Rob | 18 May 2013 10:35

BotCC Rules and flags:S

Hi,

For the BotCC series of rules [1], is there a specific reason why the
flags are set to "S" and not "P" (or perhaps "+P")?

These hosts are sometimes compromised virtual hosts and the supporting
information to determine which URL was actually visited is not always
(easily) available. So, this might provide more chance of retaining this
info in the alert pcap.

Has ET considered this type of change? (and if so and it's been knocked
back, I'd like to know why.)

Thanks,
Rob

[1] http://rules.emergingthreats.net/blockrules/emerging-botcc.rules
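To make the question concrete, here is an added example (not from the list post or from the ET rules) that models the Snort/Suricata `flags` keyword and runs it over a constructed three-packet client session. It shows that a rule with `flags:S` fires on the bare SYN, whose payload is empty, whereas `flags:+P` fires on the PSH/ACK segment that actually carries the request line and Host header. The packets, the hostname and the path are constructed for the example; the `1`/`2` reserved-bit notation follows the Snort manual.

```python
# Added example: a minimal model of flags: matching, used to show which packet
# of a TCP session a rule alerts on.  Packets below are constructed, not captured.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}  # 1/2 = reserved (CWR/ECE)


def parse_flags_option(option):
    """Split 'flags:+P' or 'flags:S,12' into (modifier, wanted bits, ignored bits)."""
    spec, _, ignore = option.partition(",")
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    want = sum(FLAG_BITS[c] for c in spec)
    ignored = sum(FLAG_BITS[c] for c in ignore)
    return modifier, want, ignored


def flags_match(option, tcp_flags):
    """True if a packet with the given TCP flag byte satisfies the flags: option."""
    modifier, want, ignored = parse_flags_option(option)
    bits = tcp_flags & ~ignored
    if modifier == "+":      # all listed flags set, any others allowed
        return bits & want == want
    if modifier == "*":      # any of the listed flags set
        return bits & want != 0
    if modifier == "!":      # none of the listed flags set
        return bits & want == 0
    return bits == want      # default: exactly these flags and nothing else


# Constructed client-side packets: SYN, final handshake ACK, then the request.
SESSION = [
    {"name": "syn", "flags": FLAG_BITS["S"], "payload": b""},
    {"name": "ack", "flags": FLAG_BITS["A"], "payload": b""},
    {"name": "req", "flags": FLAG_BITS["P"] | FLAG_BITS["A"],
     "payload": b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n"},
]


def alerting_packets(option, session=SESSION):
    """Names of the packets a rule with this flags: option would fire on
    (every other rule option ignored)."""
    return [p["name"] for p in session if flags_match(option, p["flags"])]


def payload_of_first_alert(option, session=SESSION):
    """Payload retained in the alert packet, i.e. what an analyst can see."""
    for p in session:
        if flags_match(option, p["flags"]):
            return p["payload"]
    return None


if __name__ == "__main__":
    for opt in ("S", "+P"):
        print(opt, alerting_packets(opt), payload_of_first_alert(opt))
```

The default (no modifier) form is exact-match, so a SYN that also carries an ECN bit would not match `flags:S` unless the rule says `flags:S,12`; the model reproduces that as well.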
rmkml | 17 May 2013 23:50

change http_header to http_user_agent on few sig for suricata engine v13

Hi,

Can you check these sigs and replace http_header with http_user_agent, please?

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/P"; classtype:trojan-activity; sid:2016858; rev:8;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Chrome Plugin install"; flow:to_server,established; content:"|2f|crx|2f|blobs"; http_uri; nocase; fast_pattern:only; content:" Chrome/"; http_header; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:2016847; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Checkin"; flow:established,to_server; content:"POST"; http_method; pcre:"/\/[a-z]\/$/Ui"; content:"(compatible|3b|"; http_header; content:" MSIE "; distance:0; http_header; content:"(Compatible|3b|"; fast_pattern; distance:0; http_header; classtype:trojan-activity; sid:2016829; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DEEP PANDA Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/Catelog/login1.cgi"; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern:5,20; http_header;

rmkml | 17 May 2013 23:37

comment on sid 2016782 rev 14

Hi,

Maybe you missed "i" on the pcre? Or you don't need nocase on the content?
(I don't remember whether fast_pattern includes nocase ;) )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:trojan-activity; sid:2016782; rev:14;)

Regards
 <at> Rmkml
rmkml | 17 May 2013 23:33

comment on sid 2016792 rev 2

Hi,

Can you add "^" on pcre begin please?

alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server; content:"POST "; depth:5; content:"/enterprise/control/agent.php"; distance:0; content:"HTTP_AUTH_LOGIN|3a|"; distance:0; pcre:"/[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:2;)

Regards
 <at> Rmkml
rmkml | 17 May 2013 22:53

comment on sid 2016844 rev 1

Hi,

Thank you all for the new sigs and the update.

Can you check why the first two http_uri contents are split, please? (look at the pcre)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/downloads/IPFilter"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/downloads\/IPFilter\.exe$/Ui"; content:"User-Agent|3a| AutoIt"; depth:18; http_header; reference:url,threatexpert.com/report.aspx?md5=c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:trojan-activity; sid:2016844; rev:1;)

Regards
 <at> Rmkml
Russell Fulton | 17 May 2013 22:25

http://doc.emergingthreats.net/


On 18/05/2013, at 8:21 AM, Will Metcalf
<wmetcalf@...> wrote:

> Hmmm works from here.
> 

And here…  

> 
> On Fri, May 17, 2013 at 3:20 PM, Josh Bitto <jbitto@...> wrote:
>  
> Is there a reason why it never loads? Do you have to have special access to be able to view this url? Just shows
transferring data and that’s it. Nothing ever comes up.
>  
>  
> Joshua Bitto
> Information Technologist
> KCC
>  
>  
>  
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@...
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
> The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!

Josh Bitto | 17 May 2013 22:20

http://doc.emergingthreats.net/

 
Is there a reason why it never loads? Do you have to have special access to be able to view this url? Just shows transferring data and that’s it. Nothing ever comes up.
 
 
Joshua Bitto
Information Technologist
KCC
 
 
 
Kevin Ross | 17 May 2013 20:21

SIG: ET INFO Content-Disposition Attachment With Filename Download Of Executable - Possible Drive-By Download

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Content-Disposition Attachment With Filename Download Of Executable - Possible Drive-By Download"; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:199111; rev:1;)

Idea from here http://blogs.rsa.com/common-indicators-used-to-find-evil/:

"Content-Disposition with filename.  This forces the save-as feature to download the file with that name and often indicates an automated download."

Regards,
Kevin
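As an added example (not from Kevin's post or from the ET ruleset), here is the same logic as the sig above, written in Python so it can be run over a captured HTTP response when the alert fires, plus the stricter check an analyst would use to triage it: the rule only requires "MZ" in the first two bytes of the body and "PE|00 00|" somewhere after it, whereas a real PE image has the signature at the offset stored in e_lfanew (0x3C). The responses below are constructed for the example; the filenames are placeholders.

```python
# Added example: mirror of sid:199111's match logic plus a stricter PE-header
# check for triage.  All sample responses are constructed, not captured.
import struct

# The exact literal the sig's content: option looks for (case-sensitive).
HEADER_LITERAL = b"Content-Disposition: attachment; filename="


def split_response(raw):
    """Split a raw HTTP/1.x response into (headers_bytes, body_bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    return head, body


def rule_match(raw):
    """True when the response would match the sig: header literal present,
    'MZ' within the first 2 bytes of the body, 'PE\\0\\0' anywhere after."""
    head, body = split_response(raw)
    return (HEADER_LITERAL in head
            and body[:2] == b"MZ"
            and b"PE\x00\x00" in body[2:])


def has_valid_pe_header(body):
    """Stricter triage check: MZ stub and the PE signature at e_lfanew."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(raw):
    """What an analyst wants from one alert: did the sig logic fire, and does
    the body actually carry a well-formed PE header?"""
    _, body = split_response(raw)
    return {"rule_match": rule_match(raw), "pe_header_ok": has_valid_pe_header(body)}


def build_sample_pe_body():
    """Constructed stand-in for an executable: MZ stub, e_lfanew -> 0x40, PE sig."""
    body = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS stub
    body += struct.pack("<I", 0x40)               # e_lfanew at offset 0x3C
    body += b"PE\x00\x00" + b"\x00" * 20          # PE signature at 0x40
    return bytes(body)


SAMPLE_EXE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                       b"Content-Type: application/octet-stream\r\n"
                       b"Content-Disposition: attachment; filename=\"update.exe\"\r\n"
                       b"\r\n" + build_sample_pe_body())
# Same body, but served inline: the sig does not fire.
SAMPLE_INLINE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                          b"Content-Type: application/octet-stream\r\n"
                          b"Content-Disposition: inline\r\n"
                          b"\r\n" + build_sample_pe_body())
# Text that happens to start with MZ and mention PE\0\0: the sig fires, the
# stricter header check does not, which is how a false positive is spotted.
SAMPLE_TEXT_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                        b"Content-Disposition: attachment; filename=\"notes.txt\"\r\n"
                        b"\r\n"
                        b"MZ is just text here, and PE\x00\x00 too")

if __name__ == "__main__":
    for name, raw in (("exe", SAMPLE_EXE_RESPONSE), ("inline", SAMPLE_INLINE_RESPONSE),
                      ("text", SAMPLE_TEXT_RESPONSE)):
        print(name, triage(raw))
```

Because `file_data` in the sig points at the (decoded) response body, the byte-level checks here run on the body after any content-encoding has been removed; feed it decoded bytes if the capture was gzip-compressed.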
Josh Bitto | 17 May 2013 18:41

Outgoing Basic Auth Base64

I’m needing some clarification on this signature that came through…
 
[1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [Classification: Potential Corporate Privacy Violation] [Priority: 1]
 
So to my understanding this rule has seen traffic leave my network to a destination host on port 80 with an unencrypted password. The weird thing is it’s happening at 3 in the morning where no one is in the office.
 
Joshua Bitto
Information Technologist
KCC
 
 
 
Will Metcalf | 17 May 2013 00:56

Daily Ruleset Update Summary 05/16/2013

[***]          Summary:          [***]

2 new Open. 9 new Pro (2/7). Sweet Orange, SofosFO, Unknown_MM, etc.

[+++]          Added rules:          [+++]

  Open:
  2016859 - ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar (current_events.rules)
  2016860 - ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013 (current_events.rules)

  Pro:
  2806369 - ETPRO TROJAN W32.Wapomi.B Download 1 (trojan.rules)
  2806370 - ETPRO TROJAN W32.Wapomi.B Download 2 (trojan.rules)
  2806371 - ETPRO TROJAN W32.Wapomi.B Download 3 (trojan.rules)
  2806372 - ETPRO TROJAN Spy.Bancos.OQI Checkin (trojan.rules)
  2806373 - ETPRO TROJAN Trojan-Dropper.Win32.Mudrop Checkin (trojan.rules)
  2806374 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.vcn Checkin (trojan.rules)
  2806375 - ETPRO TROJAN Trojan.Win32.Runner.qc Checkin (trojan.rules)


 [///]     Modified active rules:     [///]

  2016705 - ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013 (current_events.rules)
  2016706 - ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (1) (current_events.rules)
  2016816 - ET TROJAN Variant.Zusy.45802 Checkin (trojan.rules)


 [///]    Modified inactive rules:    [///]

  2804832 - ETPRO TROJAN PWS.Win32/Zbot.gen!AF CnC traffic (trojan.rules)


 [---]         Removed rules:         [---]

  2016834 - ET TROJAN Unknown Trojan POST (trojan.rules)
Bryan Manhollan | 16 May 2013 19:21

Re: 6in4 tunnel

Josh,

Any time!

Respectively,

Bryan Manhollan
Security Analyst



From: jbitto-wuM2AiWoltz5bOWen2SBRQ@public.gmane.org
To: bryan.manhollan-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org
Date: Thu, 16 May 2013 10:18:29 -0700
Subject: RE: [Emerging-Sigs] 6in4 tunnel

We have several interfaces to monitor each vlan. Your explanation cleared things up for me thank you!

 

 

 

From: Bryan Manhollan [mailto:bryan.manhollan-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org]
Sent: Thursday, May 16, 2013 10:17 AM
To: Josh Bitto
Cc: emerging-sigs-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org
Subject: RE: [Emerging-Sigs] 6in4 tunnel

 

Josh,

How many Snort sensors do you have in place on your network? If you have one sensor looking at the subnet your DNS servers are on, and another sensor looking at the subnet your IP in question is on, then yes, you will see this traffic fairly regularly.

Any IP outside the realm of a particular Snort sensor's configuration, regardless of it being internal or external to your network, will be defined as $EXTERNAL_NET. Well, by default that is. You can change this in the .conf file, but simply changing $EXTERNAL_NET to !10.0.0.0/8, !192.168.0.0/24, !172.16.0.0 -> 172.31.255.255 will cause you to miss a lot of internal traffic between sensors.

Respectively,

Bryan Manhollan
Security Analyst


From: jbitto <at> onlineschool.ca
CC: emerging-sigs-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org
Date: Thu, 16 May 2013 09:52:19 -0700
Subject: Re: [Emerging-Sigs] 6in4 tunnel

Now to throw a monkey wrench into this….

 

I’m getting another alert for [1:2009702:5] ET POLICY DNS Update From External net [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP}

 

The source and destination are both within the internal network. Granted both are on different subnets, but from this description should it only fire if it is coming from outside the network?

 

Our firewall is pfsense and our DNS servers are on one subnet and the IP in question (partly) is on another, but that should really matter since they both are within the local network.

 

 

 

From: Bryan Manhollan [mailto:bryan.manhollan-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org]
Sent: Thursday, May 16, 2013 8:21 AM
To: Nathan
Cc: Josh Bitto; emerging-sigs-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org
Subject: RE: [Emerging-Sigs] 6in4 tunnel

 

As did I. Have a good one.

Respectively,

Bryan Manhollan
Security Analyst

> From: nathan-TKskQ8pOXrd9pMjJd8zWoA@public.gmane.org
> To: bryan.manhollan-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org
> CC: jbitto-wuM2AiWoltz5bOWen2SBRQ@public.gmane.org; emerging-sigs <at> lists.emergingthreats.net
> Subject: Re: [Emerging-Sigs] 6in4 tunnel
> Date: Thu, 16 May 2013 10:19:25 -0500
>
> On 05/16/2013 10:17 AM, Bryan Manhollan wrote:
> > Afraid I'm not familiar enough with how IPv6 works yet to give much more insight on to why this occurs.
>
> Understood and I highly appreciated our exchange and discussion on this, thank you!
>
> Cheers,
> Nathan


_______________________________________________ Emerging-sigs mailing list Emerging-sigs-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!

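Bryan's explanation of why an internal-to-internal DNS update alerts as "From External net" comes down to how $HOME_NET and $EXTERNAL_NET are resolved on each sensor. The following added example (not code from the thread, from Snort or from Emerging Threats) evaluates the address part of a rule header against a flow for two sensor configurations: one whose $HOME_NET covers only the DNS subnet, and one that lists both subnets. The rule header used is an assumption in the shape of an "ET POLICY ... From External net" rule, since the thread does not show the real header of sid 2009702; the IPs are constructed.

```python
# Added example: resolve $HOME_NET / $EXTERNAL_NET the way a sensor does and
# test a rule header against a flow.  Addresses and the header are constructed.
import ipaddress


def expand(spec, variables):
    """Expand a Snort/Suricata address spec into [(network_or_None, include)].
    Handles 'any', CIDRs, $VAR references, bracketed lists and '!' negation
    (nested brackets are not supported in this small model)."""
    spec = spec.strip()
    if spec.startswith("!"):
        return [(net, not inc) for net, inc in expand(spec[1:], variables)]
    if spec.startswith("$"):
        return expand(variables[spec[1:]], variables)
    if spec == "any":
        return [(None, True)]          # None = matches every address
    if spec.startswith("["):
        return [pair for item in spec[1:-1].split(",") for pair in expand(item, variables)]
    return [(ipaddress.ip_network(spec, strict=False), True)]


def addr_matches(ip, entries):
    """An address matches if it is in no negated entry and in some positive
    entry (or there are no positive entries, as with '!$HOME_NET')."""
    ip = ipaddress.ip_address(ip)
    hit = lambda net: net is None or ip in net
    positives = [net for net, inc in entries if inc]
    negatives = [net for net, inc in entries if not inc]
    if any(hit(net) for net in negatives):
        return False
    return not positives or any(hit(net) for net in positives)


def header_matches(rule_header, src_ip, dst_ip, variables):
    """Evaluate only the addresses of a header such as
    'alert udp $EXTERNAL_NET any -> $HOME_NET 53' (ports are ignored here)."""
    action, proto, src, sport, arrow, dst, dport = rule_header.split()
    fwd = (addr_matches(src_ip, expand(src, variables))
           and addr_matches(dst_ip, expand(dst, variables)))
    if arrow == "->":
        return fwd
    if arrow == "<>":
        rev = (addr_matches(dst_ip, expand(src, variables))
               and addr_matches(src_ip, expand(dst, variables)))
        return fwd or rev
    raise ValueError("unknown direction operator: %s" % arrow)


# Assumed header in the shape of an "ET POLICY ... From External net" rule.
DNS_UPDATE_HEADER = "alert udp $EXTERNAL_NET any -> $HOME_NET 53"

# Sensor watching only the DNS subnet vs. a sensor with both subnets in HOME_NET.
SENSOR_DNS_SUBNET_ONLY = {"HOME_NET": "10.1.0.0/24", "EXTERNAL_NET": "!$HOME_NET"}
SENSOR_BOTH_SUBNETS = {"HOME_NET": "[10.1.0.0/24,10.2.0.0/24]", "EXTERNAL_NET": "!$HOME_NET"}


def fires(variables, src_ip="10.2.0.25", dst_ip="10.1.0.53"):
    """Does the DNS-update header fire for a flow from the other internal
    subnet (default) or from whatever addresses are given?"""
    return header_matches(DNS_UPDATE_HEADER, src_ip, dst_ip, variables)


if __name__ == "__main__":
    print("DNS-subnet-only sensor, internal client:", fires(SENSOR_DNS_SUBNET_ONLY))
    print("both-subnets sensor, internal client:   ", fires(SENSOR_BOTH_SUBNETS))
    print("both-subnets sensor, outside client:    ", fires(SENSOR_BOTH_SUBNETS, "203.0.113.9"))
```

With only the DNS subnet in $HOME_NET, the client on 10.2.0.0/24 is "external" to that sensor and the rule fires; listing both subnets makes the same flow internal-to-internal and silent, while a genuinely outside source still alerts.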
