Snort mailing list archives
Re: DPX starter kit output: No alert generated
From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Sat, 20 Oct 2018 18:08:13 +0000
Hey Russ,

Thank you very much, the patch worked! Sorry for the late reply. Yes I didn't build and install snort3_extra before, and it can alert tcp after installing the snort3_extra! Thank you very much for your help :)

    root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=8, max=0}; ips.enable_builtin_rules=true" --bpf "tcp port 8" -r test.pcap -A csv -q
    08/14-01:53:28.392198, 1, TCP, raw, 40, C2S, 10.1.2.3:12345, 10.9.8.7:8, 256:1:1, allow
    08/14-01:53:28.392324, 3, TCP, raw, 40, C2S, 10.4.5.6:12345, 10.9.8.7:8, 256:1:1, allow

Jianyu Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: 19 October 2018 13:36
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

On 10/19/18 5:38 AM, Jianyu Li via Snort-users wrote:

Hi Russ,

Thank you for providing the example patch! I will try to do the patch. But when I try to use dpx to alert on UDP, there is still no alerts generated:

I'm not seeing dpx listed in your startup output below. Did you build and install snort3_extra as well? dpx is in the extras as an example of building a dynamic plugin w/o changing or being part of snort3.

    root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=53, max=128}; ips.enable_builtin_rules=true" --bpf "udp port 53" -r /tmp/dns-zone-transfer-ixfr.cap -A csv -q

Then I changed the "dpx={port=53, max=128}" to "dpx={port=53, max=20}" because I think the packet's payload size is less than 128, so maybe I should set "max" to a lower value. But there is still no alert:

    root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=53, max=20}; ips.enable_builtin_rules=true" --bpf "udp port 53" -r /tmp/dns-zone-transfer-ixfr.cap -A csv -q

The pcap file I used is:

    root@ubuntu1:/home/ubuntu# tcpdump -vnr /tmp/dns-zone-transfer-ixfr.cap
    reading from file /tmp/dns-zone-transfer-ixfr.cap, link-type EN10MB (Ethernet)
    11:27:18.296576 IP (tos 0x0, ttl 128, id 245, offset 0, flags [none], proto UDP (17), length 115)
        1.1.1.2.1028 > 1.1.1.1.53: 16384 [1n] IXFR? etas.com. (87)
    11:27:18.297050 IP (tos 0x0, ttl 128, id 3537, offset 0, flags [none], proto UDP (17), length 243)
        1.1.1.1.53 > 1.1.1.2.1028: 16384 5/0/0 etas.com. SOA training2003p. hostmaster. 4 60 600 86400 3600, etas.com. SOA training2003p. hostmaster. 3 60 600 86400 3600, etas.com. SOA training2003p. hostmaster. 4 60 600 86400 3600, index.etas.com. A 1.1.1.100, etas.com. SOA training2003p. hostmaster. 4 60 600 86400 3600 (215)

Do you have any idea about this problem?

Thanks,
Jianyu Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: 19 October 2018 03:10
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

Hey Jianyu,

As written, the dpx example only alerts on UDP. If you want to alert on TCP, you will need to patch the code. Here is a patch that changes to TCP. If you save that to file you can do this in snort3_extra:

    $ patch -p 1 < dpx.diff

Hope that helps get you going.

Russ

diff --git a/src/inspectors/dpx/dpx.cc b/src/inspectors/dpx/dpx.cc index c3a541b..843bcfa 100644 --- a/src/inspectors/dpx/dpx.cc +++ b/src/inspectors/dpx/dpx.cc @@ -70,7 +70,7 @@ void Dpx::show(SnortConfig*) void Dpx::eval(Packet* p) { // precondition - what we registered for - assert(p->is_udp()); + assert(p->is_tcp()); if ( p->ptrs.dp == port && p->dsize > max ) DetectionEngine::queue_event(DPX_GID, DPX_SID); @@ -180,7 +180,7 @@ static const InspectApi dpx_api mod_dtor }, IT_NETWORK, - PROTO_BIT__UDP, + PROTO_BIT__TCP, nullptr, // buffers nullptr, // service nullptr, // pinit

On 10/18/18 6:06 PM, Jianyu Li via Snort-users wrote:

Hi Russ,

I don't understand clearly, do you mean the dpx example provided by Snort3 can only alert UDP packets? I changed the bpf from UDP to TCP because I would like to alert TCP packets. Do you know if there is any way I can do it?

Thanks,
Jianyu Li
________________________________
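Review bot: In the Dpx::eval hunk of the dpx.diff quoted above, the only protocol guard is `assert(p->is_tcp())`, which is compiled out when NDEBUG is defined, and its comment ("what we registered for") ties it to the PROTO_BIT__TCP line changed in the second hunk. The two lines have to be edited together every time the protocol changes; say so in the comment, or widen the assert to cover every protocol the inspector registers for, so a later change to the registration cannot leave a stale precondition behind.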
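Review bot: In the dpx_api hunk of the dpx.diff quoted above, replacing PROTO_BIT__UDP with PROTO_BIT__TCP turns the example from UDP-only into TCP-only, so a UDP configuration such as the port 53 case discussed in this thread stops alerting once the patch is applied. If both are wanted, consider making the protocol a module parameter next to `port` and `max`, or registering for both protocols with a matching precondition in Dpx::eval, rather than hard-coding the swap.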
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: 18 October 2018 22:42
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

Oops ... there's a copy/paste error. That bpf should be udp not tcp. The Snort 3 example just alerts on a UDP packet on the configured port with a length above the configured limit.

On 10/18/18 3:37 PM, Jianyu Li via Snort-users wrote:

Hi Russ,

Thank you very much for your reply! I tried the command you provided but there is no output:

    root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp port 8" -r test.pcap -A csv -q
    root@ubuntu1:/home/ubuntu#

The output without "-q" is as follows:

    root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp port 8" -r test.pcap -A csv
    --------------------------------------------------
    o")~ Snort++ 3.0.0-247
    --------------------------------------------------
    Loading /root/snort-3.0.0/etc/snort/snort.lua:
        ssh pop binder stream_tcp gtp_inspect dce_http_proxy stream_icmp normalizer ftp_server stream_udp dce_smb ips modbus rpc_decode latency wizard appid file_id ftp_data smtp back_orifice port_scan dce_http_server dce_tcp telnet ssl sip classifications http2_inspect http_inspect stream_user stream_ip dnp3 ftp_client stream references arp_spoof dns dce_udp imap stream_file
    Finished /root/snort-3.0.0/etc/snort/snort.lua.
    Loading builtin:
    Finished builtin.
    --------------------------------------------------
    rule counts
        total rules loaded: 471
        builtin rules: 471
        option chains: 471
        chain headers: 1
    --------------------------------------------------
    port rule counts
                 tcp     udp    icmp      ip
         any     471       0       0       0
       total     471       0       0       0
    Snort BPF option: tcp port 8
    --------------------------------------------------
    pcap DAQ configured to read-file.
    Commencing packet processing
    ++ [0] test.pcap
    -- [0] test.pcap
    --------------------------------------------------
    Packet Statistics
    --------------------------------------------------
    daq
        pcaps: 1
        received: 4
        analyzed: 4
        allow: 4
        rx_bytes: 216
    --------------------------------------------------
    codec
        total: 4 (100.000%)
        eth: 4 (100.000%)
        ipv4: 4 (100.000%)
        tcp: 4 (100.000%)
    --------------------------------------------------
    Module Statistics
    --------------------------------------------------
    detection
        analyzed: 4
    --------------------------------------------------
    appid
        packets: 4
        processed_packets: 2
        ignored_packets: 2
        total_sessions: 2
    --------------------------------------------------
    binder
        packets: 2
        inspects: 2
    --------------------------------------------------
    port_scan
        packets: 4
    --------------------------------------------------
    stream_tcp
        sessions: 2
        max: 2
        created: 2
        released: 2
        instantiated: 2
        setups: 2
        syn_ack_trackers: 2
        syn_acks: 2
    --------------------------------------------------
    latency
        total_packets: 4
        total_usecs: 123
        max_usecs: 67
    --------------------------------------------------
    stream
        tcp_flows: 2
    --------------------------------------------------
    Summary Statistics
    --------------------------------------------------
    timing
        runtime: 00:00:00
        seconds: 0.215936
        packets: 4
        pkts/sec: 4
    o")~ Snort exiting

I didn't find any information about dpx inspector in the output, do you think I need to enable when the configuration of snort? I followed the github readme to install snort3. https://github.com/snort3/snort3

The pcap file I used is:

    root@ubuntu1:/home/ubuntu# tcpdump -vr test.pcap
    reading from file test.pcap, link-type EN10MB (Ethernet)
    01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
        10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
    01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40)
        10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
    01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto TCP (6), length 40)
        10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
    01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto TCP (6), length 40)
        10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
    01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto TCP (6), length 40)
        10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
    01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto TCP (6), length 40)
        10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0

Thanks,
Jianyu Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: 17 October 2018 23:36
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

Hi - if you want to give Snort 3 a try instead, here is an example:

    $ src/snort --plugin-path install/lib -c install/etc/snort/snort.lua --lua "dpx = { port = 53, max = 128 }; ips.enable_builtin_rules = true" --bpf "udp port 53" -r test.pcap -A csv -q
    10/17-18:40:25.535685, 1, UDP, raw, 157, C2S, 10.1.2.3:48620, 10.9.8.7:53, 256:1:1, allow

On 10/17/18 5:45 PM, Jianyu Li via Snort-users wrote:

From: Snort-users <snort-users-bounces () lists snort org> on behalf of wkitty42--- via Snort-users <snort-users () lists snort org>
Sent: 17 October 2018 21:22
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated

On 10/17/18 4:07 PM, Jianyu Li via Snort-users wrote:
I followed the link below to build DPX. https://www.snort.org/documents/dpx-readme
But there is no alert generated in the output of ./test.sh I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.
i don't know anything about dpx but what are the four short rules and what traffic was sent to be analyzed? the output looks to have passed the traffic... it may be that you need to add "-k none" to your snort command line to ensure that checksums are ignored...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Hi wkitty42,

Thank you very much for your reply! I am new to snort. I tried to add the "-k none" in snort command line but it didn't work, there is still no alert in the output. The content of test.sh is:

    root@ubuntu3:~/dpx-1.7# cat test.sh
    #!/bin/bash
    if [ ! -e setup.sh ] ; then
        echo "ERROR: you must echo SNORT=/path/to/snort/dir > setup.sh first"
        exit -1
    fi
    . ./setup.sh
    export SNORT_PP_DEBUG=0x80000000
    $SNORT/src/snort -c test/snort.conf -A console:test -r test/test.pcap

So I think the test/snort.conf is used as the configuration file, the content of test/snort.conf is:

    root@ubuntu3:~/dpx-1.7/test# cat snort.conf
    # default configuration
    dynamicpreprocessor directory lib/snort_dynamicpreprocessor
    preprocessor dpx: port 8
    config binding: 10.1.conf net 10.1.0.0/16
    include rules.conf

But there are only two snort rules inside rules.conf, I am not sure why there are 4 snort rules showed in the result:

    root@ubuntu3:~/dpx-1.7/test# cat rules.conf
    #config autogenerate_preprocessor_decoder_rules
    alert ( msg:"tcp src port match"; gid:256; sid:1; )
    alert ( msg:"tcp dst port match"; gid:256; sid:2; )

The test/test.pcap was sent to be analyzed:

    root@ubuntu3:~/dpx-1.7/test# tcpdump -vr test.pcap
    reading from file test.pcap, link-type EN10MB (Ethernet)
    01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
        10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
    01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40)
        10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
    01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto TCP (6), length 40)
        10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
    01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto TCP (6), length 40)
        10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
    01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto TCP (6), length 40)
        10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
    01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto TCP (6), length 40)
        10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0

In my understanding, the DPX is a Dynamic Preprocessor Example, which can be downloaded from the snort website. I was trying to test the dynamic preprocessor example, the output should generate the alerts since the dpx preprocessor will listen on port 8 (according to the 3rd line of snort.conf file), and the tcpdump showed that some packets' ports are 8.

Thanks,
Jianyu Li
________________________________
From: Jianyu Li
Sent: 17 October 2018 21:07:21
To: snort-users () lists snort org
Subject: DPX starter kit output: No alert generated

Hi

I followed the link below to build DPX. https://www.snort.org/documents/dpx-readme

But there is no alert generated in the output of ./test.sh I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.

The following is the output of ./test.sh

    root@ubuntu3:~/dpx-1.7# ./test.sh
    Running in IDS mode
    --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "test/snort.conf"
    Tagged Packet Limit: 256
    Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
    Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libdpx.so... done
    Finished Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor
    Log directory = /var/log/snort
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    4 Snort rules read
        4 detection rules
        0 decoder rules
        0 preprocessor rules
    2 Option Chains linked into 2 Chain Headers
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    +-------------------[Rule Port Counts]---------------------------------------
    |             tcp     udp    icmp      ip
    |     src       0       0       0       0
    |     dst       0       0       0       0
    |     any       4       0       0       0
    |      nc       4       0       0       0
    |     s+d       0       0       0       0
    +----------------------------------------------------------------------------
    +-----------------------[detection-filter-config]------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[detection-filter-rules]-------------------------------
    | none
    -------------------------------------------------------------------------------
    +-----------------------[rate-filter-config]-----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[rate-filter-rules]------------------------------------
    | none
    -------------------------------------------------------------------------------
    +-----------------------[event-filter-config]----------------------------------
    | memory-cap : 1048576 bytes
    +-----------------------[event-filter-global]----------------------------------
    +-----------------------[event-filter-local]-----------------------------------
    | none
    +-----------------------[suppression]------------------------------------------
    | none
    -------------------------------------------------------------------------------
    Rule application order: pass->drop->sdrop->reject->alert->log
    Verifying Preprocessor Configurations!
    [ Port Based Pattern Matching Memory ]
    pcap DAQ configured to read-file.
    Acquiring network traffic from "test/test.pcap".
    Reload thread starting...
    Reload thread started, thread 0x7f2fb2e68700 (4175)
    --== Initialization Complete ==--
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.12 GRE (Build 325)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.8.1
               Using PCRE version: 8.39 2016-06-14
               Using ZLIB version: 1.2.11
               Preprocessor Object: dpx Version 1.6 <Build 1>
    Commencing packet processing (pid=4174)
    ===============================================================================
    Run time for packet processing was 0.302 seconds
    Snort processed 6 packets.
    Snort ran for 0 days 0 hours 0 minutes 0 seconds
    Pkts/sec: 6
    ===============================================================================
    Memory usage summary:
        Total non-mmapped bytes (arena): 4296704
        Bytes in mapped regions (hblkhd): 31576064
        Total allocated space (uordblks): 3490960
        Total free space (fordblks): 805744
        Topmost releasable block (keepcost): 659328
    ===============================================================================
    Packet I/O Totals:
        Received: 6
        Analyzed: 6 (100.000%)
        Dropped: 0 ( 0.000%)
        Filtered: 0 ( 0.000%)
        Outstanding: 0 ( 0.000%)
        Injected: 0
    ===============================================================================
    Breakdown by protocol (includes rebuilt packets):
        Eth: 6 (100.000%)
        VLAN: 0 ( 0.000%)
        IP4: 6 (100.000%)
        Frag: 0 ( 0.000%)
        ICMP: 0 ( 0.000%)
        UDP: 0 ( 0.000%)
        TCP: 6 (100.000%)
        IP6: 0 ( 0.000%)
        IP6 Ext: 0 ( 0.000%)
        IP6 Opts: 0 ( 0.000%)
        Frag6: 0 ( 0.000%)
        ICMP6: 0 ( 0.000%)
        UDP6: 0 ( 0.000%)
        TCP6: 0 ( 0.000%)
        Teredo: 0 ( 0.000%)
        ICMP-IP: 0 ( 0.000%)
        IP4/IP4: 0 ( 0.000%)
        IP4/IP6: 0 ( 0.000%)
        IP6/IP4: 0 ( 0.000%)
        IP6/IP6: 0 ( 0.000%)
        GRE: 0 ( 0.000%)
        GRE Eth: 0 ( 0.000%)
        GRE VLAN: 0 ( 0.000%)
        GRE IP4: 0 ( 0.000%)
        GRE IP6: 0 ( 0.000%)
        GRE IP6 Ext: 0 ( 0.000%)
        GRE PPTP: 0 ( 0.000%)
        GRE ARP: 0 ( 0.000%)
        GRE IPX: 0 ( 0.000%)
        GRE Loop: 0 ( 0.000%)
        MPLS: 0 ( 0.000%)
        ARP: 0 ( 0.000%)
        IPX: 0 ( 0.000%)
        Eth Loop: 0 ( 0.000%)
        Eth Disc: 0 ( 0.000%)
        IP4 Disc: 0 ( 0.000%)
        IP6 Disc: 0 ( 0.000%)
        TCP Disc: 0 ( 0.000%)
        UDP Disc: 0 ( 0.000%)
        ICMP Disc: 0 ( 0.000%)
        All Discard: 0 ( 0.000%)
        Other: 0 ( 0.000%)
        Bad Chk Sum: 0 ( 0.000%)
        Bad TTL: 0 ( 0.000%)
        S5 G 1: 0 ( 0.000%)
        S5 G 2: 0 ( 0.000%)
        Total: 6
    ===============================================================================
    Action Stats:
        Alerts: 0 ( 0.000%)
        Logged: 0 ( 0.000%)
        Passed: 0 ( 0.000%)
    Limits:
        Match: 0
        Queue: 0
        Log: 0
        Event: 0
        Alert: 0
    Verdicts:
        Allow: 6 (100.000%)
        Block: 0 ( 0.000%)
        Replace: 0 ( 0.000%)
        Whitelist: 0 ( 0.000%)
        Blacklist: 0 ( 0.000%)
        Ignore: 0 ( 0.000%)
        Retry: 0 ( 0.000%)
    ===============================================================================
    Snort exiting

I would be grateful if you can help me to find out the problem.

Thanks,
Jianyu Li
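Added example, not part of the original thread and not Snort project code: a Python check that parses Snort 3 `-A csv` output in the ten-column layout quoted in the messages above and reports whether the dpx event (rule id 256:1, as seen in the thread's alerts) fired for a given protocol and destination port. The column labels, function names and result strings are assumptions made for this example; the sample lines are the alert lines quoted in the thread.

```python
"""Check Snort 3 '-A csv' output for dpx alerts (added example)."""
import csv
import io
from dataclasses import dataclass

# Labels for the ten columns seen in the thread's CSV lines (assumed names).
FIELDS = ("timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
          "dir", "src_ap", "dst_ap", "rule", "action")

# The thread's dpx alerts all carry rule id 256:1:1 (gid:sid:rev).
DPX_GID, DPX_SID = 256, 1

# Sample input: alert lines copied from the messages above.
TCP_RUN = """\
08/14-01:53:28.392198, 1, TCP, raw, 40, C2S, 10.1.2.3:12345, 10.9.8.7:8, 256:1:1, allow
08/14-01:53:28.392324, 3, TCP, raw, 40, C2S, 10.4.5.6:12345, 10.9.8.7:8, 256:1:1, allow
"""
UDP_RUN = """\
10/17-18:40:25.535685, 1, UDP, raw, 157, C2S, 10.1.2.3:48620, 10.9.8.7:53, 256:1:1, allow
"""
NO_OUTPUT = ""  # what the run without snort3_extra printed under -q


@dataclass(frozen=True)
class Alert:
    pkt_num: int
    proto: str
    dst_port: int
    gid: int
    sid: int
    action: str


def parse_alerts(text):
    """Parse CSV alert lines; skip blank lines, reject malformed ones."""
    alerts = []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} "
                             f"fields, got {len(row)}")
        rec = dict(zip(FIELDS, (col.strip() for col in row)))
        gid, sid, _rev = (int(part) for part in rec["rule"].split(":"))
        # dst_ap is address:port; the port is the text after the last colon.
        dst_port = int(rec["dst_ap"].rsplit(":", 1)[1])
        alerts.append(Alert(int(rec["pkt_num"]), rec["proto"].upper(),
                            dst_port, gid, sid, rec["action"]))
    return alerts


def dpx_alerts(text, proto, port):
    """Return the dpx alerts for one protocol and destination port."""
    return [a for a in parse_alerts(text)
            if (a.gid, a.sid) == (DPX_GID, DPX_SID)
            and a.proto == proto.upper() and a.dst_port == port]


def diagnose(text, proto, port):
    """Classify a run as 'silent', 'fired' or 'no-match'."""
    if not parse_alerts(text):
        # Nothing alerted at all: check that the plugin is loaded and that
        # the inspector is registered for the protocol in the pcap.
        return "silent"
    return "fired" if dpx_alerts(text, proto, port) else "no-match"


if __name__ == "__main__":
    for name, run, proto, port in (("tcp/8", TCP_RUN, "tcp", 8),
                                   ("udp/53", UDP_RUN, "udp", 53),
                                   ("empty", NO_OUTPUT, "tcp", 8)):
        print(name, diagnose(run, proto, port))
```
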