rules are available at http://www.snort.org
> #
> # The snort web site has documentation about how to write your own
> # custom snort rules.
> #
> # The rules included with this distribution generate alerts based on
> # on suspicious activity. Depending on your network environment, your
> # security policies, and what you consider to be suspicious, some of
> # these rules may either generate false positives ore may be detecting
> # activity you consider to be acceptable; therefore, you are
> # encouraged to comment out rules that are not applicable in your
> # environment.
> #
> # Note that using all of the rules at the same time may lead to
> # serious packet loss on slower machines. YMMV, use with caution,
> # standard disclaimers apply. :)
> #
> # The following individuals contributed many of rules in this
> # distribution.
> #
> # Credits:
> #   Ron Gula <rgula at ...922...> of Network Security Wizards
> #   Max Vision <vision at ...4...>
> #   Martin Markgraf <martin at ...923...>
> #   Fyodor Yarochkin <fygrave at ...121...>
> #   Nick Rogness <nick at ...176...>
> #   Jim Forster <jforster at ...176...>
> #   Scott McIntyre <scott at ...315...>
> #   Tom Vandepoel <Tom.Vandepoel at ...271...>
> #   Brian Caswell <bmc at ...950...>
> #   Zeno <admin at ...4494...>
> #   Ryan Russell <ryan at ...35...>
> #
> #=========================================
> # Include all relevant rulesets here
> #
> # shellcode, policy, info, backdoor, and virus rulesets are
> # disabled by default.  These require tuning and maintance.
> # Please read the included specific file for more information.
> #=========================================
>
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> # include $RULE_PATH/web-attacks.rules
> # include $RULE_PATH/backdoor.rules
> # include $RULE_PATH/shellcode.rules
> # include $RULE_PATH/policy.rules
> # include $RULE_PATH/porn.rules
> # include $RULE_PATH/info.rules
> # include $RULE_PATH/icmp-info.rules
> # include $RULE_PATH/virus.rules
> # include $RULE_PATH/chat.rules
> # include $RULE_PATH/multimedia.rules
> # include $RULE_PATH/p2p.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/local.rules
> -----------------------------------------------------------------------------------
>
>>
>>pinging on your loopback will likely cause alerts because it's address is
>>127.0.0.1, which is pretty unusual..
>
> and ping execution result.
> 1. to lo interface
> PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
> 64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=48 usec
> 64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=32 usec
> 64 bytes from 127.0.0.1: icmp_seq=2 ttl=255 time=39 usec
> 64 bytes from 127.0.0.1: icmp_seq=3 ttl=255 time=31 usec
>
> 2.this machine eth interface (eth0)
> PING 10.252.30.79 (10.252.30.79) from 10.252.30.79 : 56(84) bytes of data.
> 64 bytes from 10.252.30.79: icmp_seq=0 ttl=255 time=47 usec
> 64 bytes from 10.252.30.79: icmp_seq=1 ttl=255 time=34 usec
> 64 bytes from 10.252.30.79: icmp_seq=2 ttl=255 time=37 usec
> 64 bytes from 10.252.30.79: icmp_seq=3 ttl=255 time=40 usec
>
>>  pinging a normal machine is pretty normal.. if you logged every such
>>incident you'd have a pretty noisy sensor.
>
> actually, you whitten with in accord.
> but not realize. why not execreason.???
> sorry.
> want to give advices.
>
> Regards.
>
> -----------------
>  Hideki Hirata
>   sphoenix at ...10569...
>   vega_1124_hdk at ...10570...
>  http://www7.freeweb.ne.jp/diary/sphoenix
>
>
> -------------------------------------------------------
> This SF. Net email is sponsored by: GoToMyPC
> GoToMyPC is the fast, easy and secure way to access your computer from
> any Web browser or wireless device. Click here to Try it Free!
> https://www.gotomypc.com/tr/OSDN/AW/Q4_2003/t/g22lp?Target=mm/g22lp.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...





More information about the Snort-users mailing list