Snort mailing list archives
RE: XML Plugins
From: "David Stubblefield" <dstubblefield () ragingnet com>
Date: Mon, 3 Nov 2003 07:15:57 -0800
I had the same problems with it crashing for snort 2.0.2, I would get segmentation faults. I found a posting on snort-developers from Harry at vigilantminds regarding a patch for XML for snort 2.0.2. I downloaded the patch and followed the instructions in the README and it works just fine. I am running RH8 with snort 2.0.2. Here is the posting: List: snort-devel Subject: [Snort-devel] Patch: Updated XML patch for 2.0.2 From: "Harry M. Leitzell III" <harry.leitzell () hushmail ! com> Date: 2003-10-29 5:57:46 [Download message RAW] Howdie folks, Here is an updated patch for the XML output of snort 2.0.2. If there is enough demand for it, I could move this into barnyard for the next snort release. I do work for Vigilantminds (The people who patched the original 2.0.0), and I am subscribed to all the Snort lists through harry.leitzell () vigilantminds com and this hushmail account, so you can reach me through either address if you like. -Harry ["snort_xml_2.0.2.tar.bz2" (application/x-bzip2)] Regards, David Stubblefield RagingNet -----Original Message----- From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net] Sent: Thursday, August 28, 2003 8:26 AM To: snort-users () lists sourceforge net Subject: Snort-users digest, Vol 1 #3506 - 10 msgs Send Snort-users mailing list submissions to snort-users () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net You can reach the person managing the list at snort-users-admin () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." Today's Topics: 1. Xml Plugins (Neal Timm) 2. Re: Re: [Snort-devel] IDS vs IPS (Mark Teicher) 3. RE: Re: [Snort-devel] IDS vs IPS (Mark Teicher) 4. ARP packets, exploits (chris) 5. RE: Re: [Snort-devel] IDS vs IPS (Mark Teicher) 6. Re: Re: [Snort-devel] IDS vs IPS (Mark Teicher) 7. RE: Re: [Snort-devel] IDS vs IPS (Gordon Cunningham) 8. Re: Rules for detecting spyware (Brian) 9. Re: Microsoft DCOM RPC Worm Alert (Brian) 10. RE: Re: [Snort-devel] IDS vs IPS (Gordon Cunningham) --__--__-- Message: 1 From: "Neal Timm" <nealtimm () sbcglobal net> To: <snort-users () lists sourceforge net> Date: Wed, 27 Aug 2003 20:18:52 -0500 Subject: [Snort-users] Xml Plugins This is a multi-part message in MIME format. ------=_NextPart_000_0009_01C36CD8.6FC60510 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit We are currently running snort 2.1 have upgraded from 2.0 we use the xml plugin supplied by vigiliantminds.com we have had a issue with it crashing on 2.0 and 2.1 on a regular basis currently we are on about a 8 meg isp pipe seeing about 20000 events a day. We really need the xml output from snort for our parsers. I have tried to download the xml patch from Cert also but when I compile snort with the libih and libair options snort does not recognize it and gives no xml plugin support. Has anybody been able to get this to work at all. Or does anyone know of any other xml plugins that could be used with snort. Any help is appreciated is this is a very big issue for our network. Thanks, Neal Timm 1400 Sleepytime Trl Pflugerville, Tx 78660 (512)-670-1516 ------=_NextPart_000_0009_01C36CD8.6FC60510 Content-Type: text/html; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 6.0.4630.0"> <TITLE>Xml Plugins</TITLE> </HEAD> <BODY> <!-- Converted from text/rtf format --> <P><FONT SIZE=3D2 FACE=3D"Arial">We are currently running snort 2.1 have = upgraded from 2.0 we use the xml plugin supplied by = vigiliantminds.com we have had a issue with it crashing on 2.0 and = 2.1 on a regular basis currently we are on about a 8 meg isp pipe = seeing about 20000 events a day. We really need the xml output = from snort for our parsers. I have tried to download the xml = patch from Cert also but when I compile snort with the libih and libair = options snort does not recognize it and gives no xml plugin = support. Has anybody been able to get this to work at = all. Or does anyone know of any other xml plugins that could be = used with snort.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial">Any help is appreciated is this is a = very big issue for our network.</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Thanks,</FONT> </P> <BR> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Arial">Neal Timm</FONT> <BR><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Arial">1400 Sleepytime = Trl</FONT> <BR><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Arial">Pflugerville, Tx = 78660</FONT> <BR><FONT COLOR=3D"#0000FF" SIZE=3D2 = FACE=3D"Arial">(512)-670-1516</FONT> </P> </BODY> </HTML> ------=_NextPart_000_0009_01C36CD8.6FC60510-- --__--__-- Message: 2 Date: Wed, 27 Aug 2003 22:21:52 -0600 To: Jason <security () brvenik com>,Frank Knobbe <frank () knobbe us> From: Mark Teicher <mht3 () earthlink net> Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS Cc: bwalder () spamcop net,'Jeff Nathan' <jeff () snort org>,Vkmobile () aol com, snort-devel () lists sourceforge net,snort-users () lists sourceforge net I disagree, New IPS is not the natural evolution of the existing firewall, it is natural evolution of marketing hype. !!! Good firewall code just doesn't exist anymore, except for the Ultimate Firewall toolkit....!!! At 09:16 PM 8/27/2003, Jason wrote:
Thanks, I think the matrix shows fairly well that the _new IPS_ is a natural evolution of the existing firewall. This is important to point out because there are existing investments
in
firewalls and these firewalls are rapidly closing the gap where needed.
I
know that CP has been moving in this direction for a while. It has also
been my experience that they have been moving at an appropriate pace
and
the capabilities have been there when I've needed them. One final statement. You do not need the firewall to log content if you
have an IDS that you can trust will not have a direct impact on the business should it be too critical of the data. You can also have confidence in your firewall because your IDS verifies
what you told the firewall to do and covers your arse when you let something by because of business requirements or a human error.
--__--__-- Message: 3 Date: Wed, 27 Aug 2003 22:22:45 -0600 To: twig les <twigles () yahoo com>,snort-users () lists sourceforge net From: Mark Teicher <mht3 () earthlink net> Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS I am still waiting for people on the list to detail what an IPS actually is and the underlying technology that makes it so attractive to large enterprise entities /mark At 09:20 PM 8/27/2003, twig les wrote:
I agree with an early post on this thread that IPS is basically a BS marketing term. A buzzword like "B2B". IPS is not a BS *concept* but techs can not let marketing ppl define our lingo (since they don't understand what they are describing) or we risk mass confusion, which it seems is happening here. So IDS and firewalls seem to be doing some overlapping functions, good, I hope the functionality matures. But I think we should let the Powerpoint brigade argue over what to call things in pamphlets. It's been a long day so this may come across way more offensive-sounding than I mean it. --- Frank Knobbe <frank () knobbe us> wrote:On Thu, 2003-08-28 at 01:46, Gordon Cunningham wrote:Black Ice Defender did this a few years ago... based onsignatures, thesystem could detect some attack types and automaticallyreact by preventingaccess from the source IP or port for some period of time.Right. But don't you consider BlackICE an IPS instead of a firewall? Regards, FrankATTACHMENT part 2 application/pgp-signature name=signature.asc===== ----------------------------------------------------------- Emo is what happens when the glee club goes punk. ----------------------------------------------------------- __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__-- Message: 4 From: chris <cfeldmann () nyc rr com> To: snort-users () lists sourceforge net Organization: Date: 28 Aug 2003 00:53:41 -0400 Subject: [Snort-users] ARP packets, exploits I am using snort behind shorewall at home because, frankly, I find IDS interesting (write SQL for a living, which helps a bit), but I am an admitted newbie. The preponderance of my logs (~95%) are ARP packets; they really stack up. Since I am behind a fairly muscular firewall configuration (there are a few ports open, e.g. ssh and http) would it be a big deal to write a rule to just drop these (from the logs, not drop the packets)? I can filter them (I guess, haven't tried yet) to an ignored table in the DB, but are there exploits that would appear as ARP-header packets? Is it obvious that I'm lazily posting when I could find this online (I hate it when people do that)? Actually I have pulled a bit of hair researching this before posting. Thanks, Chris --__--__-- Message: 5 Date: Wed, 27 Aug 2003 23:36:06 -0600 To: Frank Knobbe <frank () knobbe us>,twig les <twigles () yahoo com> From: Mark Teicher <mht3 () earthlink net> Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS Cc: snort-users () lists sourceforge net Can't call it that. You will infring on www.intrusion.com or www.innerwall.com claim to fame.. :) Inline IDS is a proven technology, IPS is not.. All the small fish were gobbled by the bigger fish, and are in the midst of re-tooling.. /mark At 09:53 PM 8/27/2003, Frank Knobbe wrote:
On Thu, 2003-08-28 at 03:20, twig les wrote:I agree with an early post on this thread that IPS is basically a BS marketing term. [...] It's been a long day so this may come across way more offensive-sounding than I mean it.heh... not at all. I used to prefer GIDS or Inline IDS, but I've come
to
realize that it does contain firewall like elements so xIDS may not be appropriate. Since it's somewhat an equal marriage of them, we should probably call it an Intrusion Wall, or IW. It's just that 'prevention' sounds so sexy :) Frank
--__--__-- Message: 6 Date: Wed, 27 Aug 2003 23:37:31 -0600 To: Frank Knobbe <frank () knobbe us>,Jason <security () brvenik com> From: Mark Teicher <mht3 () earthlink net> Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS Cc: snort-devel () lists sourceforge net,snort-users () lists sourceforge net At 09:47 PM 8/27/2003, Frank Knobbe wrote:
<mht> Some vendors are already introducing their products as a hybrid
IDS
and Forensics. NAI recently announced the Intellistream box.. Linux
with
3 terrabytes of storage.
/mark
I probably made this prediction before, but here is a good place to do it again. Mark my words :) "We will see a new breed of software become popular soon which is a merger of IDS and forensics software". Cheers, Frank
--__--__-- Message: 7 Reply-To: <gacunningham () bellsouth net> From: "Gordon Cunningham" <gacunningham () bellsouth net> To: <snort-devel () lists sourceforge net>, <snort-users () lists sourceforge net> Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS Date: Thu, 28 Aug 2003 10:16:03 -0400 Yes, we *ARE* seeing convergence in products like BlackIce (which I do consider a firewall+IDS - but not a router - I used to use it as my home DSL firewall with a dual-NIC machine and it worked very well during the height of Code Red), and the Cisco NIDS system's ability to interact with Cisco switches, routers and firewalls to provide reactive hardening upon threat detection. The problem, IMO, is that sufficient granularity has been lacking, possibly due to traffic levels and speed of detection issues to say nothing of the rulebase size, and the nature of networks to often have many types of inappropriate traffic appear as legitimate traffic or vice versa. And now we are adding a 4th dimension - time - how do you differentiate not only by host, protocol, port and payload, but now differentiation changes over time? While some firewall vendors will have a tough time making the leap from stateful inspection, those with application/proxy level (IP stack) firewalls (remember Raptor?) might be more comfortable dealing with packet payloads and traffic analysis, IMO. IPS is just another spin on this convergence, attempting to make it "one box" or one methodology, but either way it is the next step - an integration. But it will be the specialists teaming with the big boys that pull this off - unless someone really misses the mark, that's usually how the evolution (not revolution) in IT usually goes. - Gordon "The software said it requires Windows 98 or better, so I installed Linux..." -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bob Walder Sent: Thursday, August 28, 2003 5:15 AM To: 'Jason'; 'Frank Knobbe' Cc: bwalder () spamcop net; 'Mark Teicher'; 'Jeff Nathan'; Vkmobile () aol com; snort-devel () lists sourceforge net; snort-users () lists sourceforge net Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS One important distinction Firewalls are about policy enforcement - IDS and IPS are about detection (as of THIS moment in time) I still see the IPS as an evolution of the IDS and not the firewall. In my opinion, the firewall is itself gonna have to evolve pretty damn quickly to stop the IPS going the whole hog and taking over its job too. YES - the two technologies have similar aims and will undoubtedly converge. BUT, who do you see winning the race? In my opinion, the guys who already have the flashy hardware and solid IDS/IPS technology will have an easier time of it than the firewall vendors (i.e. the likes of Tippingpoint and Intruvert/NAI). By the way - why not ask NetScreen how hard it is to integrate IPS and firewall technology?! They already had a firewall appliance - if it is really that easy to converge these technologies (or if there really isn't a difference between them in the first place) then why have we not seen their IPS technology already fully integrated into their fancy firewall platform? Cisco is well placed to do this job too - it has the big switches which could take a flashy new IPS/IDS/firewall blade, and the in-house expertise with both firewall and IDS technologies. AND it understands how important it is for this stuff to be rock solid and scalable. Both Intruvert and Tippingpoint could probably also make a decent fist of it. But... It ain't easy! It will be a while before these things do converge, and until then I foresee a number of religious arguments over which technology is best, which technology is pure marketing hype, which technology came first, blah, blah, blah (i.e. a bit like this thread... ;o) Oh... And no way am I advocating that any one of these technologies can displace the others right now - they all have their place. On my network I have two firewalls at the perimeter for the policy enforcement stuff (i.e. that's where I say "allow HTTP to this server on my DMZ, don't allow Telnet to anything, allow FTP to that server on my DMZ, and so on...). Behind those I have an IPS - also at the perimeter - to catch the bad stuff that the firewall lets through (i.e. the firewall says let through HTTP traffic, but there is a lot of nasty stuff that could ride on the back of that). And finally, I have IDS systems on the DMZ and internal networks just so I can mop up anything that might get through owing to the fact I don't want my IPS to block absolutely everything ('cos it's just not ready for that yet!) I would LOVE to have just the one box for this.... But it's just not available...sorry Regards, Bob
-----Original Message----- From: Jason [mailto:security () brvenik com] Sent: 28 August 2003 05:17 To: Frank Knobbe Cc: bwalder () spamcop net; 'Mark Teicher'; 'Jeff Nathan'; Vkmobile () aol com; snort-devel () lists sourceforge net; snort-users () lists sourceforge net Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS Thanks, I think the matrix shows fairly well that the _new IPS_ is a natural evolution of the existing firewall. This is important to point out because there are existing investments in firewalls and these firewalls are rapidly closing the gap where needed. I know that CP has been moving in this direction for a while. It has also been my experience that they have been moving at an appropriate pace and the capabilities have been there when I've needed them. One final statement. You do not need the firewall to log content if you have an IDS that you can trust will not have a direct impact on the business should it be too critical of the data. You can also have confidence in your firewall because your IDS verifies what you told the firewall to do and covers your arse when you let something by because of business requirements or a human error. Frank Knobbe wrote:On Wed, 2003-08-27 at 18:36, Jason wrote:Bob Walder wrote:My 0.02 worth is that a Network IPS (NIPS) is a device with two interfaces that operates in-line to detect suspicious traffic and INSTANTLY discard the offending packet and the rest ofthe suspiciousflow.What we have here is a definition of an IPS that matches pretty closely what firewalls have been able to do for some time.Not quite. There are difference in the way firewalls and intrusion detection systems analyze data. For example, I have not seen a firewall that can identify a CodeRed attempt by name for example. Yeah, you can block HTTP methods and put limiters on URL'setc (youmentioned CP as an example which can do that with HTTPcontent stuff).But I have not come across a firewall with a 'signatureset' like IDS'have them......yet. It is true that most firewalls are under-utilized. However, an IPS (being based on an IDS) has capabilities beyond a firewall. Policy violations (or network flow anomalies) can be detected byfirewallsand cause some sort of reaction/enforcement (CP's SAM isone example).However, firewalls don't have statistical anomalydetection like someIDS' do. Let's draft a matrix of capabilities: Metric | Firewall | IDS | IPS ----------------------------------------------------------- Signature | Limited packet | Extensive | See IDS Analysis | inspection | signature sets | | due to lack of | allow wide | | rule set defin.| pattern match | ----------------------------------------------------------- Protocol | Mostly present | Present | Present validation | | | ----------------------------------------------------------- Traffic flow| Present, that's| Present | Present Anomaly Det.| what they do | | Present ----------------------------------------------------------- Statisitcal | Absent | Present | Absent (???) Anomaly Det.| | | (as of today) ----------------------------------------------------------- Packet Log | Logging mostly | capable of | See IDS | high level | logging content| ----------------------------------------------------------- Protocol | Present | Absent | Present normalizat | | | ion | | | =========================================================== Activity | Active | Mostly Passive | Active If someone wants to take this further, feel free. But asyou can see,IPS and firewalls are not quite alike (but neither are IPSand IDS! :)Regards, Frank
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users --__--__-- Message: 8 Date: Thu, 28 Aug 2003 11:16:01 -0400 From: Brian <bmc () snort org> To: Marc Quibell <mquibell () fbfs com> Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Rules for detecting spyware On Mon, Aug 11, 2003 at 09:54:49AM -0500, Marc Quibell wrote:
I've done a little checking, so far no luck. I wonder if it's possible
to setup
some Snort rules for detecting spyware data. I'll keep looking for the
actual
data content of such packets, but does anyone already have some rules?
TIA! Sure its possible to detect spyware. Do we do it currently? Nope. But thats cause I don't have packet captures for it. The easiest method for finding packets is to install the spyware in question, then sit back and watch. :) -brian --__--__-- Message: 9 Date: Thu, 28 Aug 2003 11:24:15 -0400 From: Brian <bmc () snort org> To: David <dwad24 () excite com> Cc: snort-users () lists sourceforge net, rreid () 1800FLOWERS com Subject: Re: [Snort-users] Microsoft DCOM RPC Worm Alert On Tue, Aug 12, 2003 at 11:56:26AM -0400, David wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \ (msg:"DCE RPC Interface Buffer Overflow Exploit"; \ content:"|00 5C 00 5C|"; \ content:!"|5C|"; within:32;\ flow:to_server,established; \ reference:bugtraq,8205; rev: 1;)
This rule is easily evadable. Sure, the vulnerability is predicated by an overly long path. That doesn't mean the service validates the path before it attempts to deal with it. Take any of the exploits and change the path from \\[lotsocrap]\C$\123456111111111111111.doc to random crap and it will still crash the service. -brian --__--__-- Message: 10 Reply-To: <gacunningham () bellsouth net> From: "Gordon Cunningham" <gacunningham () bellsouth net> To: "Mark Teicher" <mht3 () earthlink net>, "twig les" <twigles () yahoo com>, <snort-users () lists sourceforge net> Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS Date: Thu, 28 Aug 2003 11:24:30 -0400 Ok, for me, IPS is a class of systems, not a single hardware device. It includes firewalls, routers, IDS and whatever convergence of those systems is seen. Whether we include security policy in the definition, yes if we talk about a general enterprise system, no if we refer to hardware devices. Who coined the term and how do they define it? - Gordon "The software said it requires Windows 98 or better, so I installed Linux..." -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Mark Teicher Sent: Thursday, August 28, 2003 12:23 AM To: twig les; snort-users () lists sourceforge net Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS I am still waiting for people on the list to detail what an IPS actually is and the underlying technology that makes it so attractive to large enterprise entities /mark At 09:20 PM 8/27/2003, twig les wrote:
I agree with an early post on this thread that IPS is basically a BS marketing term. A buzzword like "B2B". IPS is not a BS *concept* but techs can not let marketing ppl define our lingo (since they don't understand what they are describing) or we risk mass confusion, which it seems is happening here. So IDS and firewalls seem to be doing some overlapping functions, good, I hope the functionality matures. But I think we should let the Powerpoint brigade argue over what to call things in pamphlets. It's been a long day so this may come across way more offensive-sounding than I mean it. --- Frank Knobbe <frank () knobbe us> wrote:On Thu, 2003-08-28 at 01:46, Gordon Cunningham wrote:Black Ice Defender did this a few years ago... based onsignatures, thesystem could detect some attack types and automaticallyreact by preventingaccess from the source IP or port for some period of time.Right. But don't you consider BlackICE an IPS instead of a firewall? Regards, FrankATTACHMENT part 2 application/pgp-signature name=signature.asc===== ----------------------------------------------------------- Emo is what happens when the glee club goes punk. ----------------------------------------------------------- __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users --__--__-- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: XML Plugins David Stubblefield (Nov 03)