<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
Ok....imma top post just because.  Here's what I have on my end that's working:<BR>
<BR>
<BR>
<TT>   ,,_     -*> Snort! <*-</TT><BR>
<TT>  o"  )~   Version 2.9.7.0 GRE (Build 149) </TT><BR>
<TT>   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team</TT><BR>
<TT>           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.</TT><BR>
<TT>           Copyright (C) 1998-2013 Sourcefire, Inc., et al.</TT><BR>
<TT>           Using libpcap version 1.1.1</TT><BR>
<TT>           Using PCRE version: 8.31 2012-07-06</TT><BR>
<TT>           Using ZLIB version: 1.2.8</TT><BR>
<BR>
<TT>snort --daq-list</TT><BR>
<TT>Available DAQ modules:</TT><BR>
<TT>pcap(v3): readback live multi unpriv</TT><BR>
<TT>nfq(v7): live inline multi</TT><BR>
<TT>ipfw(v3): live inline multi unpriv</TT><BR>
<TT>dump(v2): readback live inline multi unpriv</TT><BR>
<TT>afpacket(v5): live inline multi unpriv</TT><BR>
<BR>
config line (pfring lines won't be relevant for you I am guessing):<BR>
<TT>./configure --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep --enable-control-socket --with-libpcap-includes=/opt/pfring/include --with-libpcap-libraries=/opt/pfring/lib --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib --enable-open-appid</TT><BR>
<BR>
I can't imagine that this would make a difference, but per the README in the daq src:<BR>
<BR>
<TT>AFPACKET Module</TT><BR>
<TT>===============</TT><BR>
<BR>
<TT>afpacket functions similar to the pcap DAQ but with better performance:</TT><BR>
<BR>
<TT>    ./snort --daq afpacket -i &lt;device&gt;</TT><BR>
<TT>            [--daq-var buffer_size_mb=&lt;#MB&gt;]</TT><BR>
<TT>            [--daq-var debug]</TT><BR>
<BR>
<TT>If you want to run afpacket in inline mode, you must craft the device string as</TT><BR>
<TT>one or more interface pairs, where each member of a pair is separated by a</TT><BR>
<TT>single colon and each pair is separated by a double colon like this:</TT><BR>
<BR>
I do see in your start that you specify interfaces first, then afpacket second, so reverse that to:<BR>
<BR>
<TT>sudo snort -c /etc/snort/snort.conf -Q --daq afpacket -i eth1:eth0 -k none -A fast</TT><BR>
<BR>
I would also try --daq-var debug if you still get things allowed after trying the above.  This test box is Ubuntu 14.04.2 LTS, so we are pretty much running the same thing.  Lastly, although seeing the wget session helps, try and get an actual packet capture...it will help.<BR>
<BR>
James<BR>
<BR>
On Sun, 2015-02-22 at 23:02 +0530, Rishabh Shah wrote:
<BLOCKQUOTE TYPE=CITE>
    Hi James,<BR>
    <BR>
    Yes, I do have a capture on my Windows 7 PC which is sitting behind Snort(linux).<BR>
    <BR>
    -> Snort command used:<BR>
    snort -c /etc/snort/snort.conf -Q -i eth1:eth0 --daq afpacket -k none -A fast<BR>
    <BR>
    -> Traffic from Windows 7 pc:<BR>
    <BR>
    %wget <A HREF="http://cnn.com">cnn.com</A><BR>
    --2015-02-22 22:54:36--  <A HREF="http://cnn.com/">http://cnn.com/</A><BR>
    Resolving <A HREF="http://cnn.com">cnn.com</A> (<A HREF="http://cnn.com">cnn.com</A>)... 157.166.226.26, 157.166.226.25<BR>
    Connecting to <A HREF="http://cnn.com">cnn.com</A> (<A HREF="http://cnn.com">cnn.com</A>)|157.166.226.26|:80... connected.<BR>
    HTTP request sent, awaiting response... 301 Moved Permanently<BR>
    Location: <A HREF="http://www.cnn.com/">http://www.cnn.com/</A> [following]<BR>
    --2015-02-22 22:54:37--  <A HREF="http://www.cnn.com/">http://www.cnn.com/</A><BR>
    Resolving <A HREF="http://www.cnn.com">www.cnn.com</A> (<A HREF="http://www.cnn.com">www.cnn.com</A>)... 103.245.222.185<BR>
    Connecting to <A HREF="http://www.cnn.com">www.cnn.com</A> (<A HREF="http://www.cnn.com">www.cnn.com</A>)|103.245.222.185|:80... connected.<BR>
    HTTP request sent, awaiting response... 302 Found<BR>
    Location: <A HREF="http://edition.cnn.com/">http://edition.cnn.com/</A> [following]<BR>
    --2015-02-22 22:54:38--  <A HREF="http://edition.cnn.com/">http://edition.cnn.com/</A><BR>
    Resolving <A HREF="http://edition.cnn.com">edition.cnn.com</A> (<A HREF="http://edition.cnn.com">edition.cnn.com</A>)... 103.245.222.185<BR>
    Reusing existing connection to <A HREF="http://www.cnn.com:80">www.cnn.com:80</A>.<BR>
    <B>HTTP request sent, awaiting response... 200 OK</B><BR>
    Length: 214393 (209K) [text/html]<BR>
    Saving to: ‘index.html.6’<BR>
    <BR>
    100%[================================================================================>] 214,393      321KB/s   in 0.7s<BR>
    <BR>
    2015-02-22 22:54:39 (321 KB/s) - ‘index.html.6’ saved [214393/214393]<BR>
    <BR>
    Alert on Snort:<BR>
    <B>02/22-22:54:36.628789  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:54980 -> 103.245.222.185:80</B><BR>
    <BR>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    On Sun, Feb 22, 2015 at 9:29 PM, James Lay <<A HREF="mailto:jlay@...13475...">jlay@...13475...</A>> wrote:
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    <BLOCKQUOTE>
        On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote: <BR>
        <BLOCKQUOTE TYPE=CITE>
            Hi James,<BR>
            <BR>
            <BR>
            Thanks for looking into this. In your case, the HTTP request is getting blocked by snort. But the same is not happening in my case. Any other command output that could help you figure out this issue?<BR>
            <BR>
            On Sun, Feb 22, 2015 at 7:55 PM, James Lay <<A HREF="mailto:jlay@...13475...">jlay@...13475...</A>> wrote:<BR>
            <BLOCKQUOTE>
                On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote: <BR>
                <BLOCKQUOTE TYPE=CITE>
                    Hi Snort-Experts,<BR>
                    <BR>
                    <BR>
                    I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is unable to drop packets, despite a drop alert being generated:<BR>
                    02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80<BR>
                    <BR>
                    <BR>
                    -> Following rule in snort.rules file is getting triggered for the above alert log.<BR>
                    drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)<BR>
                    <BR>
                    <BR>
                </BLOCKQUOTE>
                <BR>
                <BLOCKQUOTE TYPE=CITE>
                    <BR>
                    ===============================================================================<BR>
                    Action Stats:<BR>
                         Alerts:            7 (  1.118%)<BR>
                         Logged:            7 (  1.118%)<BR>
                         Passed:            0 (  0.000%)<BR>
                    Limits:<BR>
                          Match:            0<BR>
                          Queue:            0<BR>
                            Log:            0<BR>
                          Event:            0<BR>
                          Alert:            0<BR>
                    Verdicts:<BR>
                          Allow:          231 ( 36.435%)<BR>
                          Block:            0 (  0.000%)<BR>
                        Replace:            0 (  0.000%)<BR>
                      Whitelist:            0 (  0.000%)<BR>
                    <B><FONT SIZE="4">  Blacklist:          394 ( 62.145%)</FONT></B><BR>
                         Ignore:            0 (  0.000%)<BR>
                          Retry:            0 (  0.000%)<BR>
                    ===============================================================================<BR>
                    <BR>
                </BLOCKQUOTE>
                <BR>
                Interestingly, Blacklist means getting dropped/blocked/not-allowed-through/whatever you want to call it.  Case in point below:<BR>
                <BR>
                start line:<BR>
                <TT>sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none</TT><BR>
                <BR>
                <TT>[ Number of patterns truncated to 20 bytes: 0 ]</TT><BR>
                <TT>afpacket DAQ configured to inline.</TT><BR>
                <TT>Acquiring network traffic from "eth1:eth2".</TT><BR>
                <TT>Reload thread starting...</TT><BR>
                <TT>Reload thread started, thread 0x7f383d236700 (3419)</TT><BR>
                <BR>
                <TT>        --== Initialization Complete ==--</TT><BR>
                <BR>
                snort rule:<BR>
                <TT>drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)</TT><BR>
                <BR>
                wget from remote box:<BR>
                <TT>[07:09:05 $] wget <A HREF="http://192.168.1.73/index.html">http://192.168.1.73/index.html</A></TT><BR>
                <TT>--2015-02-22 07:09:44--  <A HREF="http://192.168.1.73/index.html">http://192.168.1.73/index.html</A></TT><BR>
                <TT>Connecting to 192.168.1.73:80... connected.</TT><BR>
                <TT>HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.</TT><BR>
                <TT>Retrying.</TT><BR>
                <BR>
                <TT>--2015-02-22 07:09:45--  (try: 2)  <A HREF="http://192.168.1.73/index.html">http://192.168.1.73/index.html</A></TT><BR>
                <TT>Connecting to 192.168.1.73:80... connected.</TT><BR>
                <TT>HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.</TT><BR>
                <TT>Retrying.</TT><BR>
                <BR>
                <TT>--2015-02-22 07:09:47--  (try: 3)  <A HREF="http://192.168.1.73/index.html">http://192.168.1.73/index.html</A></TT><BR>
                <TT>Connecting to 192.168.1.73:80... connected.</TT><BR>
                <TT>HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.</TT><BR>
                <TT>Retrying.</TT><BR>
                <BR>
                tshark on ips box:<BR>
                <TT>31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101 TSecr=0 WS=128</TT><BR>
                <TT>32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16</TT><BR>
                <TT>33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730</TT><BR>
                <TT>34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1 </TT><BR>
                <TT>35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101</TT><BR>
                <TT>36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0</TT><BR>
                <TT>37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852 TSecr=0 WS=128</TT><BR>
                <TT>38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16</TT><BR>
                <TT>39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481</TT><BR>
                <TT>40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1 </TT><BR>
                <TT>41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852</TT><BR>
                <TT>42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557 HTTP/1.1 200 OK  (text/html)</TT><BR>
                <TT>43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0</TT><BR>
                <TT>46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853 TSecr=0 WS=128</TT><BR>
                <TT>47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16</TT><BR>
                <TT>48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483</TT><BR>
                <TT>49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1 </TT><BR>
                <TT>50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854</TT><BR>
                <TT>51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0</TT><BR>
                <BR>
                snort result using console:<BR>
                <TT>02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80</TT><BR>
                <TT>02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80</TT><BR>
                <TT>02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80</TT><BR>
                <BR>
                and lastly, snort stats after kill:<BR>
                <TT>===============================================================================</TT><BR>
                <TT>Packet I/O Totals:</TT><BR>
                <TT>   Received:           57</TT><BR>
                <TT>   Analyzed:           57 (100.000%)</TT><BR>
                <TT>    Dropped:            0 (  0.000%)</TT><BR>
                <TT>   Filtered:            0 (  0.000%)</TT><BR>
                <TT>Outstanding:            0 (  0.000%)</TT><BR>
                <TT>   Injected:           12                  <----------- injected RST I am guessing</TT><BR>
                <TT>===============================================================================</TT><BR>
                <BR>
                <TT>===============================================================================</TT><BR>
                <TT>Action Stats:</TT><BR>
                <TT>     Alerts:            6 ( 10.526%)</TT><BR>
                <TT>     Logged:            6 ( 10.526%)</TT><BR>
                <TT>     Passed:            0 (  0.000%)</TT><BR>
                <TT>Limits:</TT><BR>
                <TT>      Match:            0</TT><BR>
                <TT>      Queue:            0</TT><BR>
                <TT>        Log:            0</TT><BR>
                <TT>      Event:            0</TT><BR>
                <TT>      Alert:            0</TT><BR>
                <TT>Verdicts:</TT><BR>
                <TT>      Allow:           50 ( 87.719%)</TT><BR>
                <TT>      Block:            0 (  0.000%)</TT><BR>
                <TT>    Replace:            0 (  0.000%)</TT><BR>
                <TT>  Whitelist:            0 (  0.000%)</TT><BR>
                <TT>  Blacklist:            7 ( 12.281%)</TT><BR>
                <TT>     Ignore:            0 (  0.000%)</TT><BR>
                <TT>      Retry:            0 (  0.000%)</TT><BR>
                <BR>
                And there ya go.<BR>
                <BR>
                <FONT COLOR="#888888">James</FONT> <BR>
                <BR>
                ------------------------------------------------------------------------------<BR>
                Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server<BR>
                from Actuate! Instantly Supercharge Your Business Reports and Dashboards<BR>
                with Interactivity, Sharing, Native Excel Exports, App Integration & more<BR>
                Get technology previously reserved for billion-dollar corporations, FREE<BR>
                <A HREF="http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk">http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk</A><BR>
                _______________________________________________<BR>
                Snort-users mailing list<BR>
                <A HREF="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</A><BR>
                Go to this URL to change user options or unsubscribe:<BR>
                <A HREF="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</A><BR>
                Snort-users list archive:<BR>
                <A HREF="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</A><BR>
                <BR>
                Please visit <A HREF="http://blog.snort.org">http://blog.snort.org</A> to stay current on all the latest Snort news! <BR>
            </BLOCKQUOTE>
            <BR>
            <BR>
            <BR>
            <BR>
            -- <BR>
            Regards,<BR>
            Rishabh Shah.
        </BLOCKQUOTE>
        <BR>
        <BR>
    </BLOCKQUOTE>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    <BLOCKQUOTE>
        Rishabh,<BR>
        <BR>
        How are you confirming that this isn't getting dropped/blocked/blacklisted?  Do you have a capture, or can you capture on the IPS to see what the traffic is looking like?<BR>
        <BR>
        <FONT COLOR="#888888">James</FONT>
    </BLOCKQUOTE>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
    <BR>
    -- <BR>
    Regards,<BR>
    Rishabh Shah.
</BLOCKQUOTE>
<BR>
<BR>
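An added example, not part of the original messages: a small Python cross-check of the three outputs pasted in this thread (startup banner, <TT>-A fast</TT>/<TT>-A console</TT> alerts, shutdown stats). The function names are hypothetical, the sample input is copied from James's output above, and counting Blacklist as blocked follows his reading of the stats.<BR>
<BR>

```python
import re

# Sample input copied from the outputs James pasted earlier in this thread
# (alert lines shown without the archive's HTML links).
STARTUP = """\
afpacket DAQ configured to inline.
Acquiring network traffic from "eth1:eth2".
"""
ALERTS = """\
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
"""
STATS = """\
Action Stats:
     Alerts:            6 ( 10.526%)
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""

INLINE_RE = re.compile(r"^(\w+) DAQ configured to inline\.", re.M)
DROP_RE = re.compile(r"\[Drop\] \[\*\*\] \[(\d+):(\d+):\d+\]")
COUNT_RE = re.compile(r"^[ \t]*(\w+):[ \t]+(\d+)\b", re.M)


def daq_inline(startup):
    """Return the DAQ module Snort reported as inline, or None."""
    m = INLINE_RE.search(startup)
    return m.group(1) if m else None


def drop_alerts_by_sid(alerts):
    """Count [Drop] alerts per gid:sid in -A fast / -A console output."""
    counts = {}
    for gid, sid in DROP_RE.findall(alerts):
        counts[f"{gid}:{sid}"] = counts.get(f"{gid}:{sid}", 0) + 1
    return counts


def verdicts(stats):
    """Parse only the 'Verdicts:' block of the shutdown stats."""
    block = stats.partition("Verdicts:")[2].split("====", 1)[0]
    return {name: int(n) for name, n in COUNT_RE.findall(block)}


def assess(startup, alerts, stats):
    """Cross-check the three outputs and return a list of findings."""
    v = verdicts(stats)
    drops = drop_alerts_by_sid(alerts)
    # Assumption taken from this thread: Blacklist verdicts are blocked packets.
    blocked = v.get("Block", 0) + v.get("Blacklist", 0)
    findings = []
    if daq_inline(startup) is None:
        findings.append("startup output has no 'DAQ configured to inline.' line")
    if not v:
        findings.append("no Verdicts block found in the stats")
    elif drops and blocked == 0:
        findings.append("[Drop] alerts logged but zero Block/Blacklist verdicts")
    elif blocked and not drops:
        findings.append("packets blocked but no [Drop] alert matched")
    return findings


if __name__ == "__main__":
    print(daq_inline(STARTUP), drop_alerts_by_sid(ALERTS), verdicts(STATS))
    print(assess(STARTUP, ALERTS, STATS) or "outputs consistent with inline blocking")
```

<BR>
An empty findings list only shows that Snort's own output is self-consistent; the packet capture requested above is still what shows whether the traffic was stopped on the wire.<BR>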
</BODY>
</HTML>