[Snort-users] Snort 2.8.0.1 segfaults on a specific rule - parser bug (?)

Joel Esler joel.esler at ...1935...
Tue Jan 15 12:04:55 EST 2008


Looks like an error in the bleeding rule.  The Destination end of the  
connection has no ip's set.

Joel

On Jan 15, 2008, at 11:15 AM, Andreas Maus wrote:

> Hi list!
>
> After an upgrade of the bleedingedge ruleset I discovered that
> Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule.
>
> This rule can be found in bleeding-botcc.rules. There is only
> on rule so finding that rule was easy ;)
>
> The offending rule is:
>
> alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot  
> C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org;  
> threshold: type limit, track by_src, seconds 3600, count
> :trojan-activity; sid:2404000; rev:1026;)
>
> I guess it is the "-> []" part that triggers the core dump
> (I will also post a mail to the appropiate mailinglist - snort-sigs ?
> about this).
>
> Anyway I don't think it is the desired behavior to just SIGSEGV.
> An error will be o.k.
>
> The outout from snort was:
>
> Running in Test mode with config file: /etc/snort/snort.conf
> Running in IDS mode
>
>        --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
> PortVar 'HTTP_PORTS' defined :  [ 80]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
> PortVar 'ORACLE_PORTS' defined :  [ 1521]
> -------------------------------------------------
> Keyword     |       Preprocessor @
> -------------------------------------------------
> rpc_decode   :       0x45f6fe
> bo           :       0x45e7aa
> stream4      :       0x4612d2
> stream4_reassemble:       0x462ab8
> stream4_external:       0x462457
> arpspoof     :       0x45daf5
> arpspoof_detect_host:       0x45dc46
> http_inspect :       0x4796a2
> http_inspect_server:       0x4796a2
> PerfMonitor  :       0x471b42
> flow         :       0x47d90e
> flow-portscan:       0x48d955
> sfportscan   :       0x4809cc
> frag3_global :       0x4811d2
> frag3_engine :       0x48130f
> stream5_global:       0x488594
> stream5_tcp  :       0x488fbd
> stream5_udp  :       0x489034
> stream5_icmp :       0x4890ab
> -------------------------------------------------
>
> -------------------------------------------------
> Keyword     |      Plugin Registered @
> -------------------------------------------------
> content      :      0x4521af
> offset       :      0x452616
> depth        :      0x45278d
> nocase       :      0x452927
> rawbytes     :      0x4529f9
> uricontent   :      0x452281
> http_client_body:      0x45235e
> http_uri     :      0x4524ba
> distance     :      0x452aae
> within       :      0x452c3c
> replace      :      0x45075b
> flags        :      0x455433
> itype        :      0x44e943
> icode        :      0x44de9f
> ttl          :      0x4560bf
> id           :      0x44f8df
> ack          :      0x455223
> seq          :      0x455c17
> dsize        :      0x44d86b
> ipopts       :      0x450277
> rpc          :      0x454223
> icmp_id      :      0x44e4b3
> icmp_seq     :      0x44e6fb
> session      :      0x4549d3
> tos          :      0x44ffd3
> fragbits     :      0x44ef53
> fragoffset   :      0x44f542
> window       :      0x455dfe
> ip_proto     :      0x44facf
> sameip       :      0x44fe0b
> flow         :      0x4567ea
> byte_test    :      0x456f0b
> byte_jump    :      0x45790b
> isdataat     :      0x458e8f
> pcre         :      0x4582f2
> flowbits     :      0x45941a
> asn1         :      0x45a27f
> ftpbounce    :      0x45a8db
> urilen       :      0x45adea
> -------------------------------------------------
>
> -------------------------------------------------
> Keyword     |          Output @
> -------------------------------------------------
> alert_syslog :       0x440aa3
> log_tcpdump  :       0x44732f
> database     :       0x442f3b
> alert_fast   :       0x43fcfb
> alert_full   :       0x44049b
> alert_unixsock:       0x4417e3
> alert_CSV    :       0x441dd3
> log_null     :       0x447247
> log_unified  :       0x4499be
> alert_unified:       0x449667
> unified      :       0x447bcf
> log_unified2 :       0x44b80a
> alert_unified2:       0x44b77f
> unified2     :       0x44a643
> log_ascii    :       0x44b8e7
> alert_sf_socket:       0x44c53f
> alert_sf_socket_sid:       0x44c883
> alert_test   :       0x44d0fb
> -------------------------------------------------
>
> Detection:
>   Search-Method = Low-Mem
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4096
> | Overhead Bytes:  32776(%0.31)
> `----------------------------------------------
> Frag3 global config:
>    Max frags: 65536
>    Fragment memory cap: 4194304 bytes
> Frag3 engine config:
>    Target-based policy: FIRST
>    Fragment timeout: 60 seconds
>    Fragment min_ttl:   1
>    Fragment ttl_limit: 5
>    Fragment Problems: 1
> Stream4 config:
>    Stateful inspection: ACTIVE
>    Session statistics: INACTIVE
>    Session timeout: 30 seconds
>    Session memory cap: 8388608 bytes
>    Session count max: 8192 sessions
>    Session cleanup count: 5
>    State alerts: INACTIVE
>    Evasion alerts: INACTIVE
>    Scan alerts: INACTIVE
>    Log Flushed Streams: INACTIVE
>    MinTTL: 1
>    TTL Limit: 5
>    Async Link: 0
>    State Protection: 0
>    Self preservation threshold: 50
>    Self preservation period: 90
>    Suspend threshold: 200
>    Suspend period: 30
>    Enforce TCP State: INACTIVE
>    Midstream Drop Alerts: INACTIVE
>    Allow Blocking of TCP Sessions in Inline: ACTIVE
> WARNING /etc/snort/snort.conf(439) => flush_behavior set in config  
> file, using old static flushpoints (0)
> Stream4_reassemble config:
>    Server reassembly: INACTIVE
>    Client reassembly: ACTIVE
>    Reassembler alerts: ACTIVE
>    Zero out flushed packets: INACTIVE
>    Flush stream on alert: INACTIVE
>    flush_data_diff_size: 500
>    Reassembler Packet Preferance : Favor Old
>    Packet Sequence Overlap Limit: -1
>    Flush behavior: Small (<255 bytes)
>    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433  
> 1521 3306
>    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143  
> 445 513 1433 1521 3306
> PerfMonitor config:
>    Time:           300 seconds
>    Flow Stats:     INACTIVE
>    Event Stats:    INACTIVE
>    Max Perf Stats: INACTIVE
>    Console Mode:   INACTIVE
>    File Mode:      /var/log/snort/snort.stats
>    SnortFile Mode: INACTIVE
>    Packet Count:   10000
>    Dump Summary:   No
> HttpInspect Config:
>    GLOBAL CONFIG
>      Max Pipeline Requests:    0
>      Inspection Type:          STATELESS
>      Detect Proxy Usage:       NO
>      IIS Unicode Map Filename: /etc/snort/unicode.map
>      IIS Unicode Map Codepage: 1252
>    DEFAULT SERVER CONFIG:
>      Server profile: All
>      Ports: 80 8080 8180
>      Flow Depth: 300
>      Max Chunk Length: 500000
>      Inspect Pipeline Requests: YES
>      URI Discovery Strict Mode: NO
>      Allow Proxy Usage: NO
>      Disable Alerting: NO
>      Oversize Dir Length: 500
>      Only inspect URI: NO
>      Ascii: YES alert: NO
>      Double Decoding: YES alert: YES
>      %U Encoding: YES alert: YES
>      Bare Byte: YES alert: YES
>      Base36: OFF
>      UTF 8: OFF
>      IIS Unicode: YES alert: YES
>      Multiple Slash: YES alert: NO
>      IIS Backslash: YES alert: NO
>      Directory Traversal: YES alert: NO
>      Web Root Traversal: YES alert: YES
>      Apache WhiteSpace: YES alert: NO
>      IIS Delimiter: YES alert: NO
>      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>      Non-RFC Compliant Characters: NONE
>      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>    Ports to decode RPC on: 111 32771
>    alert_fragments: INACTIVE
>    alert_large_fragments: ACTIVE
>    alert_incomplete: ACTIVE
>    alert_multiple_requests: ACTIVE
> Portscan Detection Config:
>    Detect Protocols:  TCP UDP ICMP IP
>    Detect Scan Type:  portscan portsweep decoy_portscan  
> distributed_portscan
>    Sensitivity Level: Medium
>    Memcap (in bytes): 10000000
>    Number of Nodes:   31347
>    Ignore Scanner IP List:
>        213.146.114.84 / 255.255.255.255
>        88.198.22.244 / 255.255.255.255
>
> PortVar 'SSH_PORTS' defined :  [ 22]
> Tagged Packet Limit: 256
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/ 
> libsf_engine.so... done
> Loading all dynamic preprocessor libs from /usr/local/lib/ 
> snort_dynamicpreprocessor/...
>  Loading dynamic preprocessor library /usr/local/lib/ 
> snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>  Loading dynamic preprocessor library /usr/local/lib/ 
> snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>  Loading dynamic preprocessor library /usr/local/lib/ 
> snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>  Loading dynamic preprocessor library /usr/local/lib/ 
> snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
>  Loading dynamic preprocessor library /usr/local/lib/ 
> snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>  Loading dynamic preprocessor library /usr/local/lib/ 
> snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.so...  
> done
>  Finished Loading all dynamic preprocessor libs from /usr/local/lib/ 
> snort_dynamicpreprocessor/
> FTPTelnet Config:
>    GLOBAL CONFIG
>      Inspection Type: stateful
>      Check for Encrypted Traffic: YES alert: YES
>      Continue to check encrypted data: NO
>    TELNET CONFIG:
>      Ports: 23
>      Are You There Threshold: 200
>      Normalize: YES
>      Detect Anomalies: NO
>    FTP CONFIG:
>      FTP Server: default
>        Ports: 21
>        Check for Telnet Cmds: YES alert: YES
>        Identify open data channels: YES
>      FTP Client: default
>        Check for Bounce Attacks: YES alert: YES
>        Check for Telnet Cmds: YES alert: YES
>        Max Response Length: 256
>
> SMTP Config:
>    Ports: 25
>    Inspection Type: Stateful
>    Normalize: EXPN RCPT VRFY
>    Ignore Data: No
>    Ignore TLS Data: No
>    Ignore SMTP Alerts: No
>    Max Command Line Length: Unlimited
>    Max Specific Command Line Length:
>       ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
>       RCPT:300 VRFY:255
>    Max Header Line Length: Unlimited
>    Max Response Line Length: Unlimited
>    X-Link2State Alert: Yes
>    Drop on X-Link2State Alert: No
>    Alert on commands: None
>
> DCE/RPC Decoder config:
>    Autodetect ports ENABLED
>    SMB fragmentation ENABLED
>    DCE/RPC fragmentation ENABLED
>    Max Frag Size: 3000 bytes
>    Memcap: 100000 KB
>    Alert if memcap exceeded DISABLED
>
> DNS config:
>    DNS Client rdata txt Overflow Alert: ACTIVE
>    Obsolete DNS RR Types Alert: INACTIVE
>    Experimental DNS RR Types Alert: INACTIVE
>    Ports: 53
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Segmentation fault (core dumped)
>
> The backtrace is from the core file is:
>
> debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort  core
> GNU gdb 6.4.90-debian
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and  
> you are
> welcome to change it and/or distribute copies of it under certain  
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for  
> details.
> This GDB was configured as "x86_64-linux-gnu"...Using host  
> libthread_db library "/lib/libthread_db.so.1".
>
> Reading symbols from /usr/lib/libmysqlclient.so.14...done.
> Loaded symbols for /usr/lib/libmysqlclient.so.14
> Reading symbols from /lib/libcrypt.so.1...done.
> Loaded symbols for /lib/libcrypt.so.1
> Reading symbols from /usr/lib/libz.so.1...done.
> Loaded symbols for /usr/lib/libz.so.1
> Reading symbols from /usr/lib/libpcre.so.3...done.
> Loaded symbols for /usr/lib/libpcre.so.3
> Reading symbols from /usr/lib/libpcap.so.0.8...done.
> Loaded symbols for /usr/lib/libpcap.so.0.8
> Reading symbols from /lib/libm.so.6...done.
> Loaded symbols for /lib/libm.so.6
> Reading symbols from /lib/libnsl.so.1...done.
> Loaded symbols for /lib/libnsl.so.1
> Reading symbols from /lib/libdl.so.2...done.
> Loaded symbols for /lib/libdl.so.2
> Reading symbols from /usr/lib/libnet.so.0...done.
> Loaded symbols for /usr/lib/libnet.so.0
> Reading symbols from /lib/libc.so.6...done.
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib/ld-linux-x86-64.so.2...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> Reading symbols from /lib/libnss_files.so.2...done.
> Loaded symbols for /lib/libnss_files.so.2
> Reading symbols from /usr/local/lib/snort_dynamicengine/ 
> libsf_engine.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
> libsf_ftptelnet_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
> libsf_ftptelnet_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
> libsf_smtp_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
> libsf_smtp_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
> libsf_ssh_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
> libsf_ssh_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
> libsf_dcerpc_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
> libsf_dcerpc_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
> libsf_dns_preproc.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
> libsf_dns_preproc.so
> Reading symbols from /usr/local/lib/snort_dynamicpreprocessor/ 
> lib_sfdynamic_preprocessor_example.so...done.
> Loaded symbols for /usr/local/lib/snort_dynamicpreprocessor// 
> lib_sfdynamic_preprocessor_example.so
> Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b - 
> i eth0 -l /var/log/snort -c /etc/'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at  
> parser.c:1556
> 1556        if(!addrset->iplist || !addrset->neg_iplist)
> (gdb) bt
> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at  
> parser.c:1556
> #1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>    prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING- 
> EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org 
> ; threshold: type limit, track by_src, se
> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
> #2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/ 
> rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at  
> parser.c:732
> #3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0,  
> prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules",  
> inclevel=0, parse_rule_lines=1) at parser.c:1749
> #4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/ 
> snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
> #5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at  
> snort.c:913
> #6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at  
> snort.c:388
> (gdb) bt full
> #0  0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at  
> parser.c:1556
>        idx = (IpAddrNode *) 0x0
>        neg_idx = (IpAddrNode *) 0x0
> #1  0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>    prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING- 
> EDGE DROP Known Bot C&C Server Traffic (group 1) \"; reference:url,www.shadowserver.org 
> ; threshold: type limit, track by_src, se
> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
>        toks = (char **) 0x404ac50
>        num_toks = 10
>        rule_type = 2
>        protocol = 2048
>        tmp = 0x100000000 <Address 0x100000000 out of bounds>
>        proto_node = {rule_func = 0x0, head_node_number = 0, type =  
> 2, sip = 0x40b9d20, dip = 0x0, proto = 2048, src_portobject =  
> 0x12f3430, dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0,
>  not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0,  
> activation_counter = 0, countdown = 0, activate_list = 0x0, right =  
> 0x0, down = 0x0, listhead = 0x0}
>        node = (RuleListNode *) 0x12d91c0
>        rule = 0x40df030 "alert ip $HOME_NET any -> [] any (msg: 
> \"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";  
> reference:url,www.shadowserver.org; threshold: type limit, track by_sr
> 600, count 1; clas"...
>        preprocessor_rule = 0
> #2  0x0000000000415bda in ParseRulesFile (file=0x40dd840 "/etc/snort/ 
> rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at  
> parser.c:732
>        thefp = (FILE *) 0x12edb30
>        index = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg: 
> \"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";  
> reference:url,www.shadowserver.org; threshold: type limit, track by_s
> 3600, count 1; clas"...
>        stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
>        stored_file_line = 1025
>        saved_line = 0x0
>        continuation = 0
>        new_line = 0x0
>        file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1,  
> st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0,  
> st_size = 2257, st_blksize = 4096, st_blocks = 8, st_atim = {
>    tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec =  
> 1200413430, tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430,  
> tv_nsec = 173383232}, __unused = {0, 0, 0}}
>        rule = 0x1367c80 ""
>        buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg: 
> \"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";  
> reference:url,www.shadowserver.org; threshold: type limit, track  
> by_src
> 00, count 1; clas"...
> #3  0x000000000041734e in ParseRule (rule_file=0x12ed8f0,  
> prule=0x135fc70 "include $RULE_PATH/bleeding-botcc.rules",  
> inclevel=0, parse_rule_lines=1) at parser.c:1749
>        toks = (char **) 0x40e03a0
>        num_toks = 2
>        rule_type = 4
>        protocol = 0
>        tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
>        proto_node = {rule_func = 0x0, head_node_number = 0, type =  
> 0, sip = 0x0, dip = 0x0, proto = 0, src_portobject = 0x0,  
> dst_portobject = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag  
> = 0
>  ldp = 0, flags = 0, active_flag = 0, activation_counter = 0,  
> countdown = 0, activate_list = 0x0, right = 0x0, down = 0x0,  
> listhead = 0x0}
>        node = (RuleListNode *) 0x12d91c0
>        rule = 0x40b96c0 "include /etc/snort/rules/bleeding- 
> botcc.rules"
>        preprocessor_rule = 0
> #4  0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0 "/etc/snort/ 
> snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
>        thefp = (FILE *) 0x12ed8f0
>        index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
>        stored_file_name = 0x0
>        stored_file_line = 0
>        saved_line = 0x0
>        continuation = 0
>        new_line = 0x0
>        file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1,  
> st_mode = 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0,  
> st_size = 41827, st_blksize = 4096, st_blocks = 88, st_atim = {
>    tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec =  
> 1200404707, tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707,  
> tv_nsec = 512701056}, __unused = {0, 0, 0}}
>        rule = 0x1346e60 ""
>        buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
> #5  0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at  
> snort.c:913
>        set = {__val = {0 <repeats 16 times>}}
> #6  0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at  
> snort.c:388
> No locals.
> (gdb) quit
>
> Despite fixing the rule, is there a known workaround ?
>
> Maybe this issue will be fixed in 2.8.0.2 ;)
>
> So long,
>
> Andreas.
>
> -- 
> "Things that try to look like things often do
> look more like things than things. Well-known fact."
> Granny Weatherwax - "Wyrd sisters"
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list