Snort mailing list archives
Not Picking up Much WHY "I am pulling out my hair"
From: "Elijah Savage" <esavage () digitalrage org>
Date: Sun, 12 Oct 2003 20:23:39 -0400
I have setup snort2.0 and Barnyard0.1.0 on my adsl link on my firewall it is logging to a mysql database on a different machine which is running ACID but the only thing I seem to be picking up is icmp stuff. I have turned on all the rules, as a drastic measure from the inside I went and visited some pr0n sites and it was not picked up. I am monitoring the outside interface on the firewall fxp0. I am at a lost. I have essentially left everything at the default except for the home net and uncommenting all the rules trying to make sure everything is working. I know my config files are large and can be cut down and tuned but I just want to get it working first. In Acid I got 100% ICMP traffic and 0% TCP 0%UDP, if anyone can help me understand what I might be doing wrong it would be greatly appreciated. This is how I start snort and Barnyard. /usr/local/bin/snort -i fxp0 -t /var/log/snort -c /etc/snort/snort.conf -u XXX -g XXX -D /usr/local/bin/barnyard -D -w barn.waldo -c /etc/snort/barnyard.conf -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -f snort.log #-------------------------------------------------- # http://www.snort.org Snort 2.0.0 Ruleset # Contact: snort-sigs () lists sourceforge net #-------------------------------------------------- # $Id: snort.conf,v 1.124 2003/05/16 02:52:41 cazz Exp $ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your # own custom configuration: # # 1) Set the network variables for your network # 2) Configure preprocessors # 3) Configure output plugins # 4) Customize your rule set # ################################################### # Step #1: Set the network variables: # # You must change the following variables to reflect # your local network. The variable is currently # setup for an RFC 1918 address space. # # You can specify it explicitly as: # # var HOME_NET 10.1.1.0/24 # # or use global variable $<interfacename>_ADDRESS # which will be always initialized to IP address and # netmask of the network interface which you run # snort at. Under Windows, this must be specified # as $(<interfacename>_ADDRESS), such as: # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) # # var HOME_NET $eth0_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this: var HOME_NET [192.168.X.X/24,192.168.X.X/24] # Set up the external network addresses as well. # A good start may be "any" var EXTERNAL_NET any # Configure your server lists. This allows snort to only look for attacks # to systems that have a service up. Why look for HTTP attacks if you are # not running a web server? This allows quick filtering based on IP addresses # These configurations MUST follow the same configuration scheme as defined # above for $HOME_NET. # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # Configure your service ports. This allows snort to look for attacks # destined to a specific application only on the ports that application # runs on. For example, if you run a web server on port 8081, set your # HTTP_PORTS variable like this: # # var HTTP_PORTS 8081 # # Port lists must either be continuous [eg 80:8080], or a single port [eg 80]. # We will adding support for a real list of ports in the future. # Ports you run web servers on var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # other variables # # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of # servers. var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12. 29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] # Path to your rules files (this can be a relative path) var RULE_PATH /etc/snort/rules # Configure the snort decoder: # ============================ # # Stop generic decode events: # # config disable_decode_alerts # # Stop Alerts on experimental TCP options # # config disable_tcpopt_experimental_alerts # # Stop Alerts on obsolete TCP options # # config disable_tcpopt_obsolete_alerts # # Stop Alerts on T/TCP alerts # # config disable_ttcp_alerts # # Stop Alerts on all other TCPOption type events: # # config disable_tcpopt_alerts # # Stop Alerts on invalid ip options # # config disable_ipopt_alerts # Configure the detection engine # =============================== # # Use a different pattern matcher in case you have a machine with very # limited resources: # config detection: search-method lowmem ################################################### # Step #2: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor <name_of_processor>: <configuration_options> # frag2: IP defragmentation support # ------------------------------- # This preprocessor performs IP defragmentation. This plugin will also detect # people launching fragmentation attacks (usually DoS) against hosts. No # arguments loads the default configuration of the preprocessor, which is a # 60 second timeout and a 4MB fragment buffer. # The following (comma delimited) options are available for frag2 # timeout [seconds] - sets the number of [seconds] than an unfinished # fragment will be kept around waiting for completion, # if this time expires the fragment will be flushed # memcap [bytes] - limit frag2 memory usage to [number] bytes # (default: 4194304) # # min_ttl [number] - minimum ttl to accept # # ttl_limit [number] - difference of ttl to accept without alerting # will cause false positves with router flap # # Frag2 uses Generator ID 113 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Oversized fragment (reassembled frag > 64k bytes) # 2 Teardrop-type attack preprocessor frag2 # stream4: stateful inspection/stream reassembly for Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # # disable_evasion_alerts - turn off the possibly noisy mitigation of # overlapping sequences. # # # min_ttl [number] - set a minium ttl that snort will accept to # stream reassembly # # ttl_limit [number] - differential of the initial ttl on a session versus # the normal that someone may be playing games. # Routing flap may cause lots of false positives. # # keepstats [machine|binary] - keep session statistics, add "machine" to # get them in a flat format for machine reading, add # "binary" to get them in a unified binary output # format # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes # log_flushed_streams - if an event is detected on a stream this option will # cause all packets that are stored in the stream4 # packet buffers to be flushed to disk. This only # works when logging in pcap mode! # # Stream4 uses Generator ID 111 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Stealth activity # 2 Evasive RST packet # 3 Evasive TCP packet retransmission # 4 TCP Window violation # 5 Data on SYN packet # 6 Stealth scan: full XMAS # 7 Stealth scan: SYN-ACK-PSH-URG # 8 Stealth scan: FIN scan # 9 Stealth scan: NULL scan # 10 Stealth scan: NMAP XMAS scan # 11 Stealth scan: Vecna scan # 12 Stealth scan: NMAP fingerprint scan stateful detect # 13 Stealth scan: SYN-FIN scan # 14 TCP forward overlap preprocessor stream4: detect_scans, disable_evasion_alerts # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default" will turn # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 # and 513 preprocessor stream4_reassemble # http_decode: normalize HTTP requests # ------------------------------------ # http_decode normalizes HTTP requests from remote # machines by converting any %XX character # substitutions to their ASCII equivalent. This is # very useful for doing things like defeating hostile # attackers trying to stealth themselves from IDSs by # mixing these substitutions in with the request. # Specify the port numbers you want it to analyze as arguments. # # Major code cleanups thanks to rfp # # unicode - normalize unicode # iis_alt_unicode - %u encoding from iis # double_encode - alert on possible double encodings # iis_flip_slash - normalize \ as / # full_whitespace - treat \t as whitespace ( for apache ) # # for that GID: # SID Event description # ----- ------------------- # 1 UNICODE attack # 2 NULL byte attack preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slas h full_whitespace # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual # 4-byte encoding that is used by default. This preprocessor # normalized RPC traffic in much the same way as the http_decode # preprocessor. This plugin takes the ports numbers that RPC # services are running on as arguments. # The RPC decode preprocessor uses generator ID 106 # # arguments: space separated list # alert_fragments - alert on any rpc fragmented TCP data # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet # no_alert_large_fragments - don't alert when the fragmented # sizes exceed the current packet size # no_alert_incomplete - don't alert when a single segment # exceeds the current packet size preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. Takes no arguments in 2.0. # # The Back Orifice detector uses Generator ID 105 and uses the # following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Back Orifice traffic detected preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from # telnet and ftp traffic. It works in much the same way as the # http_decode preprocessor, searching for traffic that breaks up # the normal data stream of a protocol and replacing it with # a normalized representation of that traffic so that the "content" # pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. # Portscan uses Generator ID 109 and does not generate any SID currently. preprocessor telnet_decode # Portscan: detect a variety of portscans # --------------------------------------- # portscan preprocessor by Patrick Mullen <p_mullen () linuxrc net> # This preprocessor detects UDP packets or TCP SYN packets going to # four different ports in less than three seconds. "Stealth" TCP # packets are always detected, regardless of these settings. # Portscan uses Generator ID 100 and uses the following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Portscan detect # 2 Inter-scan info # 3 Portscan End preprocessor portscan: 0.0.0.0/0 5 3 portscan.log # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific networks or hosts to reduce false alerts. It is typical # to see many false alerts from DNS servers so you may want to # add your DNS servers here. You can all multiple hosts/networks # in a whitespace-delimited list. # #preprocessor portscan-ignorehosts: 0.0.0.0 # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # unicast ARP requests, and specific ARP mapping monitoring. To make use # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP request detection. # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Unicast ARP request # 2 Etherframe ARP mismatch (src) # 3 Etherframe ARP mismatch (dst) # 4 ARP cache overwrite attack #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 # Conversation #------------------------------------------ # This preprocessor tracks conversations for tcp, udp and icmp traffic. It # is a prerequisite for running portscan2. # # allowed_ip_protcols 1 6 17 # list of allowed ip protcols ( defaults to any ) # # timeout [num] # conversation timeout ( defaults to 60 ) # # # max_conversations [num] # number of conversations to support at once (defaults to 65335) # # # alert_odd_protocols # alert on protocols not listed in allowed_ip_protocols # # preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversat ions 3000 # # Portscan2 #------------------------------------------- # Portscan 2, detect portscans in a new and exciting way. You must enable # spp_conversation in order to use this preprocessor. # # Available options: # scanners_max [num] # targets_max [num] # target_limit [num] # port_limit [num] # timeout [num] # log [logdir] # #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, por t_limit 20, timeout 60 # Too many false alerts from portscan2? Tone it down with # portscan2-ignorehosts! # # A space delimited list of addresses in CIDR notation to ignore # # preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24 # # Experimental Perf stats # ----------------------- # No docs. Highly subject to change. # # preprocessor perfmonitor: console flow events time 10 #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. # General configuration for output plugins is of the form: # # output <name_of_plugin>: <configuration_options> # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments. Win32 can also # optionally specify a particular hostname/port. Under Win32, the # default hostname is '127.0.0.1', and the default port is 514. # # [Unix flavours should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: tcpdump.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # #output database: log, mysql, user= password= dbname=snort host= # output database: alert, postgresql, user=snort dbname=snort # output database: log, unixodbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging # and generating alerts from Snort, the "unified" format. The # unified format is a straight binary format for logging data # out of Snort that is designed to be fast and efficient. Used # with barnyard (the new alert/log processor), most of the overhead # for logging and alerting to various slow storage mechanisms # such as databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # Two arguments are supported. # filename - base filename to write to (current time_t is appended) # limit - maximum size of spool file in MB (default: 128) # output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128 # You can optionally define new rule types and associate one or # more output plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog # and a mysql database. # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=snort dbname=snort host=localhost # } # # EXAMPLE RULE FOR REDALERT RULETYPE # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ # (msg:"Someone is being LEET"; flags:A+;) # # Include classification & priority settings # include classification.config # # Include reference systems # include reference.config #################################################################### # Step #4: Customize your rule set # # Up to date snort rules are available at http://www.snort.org # # The snort web site has documentation about how to write your own # custom snort rules. # # The rules included with this distribution generate alerts based on # on suspicious activity. Depending on your network environment, your # security policies, and what you consider to be suspicious, some of # these rules may either generate false positives ore may be detecting # activity you consider to be acceptable; therefore, you are # encouraged to comment out rules that are not applicable in your # environment. # # Note that using all of the rules at the same time may lead to # serious packet loss on slower machines. YMMV, use with caution, # standard disclaimers apply. :) # # The following individuals contributed many of rules in this # distribution. # # Credits: # Ron Gula <rgula () securitywizards com> of Network Security Wizards # Max Vision <vision () whitehats com> # Martin Markgraf <martin () mail du gtn com> # Fyodor Yarochkin <fygrave () tigerteam net> # Nick Rogness <nick () rapidnet com> # Jim Forster <jforster () rapidnet com> # Scott McIntyre <scott () whoi edu> # Tom Vandepoel <Tom.Vandepoel () ubizen com> # Brian Caswell <bmc () snort org> # Zeno <admin () cgisecurity com> # Ryan Russell <ryan () securityfocus com> # #========================================= # Include all relevant rulesets here # # shellcode, policy, info, backdoor, and virus rulesets are # disabled by default. These require tuning and maintance. # Please read the included specific file for more information. #========================================= include $RULE_PATH/bad-traffic.rules include $RULE_PATH/exploit.rules include $RULE_PATH/scan.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/misc.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/nntp.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/backdoor.rules # include $RULE_PATH/shellcode.rules # include $RULE_PATH/policy.rules include $RULE_PATH/porn.rules # include $RULE_PATH/info.rules include $RULE_PATH/icmp-info.rules include $RULE_PATH/virus.rules # include $RULE_PATH/chat.rules # include $RULE_PATH/multimedia.rules # include $RULE_PATH/p2p.rules include $RULE_PATH/experimental.rules include $RULE_PATH/local.rules Barnyard.conf #------------------------------------------------------------- # http://www.snort.org Barnyard 0.1.0 configuration file # Contact: snort-barnyard () lists sourceforge net #------------------------------------------------------------- # $Id: barnyard.conf,v 1.1.1.1 2002/12/02 20:51:35 andrewbaker Exp $ ######################################################## # Currently you want to do two things in here: turn on # available data processors and turn on output plugins. # The data processors (dp's) and output plugin's (op's) # automatically associate with each other by type and # are automatically selected at run time depending on # the type of file you try to load. ######################################################## # Step 0: configuration declarations # To keep from having a commandline that uses every letter in the alphabet # most configuration options are set here # enable daemon mode # config daemon # use localtime instead of UTC (*not* recommended because of timewarps) #config localtime # set the hostname (currently only used for the acid db output plugin) config hostname: destroyer # set the interface name (currently only used for the acid db output plugin) config interface: fxp0 # set the filter (currently only used for the acid db output plugin) config filter: not port 22 # Step 1: setup the data processors # dp_alert # -------------------------- # The dp_alert data processor is capable of reading the alert (event) format # generated by Snort's spo_unified plug-in. It is used with output plug-ins # that support the "alert" input type. This plug-in takes no arguments. processor dp_alert # dp_log # --------------------------- # The dp_log data processor is capable of reading the log format generated # by Snort's spo_unified plug-in. It is used with output plug-ins # that support the "log" input type. This plug-in takes no arguments. processor dp_log # dp_stream_stat # --------------------------- # The dp_stream_stat data processor is capable of reading the binary output # generated by Snort's spp_stream4 plug-in. It is used with output plug-ins # that support the "stream_stat" input type. This plug-in takes no arguments. processor dp_stream_stat # Step 2: setup the output plugins # alert_fast #----------------------------- # Converts data from the dp_alert plugin into an approximation of Snort's # "fast alert" mode. Argument: <filename> #output alert_fast # log_dump #----------------------------- # Converts data from the dp_log plugin into an approximation of Snort's # "ASCII packet dump" mode. Argument: <filename> #output log_dump # alert_html (experimental) #--------------------------- # Creates a series of html pages about recent alerts # Arguments: # [webroot] - base directory for storing the html pages # # Example: # output alert_html: /var/www/htdocs/op_alert_html # output alert_html: /var/www/htdocs/op_alert_html # alert_csv (experimental) #--------------------------- # Creates a CSV output file of alerts (optionally using a user specified format) # Arguments: filepath [format] # # The format is a comma-seperated list of fields to output (no spaces allowed) # The available fields are: # sig_gen - signature generator # sig_id - signature id # sig_rev - signatrue revision # sid - SID triplet # class - class id # classname - textual name of class # priority - priority id # event_id - event id # event_reference - event reference # ref_tv_sec - reference seconds # ref_tv_usec - reference microseconds # tv_sec - event seconds # tv_usec - event microseconds # timestamp - prettified timestamp (2001-01-01 01:02:03) in UTC # src - src address as a u_int32_t # srcip - src address as a dotted quad # dst - dst address as a u_int32_t # dstip - dst address as a dotted quad # sport_itype - source port or ICMP type (or 0) # sport - source port (if UDP or TCP) # itype - ICMP type (if ICMP) # dport_icode - dest port or ICMP code (or 0) # dport - dest port # icode - ICMP code (if ICMP) # proto - protocol number # protoname - protocol name # flags - flags from UnifiedAlertRecord # msg - message text # hostname - hostname (from barnyard.conf) # interface - interface (from barnyard.conf) # # Examples: # output alert_csv: /var/log/snort/csv.out # output alert_csv: /var/log/snort/csv.out timestamp,msg,srcip,sport,dstip,dp ort,protoname,itype,icode # output alert_csv: csv.out timestamp,msg,srcip,sport,dstip,dport,protoname,i type,icode # alert_syslog #----------------------------- # Converts data from the alert stream into an approximation of Snort's # syslog alert output plugin. Same arguments as the output plugin in snort. #output alert_syslog # log_pcap #----------------------------- # Converts data from the dp_log plugin into standard pcap format # Argument: <filename> #output log_pcap # acid_db #------------------------------- # Available as both a log and alert output plugin. Used to output data into # the db schema used by ACID # Arguments: # $db_flavor - what flavor of database (ie, mysql) # sensor_id $sensor_id - integer sensor id to insert data as # database $database - name of the database # server $server - server the database is located on # user $user - username to connect to the database as # password $password - password for database authentication output alert_acid_db: mysql, sensor_id 1, database snort, server X.X.X.X, user XXX, password XXXX output log_acid_db: mysql, database snort, server X.X.X.X, user XXX, password XXXX, detail full ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Not Picking up Much WHY "I am pulling out my hair" Elijah Savage (Oct 12)
- Re: Not Picking up Much WHY "I am pulling out my hair" Patrick Harper (Oct 12)