Abdallah Jabbour | 4 May 00:34 2015
Picon

Re: Snort-users Digest, Vol 108, Issue 2

yes they do !

On Sun, May 3, 2015 at 2:00 PM, <snort-users-request <at> lists.sourceforge.net> wrote:
Send Snort-users mailing list submissions to
        snort-users <at> lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request <at> lists.sourceforge.net

You can reach the person managing the list at
        snort-users-owner <at> lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


When responding, please don't respond with the entire Digest.  Please trim your response.

Today's Topics:

   1. Re: snort inline mode in CentOS 6.6 (James Lay)


----------------------------------------------------------------------

Message: 1
Date: Sat, 02 May 2015 07:25:22 -0600
From: James Lay <jlay <at> slave-tothe-box.net>
Subject: Re: [Snort-users] snort inline mode in CentOS 6.6
To: snort-users <at> lists.sourceforge.net
Message-ID: <1430573122.4447.1.camel <at> JamesiMac>
Content-Type: text/plain; charset="utf-8"

On Sat, 2015-05-02 at 12:46 +0200, Abdallah Jabbour wrote:
> Hello ,
>
>
>
> i have installed snort on CentOS6.6 in a KVM Guest machine , it a
> router/ firewall using iptables , i followed the installation and
> configuration steps and tested the configuration file validity ( using
> -T command line arg )
>
>
>
> i enabled inline mode :
>
>
> in configuration file : i added and uncommented the following lines :
>
>  config policy_mode:inline
>
>  config daq: afpacket
>  config daq_dir: /usr/lib64/daq/
>  config daq_mode: inline
>  config daq_var: buffer_size_mb=128
>
>
> and also in /etc/sysconfig/snort
>
>
> INTERFACE=eth0:eth1
>
>
> and start the snort service
>
>
> the network connection ( locally and to the internet ) is dropped i
> cannot ping any host on the network .
>
>
> i added some rules to /etc/snort/rules/local.rules
>
> to see if alerting is working , i can see alerts being written
> to /var/log/snort/alert after i reboot the machine ( since there is no
> network connectivity ) .
>
>
> i know that inline mode will put the network interfaces eth0 and eth1
> in promiscuous mode and will bridge the network connection to get the
> network traffic . is there anything i am missing my setup  ?
>
>
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Snort-users mailing list
> Snort-users <at> lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


To eth0 and eth1 have IP addresses assigned?

James
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

------------------------------

_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest, Vol 108, Issue 2
*******************************************

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
James Lay | 3 May 15:35 2015
Picon

README.sfportscan doc update

Per README.sfportscan:

Example configuration:

preprocessor flow: stats_interval 0 hash 2
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { low }


Yea that goes boom:

ERROR: snort.conf(165) Unknown preprocessor: "flow".
Fatal Error, Quitting..

and:
Documentation last updated 2004-09-08

Have there really been no changes to any of sfportscan for 11 years?  Wow

James
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Chris | 3 May 15:31 2015
Picon

Trigger anomalies (on LXC container versus host)

I'm observing a problematic difference in behaviour between two
instances of Snort that are configured identically (recursive diff'ed
their config dirs, and compared their initialisation outputs) aside
from the required differences (interfaces names) as one is running
inside an LXC container, listening to its single virtual interface, and
the other instance is on the hypervisor/base OS listening to the bridge
interface that all the containers are attached to. The container
receives traffic through NAT'ing rules on the hypervisor.

What I see is that certain rules aren't being triggered on the
container instance of Snort, but are being triggered on the hypervisor.
This is despite being able to see the packets that trigger these rules
appear on both machines (hypervisor and container) using tcpdump to
view the respective interfaces that Snort is configured to listen on.
Specifically, the rules that I've noticed are being ignored are those
that involve HTTP header inspection, like GET /test.cgi.

Like I said, I can see what look like the EXACT SAME packets on these
respective interfaces, so I've tried the following troubleshooting
without any luck.

 * Switching off Snort on the hypervisor in case it was interfering.

 * Creating a rule that triggers for any packet that is considered to
   be web traffic (i.e. EXTERNAL any -> HTTP HTTP_PORT) and this
   triggers for those packets without issue, so it's not a problem with
   those variables being misconfigured.

 * Wondering whether LXC doesn't properly isolate the interfaces
   somehow, so I tried configuring the container Snort to use the
   bridge interface on the hypervisor, however it correctly wasn't able
   to use it (as it didn't exist inside the container, of course).

So I'm stuck as to where to go next. The container is where I want Snort
to be running, as it's my load balancer (including SSL termination) so
that's where I would like to detect and block rogue traffic. The only
reason that I run it on the hypervisor is to just see whether any
concerning traffic is bypassing the load balancer, and whether
undesirable traffic is being generated by services behind it.

Thanks for your time, I really hope someone can shed some light on this
frustrating situation. Very happy to answer any questions about the
setup, including configuration specifics, though they're essentially
vanilla installions on Debian Wheezy straight out of apt.

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Abdallah Jabbour | 2 May 12:46 2015
Picon

snort inline mode in CentOS 6.6

Hello ,

i have installed snort on CentOS6.6 in a KVM Guest machine , it a router/ firewall using iptables , i followed the installation and configuration steps and tested the configuration file validity ( using -T command line arg )


i enabled inline mode :

in configuration file : i added and uncommented the following lines :
 config policy_mode:inline

 config daq: afpacket
 config daq_dir: /usr/lib64/daq/
 config daq_mode: inline
 config daq_var: buffer_size_mb=128

and also in /etc/sysconfig/snort

INTERFACE=eth0:eth1

and start the snort service

the network connection ( locally and to the internet ) is dropped i cannot ping any host on the network .

i added some rules to /etc/snort/rules/local.rules
to see if alerting is working , i can see alerts being written to /var/log/snort/alert after i reboot the machine ( since there is no network connectivity ) .

i know that inline mode will put the network interfaces eth0 and eth1 in promiscuous mode and will bridge the network connection to get the network traffic . is there anything i am missing my setup  ?

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Brian Diehl | 30 Apr 16:25 2015

https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz.md5

Hello,
 
I only occasionally update my rules files on my Snort Scanner.  I’m running on a Ubuntu install.  I’m now getting the following errors:
 
bdiehl <at> ubuntu2:~/Downloads/pulledpork-0.7.0$ sudo  ./pulledpork.pl -c etc/pulledpork.conf
 
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  <at> _/        /  66\_  cummingsj <at> gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Config File Variable Debug etc/pulledpork.conf
        snort_path = /usr/local/bin/snort
        black_list = /etc/snort/rules/black_list.rules
        IPRVersion = /etc/snort/rules/iplists
        rule_path = /etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        snort_control = /usr/local/bin/snort_control
        rule_url = ARRAY(0x2f616e8)
        sid_msg_version = 1
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /etc/snort/sid-msg.map
        config_path = /etc/snort/snort.conf
        temp_path = /tmp
        distro = Ubuntu-10-4
        sorule_path = /usr/local/lib/snort_dynamicrules/
        version = 0.7.0
        local_rules = /etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: x86-64
        Config Path is: etc/pulledpork.conf
        Distro Def is: Ubuntu-10-4
        Disabled policy specified
        local.rules path is: /etc/snort/rules/local.rules
        Rules file is: /etc/snort/rules/snort.rules
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /etc/snort/sid-msg.map
        Snort Version is: 2.9.6.2
        Snort Config File: /etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /usr/local/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set
Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2962.tar.gz.md5
        A 404 error occurred, please verify your filenames and urls for your tarball!
        Error 404 when fetching https://www.snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz.md5 at ./pulledpork.pl line 465
        main::md5file('f3242df71d4050bf9e7dd67f4d3f7f4c2e70d457', 'snortrules-snapshot-2962.tar.gz', '/tmp/', 'https://www.snort.org/downloads/registered/') called at ./pulledpork.pl line 1849
 
When I go out to the downloads page I see that all the md5 rules are now combined down into one MD5 file.  However, pulledpork doesn’t know about this.  I checked the pulledpork download page and version 0.7.0 is still the current version.  What is the correct solution to this problem?
 
Thanks in advance.
 
Brian Diehl
Christensen Farms IT Manager
Phone: 507-794-8585
 
 
 
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Snort Releases | 30 Apr 16:19 2015

Snort++ Build 150 Available Now

Snort++ build 150 is now available on snort.org.  This is the latest 
monthly update of the downloads.  You can also get the latest updates 
from github (snortadmin/snort3) which is updated weekly.

New features:

* pop and imap inspectors ported
* added publish-subscribe handling of data events
* added data_log plugin example for pub-sub
* added build of snort_manual.text if w3m is installed
* added default_snort_manual.text w/o w3m

Bug fixes and enhancements:

* fix http_inspect mpse search
* fixed urg rule option
* change daq.var to daq.vars to support multiple params; reported by 
Sancho Panza
* ensure unknown sources are analyzed
* fixed default validation issue reported by Sancho Panza
* fixed xcode static analysis issues
* change PT_DATA to IT_PASSIVE; supports named instances, reload, and 
consumers

You can also get the latest updates from github (snortadmin/snort3) 
which is updated weekly.

Please submit bugs, questions, and feedback to bugs <at> snort.org or the 
Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

rohit Kulkarni | 29 Apr 14:57 2015
Picon

(no subject)

Hello all,

I am new to both snort and snort-users mailing list. I am using snort_inline as IPS with openappid integration. I would like to use both openappid and snort for application based QOS. I found vary little information on google about it. Is it possible to do it using snort and openappid ? if not is there any other way to do application based QOS using any open-source technologies available ?

Thanks in advance.

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Robert Lasota | 28 Apr 15:46 2015
Picon

Odp: Re: Odp: Re: Odp: Re: Odp: Re: Snort inline with Squid

Dnia Wtorek, 28 Kwietnia 2015 03:10 James Lay <jlay <at> slave-tothe-box.net> napisał(a)


 
Ah...yes with inline, drop will not pass the traffic, where as alert will.  My last bit of advice would be to change your test rule from drop to alert.  I've not used the react option, so I'll defer to someone else on the list for that bit.

James



I've changed drop to alert and nothing's change. Still just waiting.... in browser. React option AFAIK is the only way to display alert page in browser in inline mode so we must say that your ideas don't work..sorry. However many thanks for trying.

 

Generally I'm wondering... whether till now nobody use this tandem ? (Squid+Snort on Linux) because I can't find anything about this case in google - strange. Propably I'm the first.

 

Last question: do you know possibly if there is way in iptables to turning on double flow ? or is it way to inject back packets from one table to another ?

 

Robert

 


------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Michael B | 28 Apr 08:10 2015
Picon

Maximum oversize_dir_length



 Hello,


The default http_inspect oversize_dir_length is set to 500, but on what is this based? I'm getting a lot of "Oversize reguest-uri directory" warnings if I use this value. I've searched around on the Internet and it is mentioned that IE sets the limit at around 2000 characters, so why isn't this value used by default? Am I missing something?


Regards
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Michael Steele | 28 Apr 06:20 2015

Strange events happening after installing PulledPork

I’m not sure what’s going on. I just setup a new PulledPork instance, and its set to security for the rule set.

 

My previous instance ran a full set of rules for testing and I didn’t see the events below being logged

 

I’m getting hundreds of the events below. I’m only seeing this after setting up PulledPork 0.7.0

 

04/28-00:11:04.389178  [**] [1:1620:6] Snort Alert [1:1620:6] [**]

04/28-00:11:04.758601  [**] [1:1620:6] Snort Alert [1:1620:6] [**]

04/28-00:11:04.781636  [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:57503 -> 239.255.255.250:1900

04/28-00:11:05.758296  [**] [1:1620:6] Snort Alert [1:1620:6] [**]

04/28-00:11:06.192448  [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:55549 -> 192.168.0.255:32412

 

Any ideas why I’m getting these with PulledPork?

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
For Sinton | 28 Apr 05:54 2015

Re: False positives on mysql traffic


Hello
here is pcap traffic:
0000000: 41 00 00 00 03 53 45 4c 45 43 54 20 74   5f 5f 30 2e 2a 0a 46 52 4f 4d 20 0a 76  A....SELECT.t__0.*.FROM..v
000001A: 69 65 77 73 5f 76 69 65 77 20 74 5f 5f   30 0a 57 48 45 52 45 20 20 28 6e 61 6d  iews_view.t__0.WHERE..(nam
0000034: 65 20 49 4e 20 20 28 27 70 6f 6c 6c 73   27 29 29 20                             e.IN..('polls')).

----- Исходное сообщение -----
От: snort-users-request <at> lists.sourceforge.net
Кому: "forsin" <forsin <at> inbox.kg>
Отправленные: Вторник, 28 Апрель 2015 г 9:52:50
Тема: Welcome to the "Snort-users" mailing list

Welcome to the Snort-users <at> lists.sourceforge.net mailing list! This
list is for general discussion of Snort usage, problems, design, etc.

Do not use this list, or the members of this list to market your or
any other products to.  We value our Community's privacy and their
right not to receive unsolicited email.  Any attempts to do so will
result in your being banned from the lists indefinitely.

To post to this list, send your email to:

  snort-users <at> lists.sourceforge.net

General information about the mailing list is at:

  https://lists.sourceforge.net/lists/listinfo/snort-users

If you ever want to unsubscribe or change your options (eg, switch to
or from digest mode, change your password, etc.), visit your
subscription page at:

  https://lists.sourceforge.net/lists/options/snort-users/forsin%40inbox.kg

You can also make such adjustments via email by sending a message to:

  Snort-users-request <at> lists.sourceforge.net

with the word `help' in the subject or body (don't include the
quotes), and you will get back a message with instructions.

You must know your password to change your options (including changing
the password, itself) or to unsubscribe.  It is:

  gbplfghj

Normally, Mailman will remind you of your lists.sourceforge.net
mailing list passwords once every month, although you can disable this
if you prefer.  This reminder will also include instructions on how to
unsubscribe or change your account options.  There is also a button on
your options page that will email your current password to you.

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Gmane