Snort mailing list archives

RE: XML Plugins

From: "David Stubblefield" <dstubblefield () ragingnet com>
Date: Mon, 3 Nov 2003 07:15:57 -0800

I had the same problems with it crashing for snort 2.0.2, I would get
segmentation faults.  I found a posting on snort-developers from Harry
at vigilantminds regarding a patch for XML for snort 2.0.2.  I
downloaded the patch and followed the instructions in the README and it
works just fine.  I am running RH8 with snort 2.0.2.  Here is the
posting:

List:     snort-devel
Subject:  [Snort-devel] Patch: Updated XML patch for 2.0.2
From:     "Harry M. Leitzell III" <harry.leitzell () hushmail ! com>
Date:     2003-10-29 5:57:46
[Download message RAW]

Howdie folks,
Here is an updated patch for the XML output of snort 2.0.2.  If there
is enough demand for it, I could move this into barnyard for the next
snort release.
I do work for Vigilantminds (The people who patched the original 2.0.0),
 and I am subscribed to all the Snort lists through
harry.leitzell () vigilantminds com
and this hushmail account, so you can reach me through either address
if you like.

-Harry

["snort_xml_2.0.2.tar.bz2" (application/x-bzip2)]

Regards,
David Stubblefield
RagingNet

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net] 
Sent: Thursday, August 28, 2003 8:26 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3506 - 10 msgs

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."

Today's Topics:

   1. Xml Plugins (Neal Timm)
   2. Re: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   3. RE: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   4. ARP packets, exploits (chris)
   5. RE: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   6. Re: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   7. RE: Re: [Snort-devel] IDS vs IPS (Gordon Cunningham)
   8. Re: Rules for detecting spyware (Brian)
   9. Re: Microsoft DCOM RPC Worm Alert (Brian)
  10. RE: Re: [Snort-devel] IDS vs IPS (Gordon Cunningham)

--__--__--

Message: 1
From: "Neal Timm" <nealtimm () sbcglobal net>
To: <snort-users () lists sourceforge net>
Date: Wed, 27 Aug 2003 20:18:52 -0500
Subject: [Snort-users] Xml Plugins

This is a multi-part message in MIME format.

------=_NextPart_000_0009_01C36CD8.6FC60510
Content-Type: text/plain;
        charset="US-ASCII"
Content-Transfer-Encoding: 7bit

We are currently running snort 2.1 have upgraded from 2.0  we use the
xml plugin supplied by vigiliantminds.com  we have had a issue with it
crashing on 2.0 and 2.1 on a regular basis currently we are on  about a
8 meg isp pipe seeing about 20000 events a day.  We really need the xml
output from snort for our parsers.   I have tried to download the xml
patch from Cert also but when I compile snort with the libih and libair
options snort does not recognize it and  gives no xml plugin support.
Has anybody been able to get this to work at all.  Or does anyone know
of any other xml plugins that could be used with snort.
Any help is appreciated is this is a very big issue for our network.

Thanks,

Neal Timm
1400 Sleepytime Trl
Pflugerville, Tx 78660
(512)-670-1516

------=_NextPart_000_0009_01C36CD8.6FC60510
Content-Type: text/html;
        charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
6.0.4630.0">
<TITLE>Xml Plugins</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->

<P><FONT SIZE=3D2 FACE=3D"Arial">We are currently running snort 2.1 have
=
upgraded from 2.0&nbsp; we use the xml plugin supplied by =
vigiliantminds.com&nbsp; we have had a issue with it crashing on 2.0 and
=
2.1 on a regular basis currently we are on&nbsp; about a 8 meg isp pipe
=
seeing about 20000 events a day.&nbsp; We really need the xml output =
from snort for our parsers.&nbsp;&nbsp; I have tried to download the xml
=
patch from Cert also but when I compile snort with the libih and libair
=
options snort does not recognize it and&nbsp; gives no xml plugin =
support.&nbsp;&nbsp; Has anybody been able to get this to work at =
all.&nbsp; Or does anyone know of any other xml plugins that could be =
used with snort.</FONT></P>

<P><FONT SIZE=3D2 FACE=3D"Arial">Any help is appreciated is this is a =
very big issue for our network.</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial">Thanks,</FONT>
</P>
<BR>

<P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Arial">Neal Timm</FONT>

<BR><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Arial">1400 Sleepytime =
Trl</FONT>

<BR><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Arial">Pflugerville, Tx =
78660</FONT>

<BR><FONT COLOR=3D"#0000FF" SIZE=3D2 =
FACE=3D"Arial">(512)-670-1516</FONT>
</P>

</BODY>
</HTML>
------=_NextPart_000_0009_01C36CD8.6FC60510--

--__--__--

Message: 2
Date: Wed, 27 Aug 2003 22:21:52 -0600
To: Jason <security () brvenik com>,Frank Knobbe <frank () knobbe us>
From: Mark Teicher <mht3 () earthlink net>
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
Cc: bwalder () spamcop net,'Jeff Nathan' <jeff () snort org>,Vkmobile () aol com,
 snort-devel () lists sourceforge net,snort-users () lists sourceforge net

I disagree, New IPS is not the natural evolution of the existing
firewall, 
it is natural evolution of marketing hype. !!! Good firewall code just 
doesn't exist anymore, except for the Ultimate Firewall toolkit....!!!

At 09:16 PM 8/27/2003, Jason wrote:

Thanks, I think the matrix shows fairly well that the _new IPS_ is a 
natural evolution of the existing firewall.

This is important to point out because there are existing investments

in

firewalls and these firewalls are rapidly closing the gap where needed.

know that CP has been moving in this direction for a while. It has also

been my experience that they have been moving at an appropriate pace

and

the capabilities have been there when I've needed them.

One final statement. You do not need the firewall to log content if you

have an IDS that you can trust will not have a direct impact on the 
business should it be too critical of the data.

You can also have confidence in your firewall because your IDS verifies

what you told the firewall to do and covers your arse when you let 
something by because of business requirements or a human error.




--__--__--

Message: 3
Date: Wed, 27 Aug 2003 22:22:45 -0600
To: twig les <twigles () yahoo com>,snort-users () lists sourceforge net
From: Mark Teicher <mht3 () earthlink net>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

I am still waiting for people on the list to detail what an IPS actually
is 
and the underlying technology that makes it so attractive to large 
enterprise entities

/mark

At 09:20 PM 8/27/2003, twig les wrote:

I agree with an early post on this thread that IPS is basically
a BS marketing term. A buzzword like "B2B". IPS is not a BS
*concept* but techs can not let marketing ppl define our lingo
(since they don't understand what they are describing) or we
risk mass confusion, which it seems is happening here. So IDS
and firewalls seem to be doing some overlapping functions, good,
I hope the functionality matures. But I think we should let the
Powerpoint brigade argue over what to call things in pamphlets.

It's been a long day so this may come across way more
offensive-sounding than I mean it.

--- Frank Knobbe <frank () knobbe us> wrote:

On Thu, 2003-08-28 at 01:46, Gordon Cunningham wrote:

Black Ice Defender did this a few years ago... based on

signatures, the

system could detect some attack types and automatically

react by preventing

access from the source IP or port for some period of time.



Right. But don't you consider BlackICE an IPS instead of a
firewall?

Regards,
Frank

ATTACHMENT part 2 application/pgp-signature name=signature.asc




=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 4
From: chris <cfeldmann () nyc rr com>
To: snort-users () lists sourceforge net
Organization: 
Date: 28 Aug 2003 00:53:41 -0400
Subject: [Snort-users] ARP packets, exploits

I am using snort behind shorewall at home because, frankly, I find IDS
interesting (write SQL for a living, which helps a bit), but I am an
admitted newbie. The preponderance of my logs (~95%) are ARP packets;
they really stack up. Since I am behind a fairly muscular firewall
configuration (there are a few ports open, e.g. ssh and http) would it
be a big deal to write a rule to just drop these (from the logs, not
drop the packets)? I can filter them (I guess, haven't tried yet) to an
ignored table in the DB, but are there exploits that would appear as
ARP-header packets? Is it obvious that I'm lazily posting when I could
find this online (I hate it when people do that)? Actually I have pulled
a bit of hair researching this before posting.

Thanks,
Chris

--__--__--

Message: 5
Date: Wed, 27 Aug 2003 23:36:06 -0600
To: Frank Knobbe <frank () knobbe us>,twig les <twigles () yahoo com>
From: Mark Teicher <mht3 () earthlink net>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
Cc: snort-users () lists sourceforge net

Can't call it that. You will infring on www.intrusion.com or 
www.innerwall.com claim to fame.. :)

Inline IDS is a proven technology, IPS is not..  All the small fish were

gobbled by the bigger fish, and are in the midst of re-tooling..

/mark

At 09:53 PM 8/27/2003, Frank Knobbe wrote:

On Thu, 2003-08-28 at 03:20, twig les wrote:

I agree with an early post on this thread that IPS is basically
a BS marketing term.
[...]
It's been a long day so this may come across way more
offensive-sounding than I mean it.


heh... not at all. I used to prefer GIDS or Inline IDS, but I've come

to

realize that it does contain firewall like elements so xIDS may not be
appropriate.

Since it's somewhat an equal marriage of them, we should probably call
it an Intrusion Wall, or IW. It's just that 'prevention' sounds so sexy
:)

Frank




--__--__--

Message: 6
Date: Wed, 27 Aug 2003 23:37:31 -0600
To: Frank Knobbe <frank () knobbe us>,Jason <security () brvenik com>
From: Mark Teicher <mht3 () earthlink net>
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
Cc: snort-devel () lists sourceforge net,snort-users () lists sourceforge net

At 09:47 PM 8/27/2003, Frank Knobbe wrote:

<mht> Some vendors are already introducing their products as a hybrid

IDS

and Forensics.  NAI recently announced the Intellistream box.. Linux

with

3 terrabytes of storage.



/mark

I probably made this prediction before, but here is a good place to do
it again. Mark my words :) "We will see a new breed of software become
popular soon which is a merger of IDS and forensics software".

Cheers,
Frank

--__--__--

Message: 7
Reply-To: <gacunningham () bellsouth net>
From: "Gordon Cunningham" <gacunningham () bellsouth net>
To: <snort-devel () lists sourceforge net>,
        <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
Date: Thu, 28 Aug 2003 10:16:03 -0400

Yes, we *ARE* seeing convergence in products like BlackIce (which I do
consider a firewall+IDS - but not a router - I used to use it as my home
DSL
firewall with a dual-NIC machine and it worked very well during the
height
of Code Red),  and the Cisco NIDS system's ability to interact with
Cisco
switches, routers and firewalls to provide reactive hardening upon
threat
detection.  The problem, IMO, is that sufficient granularity has been
lacking, possibly due to traffic levels and speed of detection issues to
say
nothing of the rulebase size, and the nature of networks to often have
many
types of inappropriate traffic appear as legitimate traffic or vice
versa.
And now we are adding a 4th dimension - time - how do you differentiate
not
only by host, protocol, port and payload, but now differentiation
changes
over time?

While some firewall vendors will have a tough time making the leap from
stateful inspection, those with application/proxy level (IP stack)
firewalls
(remember Raptor?) might be more comfortable dealing with packet
payloads
and traffic analysis, IMO.  IPS is just another spin on this
convergence,
attempting to make it "one box" or one methodology, but either way it is
the
next step - an integration.

But it will be the specialists teaming with the big boys that pull this
off - unless someone really misses the mark, that's usually how the
evolution (not revolution) in IT usually goes.

- Gordon

"The software said it requires Windows 98 or better, so I installed
Linux..."

 -----Original Message-----
From:   snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]  On Behalf Of Bob
Walder
Sent:   Thursday, August 28, 2003 5:15 AM
To:     'Jason'; 'Frank Knobbe'
Cc:     bwalder () spamcop net; 'Mark Teicher'; 'Jeff Nathan';
Vkmobile () aol com;
snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject:        RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

One important distinction

Firewalls are about policy enforcement - IDS and IPS are about detection
(as of THIS moment in time)

I still see the IPS as an evolution of the IDS and not the firewall. In
my opinion, the firewall is itself gonna have to evolve pretty damn
quickly to stop the IPS going the whole hog and taking over its job too.

YES - the two technologies have similar aims and will undoubtedly
converge. BUT, who do you see winning the race? In my opinion, the guys
who already have the flashy hardware and solid IDS/IPS technology will
have an easier time of it than the firewall vendors (i.e. the likes of
Tippingpoint and Intruvert/NAI).

By the way - why not ask NetScreen how hard it is to integrate IPS and
firewall technology?! They already had a firewall appliance - if it is
really that easy to converge these technologies (or if there really
isn't a difference between them in the first place) then why have we not
seen their IPS technology already fully integrated into their fancy
firewall platform?

Cisco is well placed to do this job too - it has the big switches which
could take a flashy new IPS/IDS/firewall blade, and the in-house
expertise with both firewall and IDS technologies. AND it understands
how important it is for this stuff to be rock solid and scalable. Both
Intruvert and Tippingpoint could probably also make a decent fist of it.

But... It ain't easy! It will be a while before these things do
converge, and until then I foresee a number of religious arguments over
which technology is best, which technology is pure marketing hype, which
technology came first, blah, blah, blah (i.e. a bit like this thread...
;o)

Oh... And no way am I advocating that any one of these technologies can
displace the others right now - they all have their place. On my network
I have two firewalls at the perimeter for the policy enforcement stuff
(i.e. that's where I say "allow HTTP to this server on my DMZ, don't
allow Telnet to anything, allow FTP to that server on my DMZ, and so
on...). Behind those I have an IPS - also at the perimeter - to catch
the bad stuff that the firewall lets through (i.e. the firewall says let
through HTTP traffic, but there is a lot of nasty stuff that could ride
on the back of that). And finally, I have IDS systems on the DMZ and
internal networks just so I can mop up anything that might get through
owing to the fact I don't want my IPS to block absolutely everything
('cos it's just not ready for that yet!)

I would LOVE to have just the one box for this.... But it's just not
available...sorry

Regards,

Bob

-----Original Message-----
From: Jason [mailto:security () brvenik com]
Sent: 28 August 2003 05:17
To: Frank Knobbe
Cc: bwalder () spamcop net; 'Mark Teicher'; 'Jeff Nathan';
Vkmobile () aol com; snort-devel () lists sourceforge net;
snort-users () lists sourceforge net
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS

Thanks, I think the matrix shows fairly well that the _new IPS_ is a
natural evolution of the existing firewall.

This is important to point out because there are existing
investments in
firewalls and these firewalls are rapidly closing the gap
where needed.
I know that CP has been moving in this direction for a while. It has
also been my experience that they have been moving at an appropriate
pace and the capabilities have been there when I've needed them.

One final statement. You do not need the firewall to log
content if you
have an IDS that you can trust will not have a direct impact on the
business should it be too critical of the data.

You can also have confidence in your firewall because your
IDS verifies
what you told the firewall to do and covers your arse when you let
something by because of business requirements or a human error.

Frank Knobbe wrote:

On Wed, 2003-08-27 at 18:36, Jason wrote:

Bob Walder wrote:

My 0.02 worth is that a Network IPS (NIPS) is a device with two
interfaces that operates in-line to detect suspicious traffic and
INSTANTLY discard the offending packet and the rest of

the suspicious

flow.


What we have here is a definition of an IPS that matches pretty
closely what firewalls have been able to do for some time.




Not quite. There are difference in the way firewalls and intrusion
detection systems analyze data. For example, I have not seen a
firewall that can identify a CodeRed attempt by name for example.
Yeah, you can block HTTP methods and put limiters on URL's

etc (you

mentioned CP as an example which can do that with HTTP

content stuff).

But I have not come across a firewall with a 'signature

set' like IDS'

have them......yet.

It is true that most firewalls are under-utilized. However, an IPS
(being based on an IDS) has capabilities beyond a firewall. Policy
violations (or network flow anomalies) can be detected by

firewalls

and cause some sort of reaction/enforcement (CP's SAM is

one example).

However, firewalls don't have statistical anomaly

detection like some

IDS' do.

Let's draft a matrix of capabilities:

Metric      |  Firewall      |  IDS           |  IPS
-----------------------------------------------------------
Signature   | Limited packet | Extensive      | See IDS
Analysis    | inspection     | signature sets |
            | due to lack of | allow wide     |
            | rule set defin.| pattern match  |
-----------------------------------------------------------
Protocol    | Mostly present | Present        | Present
validation  |                |                |
-----------------------------------------------------------
Traffic flow| Present, that's| Present        | Present
Anomaly Det.| what they do   |                | Present
-----------------------------------------------------------
Statisitcal | Absent         | Present        | Absent (???)
Anomaly Det.|                |                | (as of today)
-----------------------------------------------------------
Packet Log  | Logging mostly | capable of     | See IDS
            | high level     | logging content|
-----------------------------------------------------------
Protocol    | Present        | Absent         | Present
normalizat  |                |                |
ion         |                |                |
===========================================================
Activity    | Active         | Mostly Passive | Active


If someone wants to take this further, feel free. But as

you can see,

IPS and firewalls are not quite alike (but neither are IPS

and IDS! :)


Regards,
Frank





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--__--__--

Message: 8
Date: Thu, 28 Aug 2003 11:16:01 -0400
From: Brian <bmc () snort org>
To: Marc Quibell <mquibell () fbfs com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rules for detecting spyware

On Mon, Aug 11, 2003 at 09:54:49AM -0500, Marc Quibell wrote:

I've done a little checking, so far no luck. I wonder if it's possible

to setup

some Snort rules for detecting spyware data. I'll keep looking for the

actual

data content of such packets, but does anyone already have some rules?

TIA!

Sure its possible to detect spyware.  Do we do it currently?  Nope.  But

thats cause I don't have packet captures for it.  The easiest method for

finding packets is to install the spyware in question, then sit back
and watch.  :)

-brian


--__--__--

Message: 9
Date: Thu, 28 Aug 2003 11:24:15 -0400
From: Brian <bmc () snort org>
To: David <dwad24 () excite com>
Cc: snort-users () lists sourceforge net, rreid () 1800FLOWERS com
Subject: Re: [Snort-users] Microsoft DCOM RPC Worm Alert

On Tue, Aug 12, 2003 at 11:56:26AM -0400, David wrote:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
(msg:"DCE RPC Interface Buffer Overflow Exploit"; \
content:"|00 5C 00 5C|"; \
content:!"|5C|"; within:32;\
flow:to_server,established; \
reference:bugtraq,8205; rev: 1;)


This rule is easily evadable.

Sure, the vulnerability is predicated by an overly long path.  That 
doesn't mean the service validates the path before it attempts to deal
with it.  Take any of the exploits and change the path from 
\\[lotsocrap]\C$\123456111111111111111.doc to random crap and it will
still crash the service.

-brian


--__--__--

Message: 10
Reply-To: <gacunningham () bellsouth net>
From: "Gordon Cunningham" <gacunningham () bellsouth net>
To: "Mark Teicher" <mht3 () earthlink net>,
        "twig les" <twigles () yahoo com>,
        <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
Date: Thu, 28 Aug 2003 11:24:30 -0400

Ok, for me, IPS is a class of systems, not a single hardware device.  It
includes firewalls, routers, IDS and whatever convergence of those
systems
is seen.  Whether we include security policy in the definition, yes if
we
talk about a general enterprise system, no if we refer to hardware
devices.

Who coined the term and how do they define it?

- Gordon

"The software said it requires Windows 98 or better, so I installed
Linux..."

 -----Original Message-----
From:   snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]  On Behalf Of Mark
Teicher
Sent:   Thursday, August 28, 2003 12:23 AM
To:     twig les; snort-users () lists sourceforge net
Subject:        RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

I am still waiting for people on the list to detail what an IPS actually
is
and the underlying technology that makes it so attractive to large
enterprise entities

/mark

At 09:20 PM 8/27/2003, twig les wrote:

I agree with an early post on this thread that IPS is basically
a BS marketing term. A buzzword like "B2B". IPS is not a BS
*concept* but techs can not let marketing ppl define our lingo
(since they don't understand what they are describing) or we
risk mass confusion, which it seems is happening here. So IDS
and firewalls seem to be doing some overlapping functions, good,
I hope the functionality matures. But I think we should let the
Powerpoint brigade argue over what to call things in pamphlets.

It's been a long day so this may come across way more
offensive-sounding than I mean it.

--- Frank Knobbe <frank () knobbe us> wrote:

On Thu, 2003-08-28 at 01:46, Gordon Cunningham wrote:

Black Ice Defender did this a few years ago... based on

signatures, the

system could detect some attack types and automatically

react by preventing

access from the source IP or port for some period of time.



Right. But don't you consider BlackICE an IPS instead of a
firewall?

Regards,
Frank

ATTACHMENT part 2 application/pgp-signature name=signature.asc




=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: XML Plugins David Stubblefield (Nov 03)