[Snort-users] HTTP INSPECT fails on Mirror Port

Anand Raj Manickam anandrm at ...11827...
Tue Aug 5 04:05:24 EDT 2014


On Mon, Aug 4, 2014 at 9:19 PM, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>
> ________________________________________
> From: Anand Raj Manickam [anandrm at ...11827...]
> Sent: Monday, August 04, 2014 11:38 AM
> To: Russ Combs (rucombs)
> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...635...eforge.net
> Subject: Re: HTTP INSPECT fails on Mirror Port
>
> On Mon, Aug 4, 2014 at 8:49 PM, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>>
>> ________________________________________
>> From: Anand Raj Manickam [anandrm at ...11827...]
>> Sent: Monday, August 04, 2014 11:12 AM
>> To: Russ Combs (rucombs)
>> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...4626...ceforge.net
>> Subject: Re: HTTP INSPECT fails on Mirror Port
>>
>> On Mon, Aug 4, 2014 at 5:24 PM, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>>>
>>> ________________________________________
>>> From: Anand Raj Manickam [anandrm at ...11827...]
>>> Sent: Monday, August 04, 2014 4:01 AM
>>> To: Russ Combs (rucombs)
>>> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...974...rceforge.net
>>> Subject: Re: HTTP INSPECT fails on Mirror Port
>>>
>>> On Thu, Jul 31, 2014 at 5:28 PM, Russ Combs (rucombs) <rucombs at ...16624....> wrote:
>>>>
>>>> ________________________________________
>>>> From: Anand Raj Manickam [anandrm at ...11827...]
>>>> Sent: Thursday, July 31, 2014 7:21 AM
>>>> To: Russ Combs (rucombs)
>>>> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...4422...urceforge.net
>>>> Subject: Re: HTTP INSPECT fails on Mirror Port
>>>>
>>>> I do not see any duplicate packets on the mirror port .
>>>> I have the screen shot of snort :
>>>>
>>>> http://pastebin.com/dcYa4v2G
>>>>
>>>> Live packet capture parallely
>>>>
>>>> * It looks like you fixed something because the duplicates in the pcap you sent are not shown below or in the shutdown counts.  However, those counts still show about half of the packets not processed by stream.  Of the 11 packets, only 6 are decoded as TCP and 5 are discarded by the decoder.  Most likely all traffic from your server is not decoded properly.
>>>>
>>> There is nothing fixed in the pcap , looks like sometimes there is a
>>> random behavior in the switch , where i do see some dup packets. I m
>>> sure why those packets are decoded.
>>>
>>>> * Please send an updated pcap.  Also, configure Snort to run in log mode and write a pcap (run Snort with -L but w/o -c).  You should see the same protocol breakdown counts, 11 total and 6 TCP.  Send that pcap too for comparison.
>>>
>>> This is the dump with the snort  -L -i eth0 (w/o -c)
>>> http://pastebin.com/RpQEMA8g
>>>
>>> I have attached the pcap - snort-L.pcap and the log file.
>>>
>>> * I don't see anything obvious in the pcap.  Try adding the following line to your conf and see if any alerts are generated:
>>>
>>> config autogenerate_preprocessor_decoder_rules
>>
>> + No dice.. I did add this config and rerun the test, i did not find
>> any logs either..
>>     snort  -L /var/log/snort/ -c /etc/snort.conf -i eth0
>>
>> * I meant add that to your conf and run in IPS mode (-c) not log mode (-L).
>   + No dice again.. i did try that.. The dump below
>    http://pastebin.com/vLftw765
>
> * You have something weird going on.  Now 6 are are eth:ip4:tcp and 4 are eth:other.  Previously they were eth:ip4:other.
>
> * At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up.  You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.

I have the gdb breaks set , i see that in Live packet capture mode ,
there appears to be a internal fragmentation of the packet though the
MTU is 1500, the max size of packet in this capture is only 556.
If you look at the pkt structs data , i see Characters  . But when i
played with pcap , i never saw character data. ( this is the reason
why pcap works )

I have the GDB dump below , with bt .

I have turned off all offload settings

# ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: off


Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
650 {
(gdb) bt
#0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
#1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
    at snort.c:1821
#2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
#3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
    at daq_pcap.c:361
#4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
max_packets=0, callback=0x5666f400 <pcap_process_loop>,
user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
#5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
./pcap.c:497
#6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
daq_pcap.c:379
#7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
<pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
<PacketCallback>, metaback=0x0, user=0x0)
    at daq_mod_ops.c:133
#8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
<PacketCallback>, user=0x0) at sfdaq.c:540
#9  0x565933bf in PacketLoop () at snort.c:3210
#10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
#11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
added, yet.</p>\n</body></html>\n") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300
<s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52,
p=0x56c63300 <s_packet>) at decode.c:2586
2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
650 {
(gdb) c
Continuing.

Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
650 {
(gdb) c
Continuing.
c




>
>>
>>>
>>>
>>>>
>>>>  # tcpdump -i eth0 -nn -e
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>> 04:15:24.568286 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
>>>> (0x0800), length 74: 10.11.117.90.52465 > 192.168.1.110.80: Flags [S],
>>>> seq 1075122842, win 4380, options [mss 1460,sackOK,TS val 2417285661
>>>> ecr 0,nop,wscale 7], length 0
>>>> 04:15:24.568369 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
>>>> (0x0800), length 74: 192.168.1.110.80 > 10.11.17.90.52465: Flags [S.],
>>>> seq 1484212294, ack 1075122843, win 14480, options [mss 1460,sackOK,TS
>>>> val 306401729 ecr 2417285661,nop,wscale 5], length 0
>>>> 04:15:24.568564 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
>>>> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
>>>> ack 1, win 35, options [nop,nop,TS val 2417285661 ecr 306401729],
>>>> length 0
>>>> 04:15:24.568699 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
>>>> (0x0800), length 167: 10.11.17.90.52465 > 192.168.1.110.80: Flags
>>>> [P.], seq 1:102, ack 1, win 35, options [nop,nop,TS val 2417285661 ecr
>>>> 306401729], length 101
>>>> 04:15:24.568703 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
>>>> (0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [.],
>>>> ack 102, win 453, options [nop,nop,TS val 306401729 ecr 2417285661],
>>>> length 0
>>>> 04:15:24.569410 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
>>>> (0x0800), length 556: 192.168.1.110.80 > 10.11.17.90.52465: Flags
>>>> [P.], seq 1:491, ack 102, win 453, options [nop,nop,TS val 306401729
>>>> ecr 2417285661], length 490
>>>> 04:15:24.569722 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
>>>> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
>>>> ack 491, win 43, options [nop,nop,TS val 2417285661 ecr 306401729],
>>>> length 0
>>>> 04:15:24.570059 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
>>>> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [F.],
>>>> seq 102, ack 491, win 43, options [nop,nop,TS val 2417285662 ecr
>>>> 306401729], length 0
>>>> 04:15:24.570137 00:1d:92:68:18:1a > 00:17:54:00:61:4f, ethertype IPv4
>>>> (0x0800), length 66: 192.168.1.110.80 > 10.11.17.90.52465: Flags [F.],
>>>> seq 491, ack 103, win 453, options [nop,nop,TS val 306401729 ecr
>>>> 2417285662], length 0
>>>> 04:15:24.570285 00:17:54:00:61:4f > 00:1d:92:68:18:1a, ethertype IPv4
>>>> (0x0800), length 66: 10.11.17.90.52465 > 192.168.1.110.80: Flags [.],
>>>> ack 492, win 43, options [nop,nop,TS val 2417285662 ecr 306401729],
>>>> length 0
>>>>
>>>>
>>>>
>>>> On Mon, Jul 28, 2014 at 9:27 PM, Russ Combs (rucombs) <rucombs at ...16731.....> wrote:
>>>>>
>>>>> ________________________________
>>>>> From: Anand Raj Manickam [anandrm at ...11827...]
>>>>> Sent: Friday, July 25, 2014 8:53 PM
>>>>>
>>>>> To: Russ Combs (rucombs)
>>>>> Cc: James Lay; snort-devel at lists.sourceforge.net;
>>>>> snort-users at lists.sourceforge.net
>>>>> Subject: HTTP INSPECT fails on Mirror Port
>>>>>
>>>>> Yes..the pap was captured in the same box running snort.
>>>>> The capture was on the port configured on mirror.
>>>>>
>>>>> * Looks like your mirror is sending two copies of all TCP packets to your
>>>>> sensor.  Not sure why you see different results but you might have better
>>>>> luck if you eliminate the duplicates.
>>>>>
>>>>>
>>>>> On Friday, July 25, 2014, Russ Combs (rucombs) <rucombs at ...589...> wrote:
>>>>>>
>>>>>>
>>>>>> ________________________________________
>>>>>> From: Anand Raj Manickam [anandrm at ...11827...]
>>>>>> Sent: Friday, July 25, 2014 1:42 AM
>>>>>> To: Russ Combs (rucombs)
>>>>>> Cc: James Lay; snort-devel at lists.sourceforge.net;
>>>>>> snort-users at lists.sourceforge.net
>>>>>> Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror Port
>>>>>>
>>>>>> This is the shutdown dump on Network Tap mode
>>>>>> http://pastebin.com/ADWvJAZQ
>>>>>> The Shutdown dump on pcap readback mode http://pastebin.com/afVJbawK
>>>>>> The difference i see is in Stream5 Statistics and the invocation of
>>>>>> HTTP Inspect on pcap readback mode.
>>>>>>
>>>>>> * There is a bigger difference.  Check your protocol breakdown counts.
>>>>>> Half the packets from the network are discarded.
>>>>>>
>>>>>> * This is why I asked if your pcap was captured from the box you are
>>>>>> running Snort.  If you can capture a pcap there you can reproduce the
>>>>>> problem in read back and compare pcaps.
>>>>>>
>>>>>> On Thu, Jul 24, 2014 at 10:27 PM, Russ Combs (rucombs)
>>>>>> <rucombs at ...589...> wrote:
>>>>>> > Did you capture the pcap on the box where you are running Snort?  How do
>>>>>> > Snort's shutdown stats compare between pcap readback and network tap modes?
>>>>>> >
>>>>>> > ________________________________________
>>>>>> > From: Anand Raj Manickam [anandrm at ...11827...]
>>>>>> > Sent: Thursday, July 24, 2014 11:57 AM
>>>>>> > To: James Lay; snort-devel at lists.sourceforge.net
>>>>>> > Cc: snort-users at lists.sourceforge.net
>>>>>> > Subject: Re: [Snort-devel] [Snort-users] HTTP INSPECT fails on Mirror
>>>>>> > Port
>>>>>> >
>>>>>> > Hi,
>>>>>> > Can someone on dev list help me ?
>>>>>> >
>>>>>> > I have the snort configured on Mirror Port of a Switch . Snort fails
>>>>>> > to detect HTTP but , It does detect the TCP and Stream5.
>>>>>> > The Stream5 Stats only show that it Tracks . I have the http_inspect
>>>>>> > and http_inspect_server preprocessors are configured.
>>>>>> > But when configured on read from pcap file , with the same config the
>>>>>> > HTTP is detected .
>>>>>> > Can someone shed some light on whats missing in my configuration on
>>>>>> > live Mirror port mode?
>>>>>> >
>>>>>> > # snort --daq-list
>>>>>> > Available DAQ modules:
>>>>>> > pcap(v3): readback live multi unpriv
>>>>>> > nfq(v7): live inline multi
>>>>>> > ipfw(v3): live inline multi unpriv
>>>>>> > dump(v2): readback live inline multi unpriv
>>>>>> >
>>>>>> > The config file : http://pastebin.com/qUpTfRLY
>>>>>> > The Snort Stats : http://pastebin.com/ADWvJAZQ
>>>>>> >
>>>>>> > With a pcap file , the HTTP Inspect is fine :
>>>>>> >  snort  -c /snort-2.9.6.1/etc/snort.conf  -r /data/test.pcap
>>>>>> >
>>>>>> > Thanks,
>>>>>> >
>>>>>> > On Wed, Jul 23, 2014 at 5:24 PM, James Lay <jlay at ...13475...>
>>>>>> > wrote:
>>>>>> >> On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
>>>>>> >>> Did try with
>>>>>> >>> For Snort :
>>>>>> >>> ./configure --with-dnet-includes=/opt/include/
>>>>>> >>> --with-dnet-libraries=/opt/lib --enable-sourcefire
>>>>>> >>> --enable-non-ether-decoders
>>>>>> >>> The behaviour is the same
>>>>>> >>>
>>>>>> >>> For DAQ : # ./configure --with-dnet-includes=/opt/include/
>>>>>> >>> --with-dnet-libraries=/opt/lib
>>>>>> >>> Build AFPacket DAQ module.. : no
>>>>>> >>> Build Dump DAQ module...... : yes
>>>>>> >>> Build IPFW DAQ module...... : yes
>>>>>> >>> Build IPQ DAQ module....... : no
>>>>>> >>> Build NFQ DAQ module....... : yes
>>>>>> >>> Build PCAP DAQ module...... : yes
>>>>>> >>>
>>>>>> >>> Not sure why AFPacket fails. But since the testbed is TAP mode , i did
>>>>>> >>> not care.
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay at ...13475...>
>>>>>> >>> wrote:
>>>>>> >>> > On 2014-07-21 10:41, Anand Raj Manickam wrote:
>>>>>> >>> >> My understanding was you do not need afpacket for mirror port,
>>>>>> >>> >> since
>>>>>> >>> >> the setting was pcap - passive. Please correct me if i m wrong.
>>>>>> >>> >> snort was configured with ./configure --with-dnet-includes=/xyz
>>>>>> >>> >> --with-dnet-libraries=/xyz
>>>>>> >>> >> DAQ without any parameters
>>>>>> >>> >>
>>>>>> >>> >> On Mon, Jul 21, 2014 at 9:39 PM, James Lay
>>>>>> >>> >> <jlay at ...13475...>
>>>>>> >>> >> wrote:
>>>>>> >>> >>> On 2014-07-21 09:52, Anand Raj Manickam wrote:
>>>>>> >>> >>>> Hi James,
>>>>>> >>> >>>> I have attached the pcap.
>>>>>> >>> >>>> Thanks,
>>>>>> >>> >>>> Anand
>>>>>> >>> >
>>>>>> >>> > Technically I believe you are right, but at this stage, I'm playing
>>>>>> >>> > "spot the differences".  My snort config line:
>>>>>> >>> >
>>>>>> >>> > ./configure --prefix=/opt --enable-sourcefire
>>>>>> >>> > --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders
>>>>>> >>> >
>>>>>> >>> > and my daq config and and snippet of that output:
>>>>>> >>> >
>>>>>> >>> > ./configure --prefix=/usr
>>>>>> >>> >
>>>>>> >>> > Build AFPacket DAQ module.. : yes
>>>>>> >>> > Build Dump DAQ module...... : yes
>>>>>> >>> > Build IPFW DAQ module...... : yes
>>>>>> >>> > Build IPQ DAQ module....... : no
>>>>>> >>> > Build NFQ DAQ module....... : no
>>>>>> >>> > Build PCAP DAQ module...... : yes
>>>>>> >>> >
>>>>>> >>> > How does your differ?
>>>>>> >>> >
>>>>>> >>> > James
>>>>>> >>
>>>>>> >> At this point I'm out of ideas...perhaps one of the devs can assist.
>>>>>> >>
>>>>>> >> James
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >> ------------------------------------------------------------------------------
>>>>>> >> Want fast and easy access to all the code in your enterprise? Index and
>>>>>> >> search up to 200,000 lines of code with a free copy of Black Duck
>>>>>> >> Code Sight - the same software that powers the world's largest code
>>>>>> >> search on Ohloh, the Black Duck Open Hub! Try it now.
>>>>>> >> http://p.sf.net/sfu/bds
>>>>>> >> _______________________________________________
>>>>>> >> Snort-users mailing list
>>>>>> >> Snort-users at lists.sourceforge.net
>>>>>> >> Go to this URL to change user options or unsubscribe:
>>>>>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> >> Snort-users list archive:
>>>>>> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>> >>
>>>>>> >> Please visit http://blog.snort.org to stay current on all the latest
>>>>>> >> Snort news!
>>>>>> >
>>>>>> >
>>>>>> > ------------------------------------------------------------------------------
>>>>>> > Want fast and easy access to all the code in your enterprise? Index and
>>>>>> > search up to 200,000 lines of code with a free copy of Black Duck
>>>>>> > Code Sight - the same software that powers the world's largest code
>>>>>> > search on Ohloh, the Black Duck Open Hub! Try it now.
>>>>>> > http://p.sf.net/sfu/bds
>>>>>> > _______________________________________________
>>>>>> > Snort-devel mailing list
>>>>>> > Snort-devel at lists.sourceforge.net
>>>>>> > https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>> > Archive:
>>>>>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>>>> >
>>>>>> > Please visit http://blog.snort.org for the latest news about Snort!
>>>>>> >




More information about the Snort-users mailing list