snort-inline-users — The goal of this list is to help users debug/use snort_inline

Re: [Snort-inline-users] snort_inline and asymetric routing

[Will M. <wil...@gm...>]

Your functionality is greatly reduced as you are only seeing half of
the conversation.  Disable stream4 and stream4 reassembly and see if
you start to get alerts.

Regards,

Will

On 3/7/06, aria asadi <ari...@ya...> wrote:
>
> Hi ,
> Would you plz let me know if it's possible to use snort_inline as a IPS i=
n a
> network that use Asymetric routing ( my outoging traffic goes to internet
> from my router and comes back from my DVB system ) , I'd like to use
> snort_inline as bridging IPS between my DVB system and my local network t=
o
> capture incomming traffic and check it against  snort rules  .
> With Regards
>
>
>
>  ________________________________
>  Yahoo! Mail
>  Use Photomail to share photos without annoying attachments.
>
>

[Snort-inline-users] snort_inline and asymetric routing

[aria a. <ari...@ya...>]

Hi ,
  Would you plz let me know if it's possible to use snort_inline as a IPS in a network that use Asymetric routing ( my outoging traffic goes to internet from my router and comes back from my DVB system ) , I'd like to use snort_inline as bridging IPS between my DVB system and my local network to capture incomming traffic and check it against  snort rules  . 
  With Regards 
   

		
---------------------------------
 Yahoo! Mail
 Use Photomail to share photos without annoying attachments.

RE: [Snort-inline-users] fail open nic and snort inline?

[Cole <co...@op...>]

Guess its your lucky day.

Adlink Technology, adlinktech.com have fail over nics. They are based on the intel chipsets, and
they have 100mbit, as well as gigabit cards. They provide linux drivers in the form of a kernel
module if I remember correctly.

I have written FreeBSD binaries to open/failover/watchdog the cards.

PCI-8213/8214 == 100mbit card
8246 == Gigabit Card

Regards
/Cole 

-----Original Message-----
From: sno...@li...
[mailto:sno...@li...] On Behalf Of Javier Reyna Padilla
Sent: Monday, March 06, 2006 6:13 PM
To: Nick Rogness
Cc: Crayola; sno...@li...
Subject: Re: [Snort-inline-users] fail open nic and snort inline?

Nick Rogness wrote:
>> I would like to build a snort based IPS
>> solution but I cant seem to find a vendor who
>> sells fail open nics. Since snort would be inline,
>> I cant have it blocking my network connection if
>> the system fails, loses power, etc.
>>
>> I checked out bypass switches from Netoptics but I would
>> like something that can be installed directly in the PC.
>> A PCI nic basically.
>>
>>     
>
>   Run 2 snort_inline machines in parallel, using VRRP or CARP or some
> other virtual IP/cluster software.
>
>   It will probably be easier (and cheaper) than finding some crazy
> hardware solution.
>
>   


I don't think is a crazy hardware sollution, if he wants to build an ips 
solution, it is best a fail open NIC than an IPS cluster, upon 2 
solutions may work , the fail open nick, I think is the best, not crazy, 
but the best adapted.
> Nick Rogness <ni...@ro...>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>   



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-inline-users mailing list
Sno...@li...
https://lists.sourceforge.net/lists/listinfo/snort-inline-users

Re: [Snort-inline-users] snort_inline and queue problem

[Will M. <wil...@gm...>]

You say your routing is asymetric.... so you have multiple connections
to the internet and your snort_inline box is only seeing half of the
conversation.... Is that what you are saying?

Regards,

Will

On 3/7/06, aria asadi <ari...@ya...> wrote:
> I configured and ran a Snort_inline (  IPS , with 2 NIC in bridge
> mode )  which received my outging traffic to Internet( from my MS-ISA
> server which is acting as proxy server/NAT for my inside internet users )
> and now is working fine ,
> Now I trying to setup a new SNORT_Inline as IPS to place in my edge
> side of network for firewalling and Intrution Detection for the
> incomming traffic from Internet by my DVB system : in fact network diagra=
m
> is:
>    MY_MS-ISA----->SNORT-BOX----->Switch---->Cisco
> ROUTER----> INTERNET
>
> MY_ISA<-----MY_Switch<----MY_NEW_IPS<-----DVB_SYSTEM<----
> Incomming traffic
>
>    I've insrted the right setting as I did last time for the previous
> SNORT, also I used
>    ifconfig eth0 0.0.0.0 up -arp promisc
>    ifconfig eth0 0.0.0.0 up -arp promisc
>    brctl add br0
>    brctl addif eth0 up
>    brctl addif eth1 up
>    brctl stp br0 off
>    ifconfig br0 0.0.0.0 up -arp
>    and started snort with -Q -c ( my config file ) , but when I use:
>    iptables -A FORWARD -p udp -j ACCEPT
>    iptables -A INPUT -p icmp -j ACCEPT
>    iptables -A FORWARD -p tcp -j QUEUE
>    systems can't browse the web but can receive incomming icmp traffic
> which means that only tcp that gone to QUEUE has problem , what do u
> think about this ? ( as u see my routing is Asymetric ) ,( I've written :
> Home_NET [ my_IP_range] and EXTERNAL_NET any , also my checksum mode is n=
one
> )
>    thanx for your help in advance
>
>  ________________________________
>  Yahoo! Mail
>  Use Photomail to share photos without annoying attachments.
>
>
>

[Snort-inline-users] snort_inline and queue problem

[aria a. <ari...@ya...>]

I configured and ran a Snort_inline (  IPS , with 2 NIC in bridge 
mode )  which received my outging traffic to Internet( from my MS-ISA 
server which is acting as proxy server/NAT for my inside internet users ) 
and now is working fine , 
Now I trying to setup a new SNORT_Inline as IPS to place in my edge 
side of network for firewalling and Intrution Detection for the 
incomming traffic from Internet by my DVB system : in fact network diagram is:
   MY_MS-ISA----->SNORT-BOX----->Switch---->Cisco ROUTER----> INTERNET 
   MY_ISA<-----MY_Switch<----MY_NEW_IPS<-----DVB_SYSTEM<---- Incomming traffic 
    
   I've insrted the right setting as I did last time for the previous 
SNORT, also I used  
   ifconfig eth0 0.0.0.0 up -arp promisc
   ifconfig eth0 0.0.0.0 up -arp promisc
   brctl add br0
   brctl addif eth0 up
   brctl addif eth1 up
   brctl stp br0 off
   ifconfig br0 0.0.0.0 up -arp 
   and started snort with -Q -c ( my config file ) , but when I use:
   iptables -A FORWARD -p udp -j ACCEPT
   iptables -A INPUT -p icmp -j ACCEPT
   iptables -A FORWARD -p tcp -j QUEUE 
   systems can't browse the web but can receive incomming icmp traffic 
which means that only tcp that gone to QUEUE has problem , what do u 
think about this ? ( as u see my routing is Asymetric ) ,( I've written : 
Home_NET [ my_IP_range] and EXTERNAL_NET any , also my checksum mode is none )
   thanx for your help in advance           
			
---------------------------------
 Yahoo! Mail
 Use Photomail to share photos without annoying attachments.

Re: [Snort-inline-users] fail open nic and snort inline?

[Javier R. P. <jr...@on...>]

Nick Rogness wrote:
>> I would like to build a snort based IPS
>> solution but I cant seem to find a vendor who
>> sells fail open nics. Since snort would be inline,
>> I cant have it blocking my network connection if
>> the system fails, loses power, etc.
>>
>> I checked out bypass switches from Netoptics but I would
>> like something that can be installed directly in the PC.
>> A PCI nic basically.
>>
>>     
>
>   Run 2 snort_inline machines in parallel, using VRRP or CARP or some
> other virtual IP/cluster software.
>
>   It will probably be easier (and cheaper) than finding some crazy
> hardware solution.
>
>   


I don't think is a crazy hardware sollution, if he wants to build an ips 
solution, it is best a fail open NIC than an IPS cluster, upon 2 
solutions may work , the fail open nick, I think is the best, not crazy, 
but the best adapted.
> Nick Rogness <ni...@ro...>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>   

Re: [Snort-inline-users] fail open nic and snort inline?

[Nick R. <ni...@ro...>]

> I would like to build a snort based IPS
> solution but I cant seem to find a vendor who
> sells fail open nics. Since snort would be inline,
> I cant have it blocking my network connection if
> the system fails, loses power, etc.
>
> I checked out bypass switches from Netoptics but I would
> like something that can be installed directly in the PC.
> A PCI nic basically.
>

  Run 2 snort_inline machines in parallel, using VRRP or CARP or some
other virtual IP/cluster software.

  It will probably be easier (and cheaper) than finding some crazy
hardware solution.

Nick Rogness <ni...@ro...>

[Snort-inline-users] fail open nic and snort inline?

[Crayola <cr...@op...>]

I would like to build a snort based IPS 
solution but I cant seem to find a vendor who 
sells fail open nics. Since snort would be inline, 
I cant have it blocking my network connection if 
the system fails, loses power, etc. 

I checked out bypass switches from Netoptics but I would 
like something that can be installed directly in the PC. 
A PCI nic basically. 

Any ideas? 

Thanks, 
Mike

[Snort-inline-users] Re: snort_inline / bridge mode / iptables

[Will M. <wil...@gm...>]

This setup should work fine, if you tail -f snort_inline-fast do you
see all of your traffic being dropped due to a sig firing?  try
setting cheksum mode to none in your snort_inline.conf, depending on
what kernel you are running compiler optimizations can mess this up
and cause snort/snort_inline to view all packets as having bad
checksums.  what does your snort_inline.conf look like?

Regards,

Will

On 3/1/06, aria asadi <ari...@ya...> wrote:
> Hello ,
>   I've started snort_inline( function in bridge mode with 2 NICs and br0
> ,all with no Ip adress ) with -Q options and my default iptables policy f=
or
> all chain are : ACCEPT , the problem is that when I send traffic from my
> MS-ISA proxy server to my Snort-BOX
>   using : iptables -A FORWARD -j QUEUE , users can't see Internet but whe=
n I
> use:
>   iptables -A FORWARD -p tcp  --dport 80 all users can see internet , I u=
sed
> :
>   iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 53 -j ACCEPT
>   iptables -A FORWARD -p udp -s 0/0 --sport 53  -j ACCEPT
>   iptables -A FORWARD -p tcp -j QUEUE
>   iptables -A FORWATD -p icmp -j QUEUE
>   after that all users can see Internet , the question why I need to to t=
hat
> ( notice that my iptbales defauly policy is : ACCEPT ) ?
>   also when I want to ping Internet I can't ping ouside ( although in my
> snort rules I've not any rule to block icmp connection ) , would you plz
> help me what is the problem ?
>   I think when I use : iptables -A FORWARD -j QUEUE it must work !
>   the network diagram is :
>     My_ISA SERVER------------>SNORT_INLINE_BOX------------>INTERNET
>
>   thanx in advance
>
>
> =09=09
> ---------------------------------
> Yahoo! Mail
> Bring photos to life! New PhotoMail  makes sharing a breeze.
>

[Snort-inline-users] snort_inline / bridge mode / iptables

[aria a. <ari...@ya...>]

Hello ,
  I've started snort_inline( function in bridge mode with 2 NICs and br0 ,all with no Ip adress ) with -Q options and my default iptables policy for all chain are : ACCEPT , the problem is that when I send traffic from my MS-ISA proxy server to my Snort-BOX
  using : iptables -A FORWARD -j QUEUE , users can't see Internet but when I use: 
  iptables -A FORWARD -p tcp  --dport 80 all users can see internet , I used :
  iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 53 -j ACCEPT 
  iptables -A FORWARD -p udp -s 0/0 --sport 53  -j ACCEPT 
  iptables -A FORWARD -p tcp -j QUEUE 
  iptables -A FORWATD -p icmp -j QUEUE
  after that all users can see Internet , the question why I need to to that ( notice that my iptbales defauly policy is : ACCEPT ) ?
  also when I want to ping Internet I can't ping ouside ( although in my snort rules I've not any rule to block icmp connection ) , would you plz help me what is the problem ? 
  I think when I use : iptables -A FORWARD -j QUEUE it must work ! 
  the network diagram is :
    My_ISA SERVER------------>SNORT_INLINE_BOX------------>INTERNET 
   
  thanx in advance 
   

		
---------------------------------
 Yahoo! Mail
 Use Photomail to share photos without annoying attachments.

[Snort-inline-users] snort_inline / bridge mode / iptables

[aria a. <ari...@ya...>]

Hello ,
  I've started snort_inline( function in bridge mode with 2 NICs and br0 ,all with no Ip adress ) with -Q options and my default iptables policy for all chain are : ACCEPT , the problem is that when I send traffic from my MS-ISA proxy server to my Snort-BOX
  using : iptables -A FORWARD -j QUEUE , users can't see Internet but when I use: 
  iptables -A FORWARD -p tcp  --dport 80 all users can see internet , I used :
  iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 53 -j ACCEPT 
  iptables -A FORWARD -p udp -s 0/0 --sport 53  -j ACCEPT 
  iptables -A FORWARD -p tcp -j QUEUE 
  iptables -A FORWATD -p icmp -j QUEUE
  after that all users can see Internet , the question why I need to to that ( notice that my iptbales defauly policy is : ACCEPT ) ?
  also when I want to ping Internet I can't ping ouside ( although in my snort rules I've not any rule to block icmp connection ) , would you plz help me what is the problem ? 
  I think when I use : iptables -A FORWARD -j QUEUE it must work ! 
  the network diagram is :
    My_ISA SERVER------------>SNORT_INLINE_BOX------------>INTERNET 
   
  thanx in advance 
   

		
---------------------------------
Yahoo! Mail
Bring photos to life! New PhotoMail  makes sharing a breeze. 

Re: [Snort-inline-users] Query

[Murali R. <pro...@gm...>]

U25vcnRfaW5saW5lIGlzIHByb2JhYmx5IG5vdCB3aGF0IHlvdSBhcmUgbG9va2luZyBmb3IuIFBl
cmhhcHMgdGFrZSBhCmxvb2sgYXQgc2V0dGluZyB1cCBTU0ggdHVuIChPcGVuU1NIIDQuMykgYW5k
IGFsc28gdXNlIHRoZSBzc2ggLUMgZm9yCmNvbXByZXNzaW9uPwoKaHR0cDovL3d3dy5vcGVuYnNk
Lm9yZy9jZ2ktYmluL21hbi5jZ2k/cXVlcnk9c3NoZCZhcHJvcG9zPTAmc2VrdGlvbj0wJm1hbnBh
dGg9T3BlbkJTRCtDdXJyZW50JmFyY2g9aTM4NiZmb3JtYXQ9aHRtbAoKaHR0cDovL3d3dy5vcGVu
YnNkLm9yZy9jZ2ktYmluL21hbi5jZ2k/cXVlcnk9c3NoJmFwcm9wb3M9MCZzZWt0aW9uPTAmbWFu
cGF0aD1PcGVuQlNEK0N1cnJlbnQmYXJjaD1pMzg2JmZvcm1hdD1odG1sCgpSZWdhcmRzLAoKX1Jh
anUKCk9uIDIvMTYvMDYsIGFwYXJuYSBtaXNyaSA8YXBhcm5hbWlzcmkwNUB5YWhvby5jby5pbj4g
d3JvdGU6Cj4gaGVsbG8gLAo+ICAgSSBhbSBkb2luZyBhIHNtYWxsIHByb2plY3QgaW4gbmV0d29y
a2luZyAuIEkgd2FudCB0bwo+IGNvbXByZXNzIHBhY2tldHMgYXQgc2VydmVyIHNpZGUgYW5kIHRo
ZW4gc2VuZCBpdCB0bwo+IHRoZSByZWNlaXZlciB3aGVyZSBpdCB3aWxsIGJlIGRlY29tcHJlc3Nl
ZC5NeSBwcm9ibGVtCj4gaXMgd2hlcmUgdG8gY2FwdHVyZSBwYWNrZXRzIGFuZCBtb2RpZnkgaXQu
U25vcnQgaGVscHMKPiBpbiBjYXB0dXJpbmcgcGFja2V0cyBidXQgZG9lcyBpdCBzdXBwb3J0IGFu
eSBmZWF0dXJlCj4gdGhhdCBhbGxvd3MgbWUgdG8gY2hhbmdlIGNvbnRlbnRzIG9mIHBhY2tldHMu
Cj4KPiBJIGFtIHJlYWxseSBzdHVjayB1cCBhdCB0aGlzIHBvaW50IC5BbnkgaGVscCB3aWxsIGJl
Cj4gYXBwcmVjaWF0ZWQuCj4KPiBUaGFua3MuCj4KPgo+Cj4gX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwo+IFlhaG9vISBJbmRpYSBNYXRy
aW1vbnk6IEZpbmQgeW91ciBwYXJ0bmVyIG5vdy4gR28gdG8gaHR0cDovL3lhaG9vLnNoYWFkaS5j
b20KPgo+Cj4gLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLQo+IFRoaXMgU0YubmV0IGVtYWlsIGlzIHNwb25zb3JlZCBieTogU3BsdW5rIEluYy4g
RG8geW91IGdyZXAgdGhyb3VnaCBsb2cgZmlsZXMKPiBmb3IgcHJvYmxlbXM/ICBTdG9wISAgRG93
bmxvYWQgdGhlIG5ldyBBSkFYIHNlYXJjaCBlbmdpbmUgdGhhdCBtYWtlcwo+IHNlYXJjaGluZyB5
b3VyIGxvZyBmaWxlcyBhcyBlYXN5IGFzIHN1cmZpbmcgdGhlICB3ZWIuICBET1dOTE9BRCBTUExV
TkshCj4gaHR0cDovL3NlbC5hcy11cy5mYWxrYWcubmV0L3NlbD9jbWQ9bG5rJmtpZD0xMDM0MzIm
YmlkPTIzMDQ4NiZkYXQ9MTIxNjQyCj4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX18KPiBTbm9ydC1pbmxpbmUtdXNlcnMgbWFpbGluZyBsaXN0Cj4gU25vcnQt
aW5saW5lLXVzZXJzQGxpc3RzLnNvdXJjZWZvcmdlLm5ldAo+IGh0dHBzOi8vbGlzdHMuc291cmNl
Zm9yZ2UubmV0L2xpc3RzL2xpc3RpbmZvL3Nub3J0LWlubGluZS11c2Vycwo+CgoKLS0KTWF5IHRo
ZSBwYWNrZXRzIGJlIHdpdGggeW91Lgo=

Re: [Snort-inline-users] Query

[C.G.Senthilkumar. <che...@cs...>]

Would using a firewall like iptables or ipfw help? You could
divert packets to a user process, modify and re-inject it.

For effeciency purposes, one could directly make use of the
netfilter's libipt. Would this help?

My 2 cents.
Senthil.

On Fri, 17 Feb 2006, Nick Rogness wrote:

>
>> hello ,
>>   I am doing a small project in networking . I want to
>> compress packets at server side and then send it to
>> the receiver where it will be decompressed.My problem
>> is where to capture packets and modify it.Snort helps
>> in capturing packets but does it support any feature
>> that allows me to change contents of packets.
>>
>> I am really stuck up at this point .Any help will be
>> appreciated.
>>
>
>  Snort_inline is not built for this type of functionality.  Even if you
> did add a compression plugin, you would be disappointed in the speed due
> to the overhead.  You should be using client-server model software for
> something like this.  I would suggest:
>
>  - Build a kernel module (like Netgraph)
>  - Modify a tunnelling technology like GRE/IPIP
>  - Look for existing apps that already do this (search google).
>
> FWIW,
>
> Nick Rogness <ni...@ro...>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>

-- 
Today's fortune:
If the automobile had followed the same development as the computer, a
Rolls-Royce would today cost $100, get a million miles per per gallon,
and explode once a year killing everyone inside.
 		-- Robert Cringely, InfoWorld

Re: [Snort-inline-users] Query

[Nick R. <ni...@ro...>]

> hello ,
>   I am doing a small project in networking . I want to
> compress packets at server side and then send it to
> the receiver where it will be decompressed.My problem
> is where to capture packets and modify it.Snort helps
> in capturing packets but does it support any feature
> that allows me to change contents of packets.
>
> I am really stuck up at this point .Any help will be
> appreciated.
>

  Snort_inline is not built for this type of functionality.  Even if you
did add a compression plugin, you would be disappointed in the speed due
to the overhead.  You should be using client-server model software for
something like this.  I would suggest:

  - Build a kernel module (like Netgraph)
  - Modify a tunnelling technology like GRE/IPIP
  - Look for existing apps that already do this (search google).

FWIW,

Nick Rogness <ni...@ro...>

Re: [Snort-inline-users] Query

[Will M. <wil...@gm...>]

Ummmm you can replace payload contents (see the README.INLINE) but the
p->dsize has to be the same as the original packet, so I don't think
this is going to help you at all.

Regards,

Will

On 2/16/06, aparna misri <apa...@ya...> wrote:
> hello ,
>   I am doing a small project in networking . I want to
> compress packets at server side and then send it to
> the receiver where it will be decompressed.My problem
> is where to capture packets and modify it.Snort helps
> in capturing packets but does it support any feature
> that allows me to change contents of packets.
>
> I am really stuck up at this point .Any help will be
> appreciated.
>
> Thanks.
>
>
>
> __________________________________________________________
> Yahoo! India Matrimony: Find your partner now. Go to http://yahoo.shaadi.=
com
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log fi=
les
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D103432&bid=3D230486&dat=
=3D121642
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>

[Snort-inline-users] Query

[aparna m. <apa...@ya...>]

hello ,
  I am doing a small project in networking . I want to
compress packets at server side and then send it to
the receiver where it will be decompressed.My problem
is where to capture packets and modify it.Snort helps
in capturing packets but does it support any feature
that allows me to change contents of packets.

I am really stuck up at this point .Any help will be
appreciated.

Thanks.


		
__________________________________________________________ 
Yahoo! India Matrimony: Find your partner now. Go to http://yahoo.shaadi.com

[Snort-inline-users] Clamav only

[Mohamed B. <mb...@gm...>]

Hello,

Is it possible to use the patch clam-only without activating the
inline mode for the detection of virus with snort (IDS mode) ?

Sincerly.

Re: [Snort-inline-users] Re: Snort-inline-users digest, Vol 1 #463 - 2 msgs

[Nick R. <ni...@ro...>]

>
> On 29/01/2006, at 3:42 PM, Will Metcalf <wil...@gm...>
> wrote:
>
>> List,
>>
>> I have posted snort_inline-2.4.3 to sourceforge, this release fixes an
>> issue with Bait-and-Switch and thresholding/flowbits.  Nick also added
>> some code for Reinjecting packets via IPFW.  Pending no serious
>> issues, this will probably be what we relase as snort_inline-2.4.3
>> final.  Please test it out and let us know.  Sorry if it is taking
>> while for me to respond to some of you, I have been super busy at work
>> lately.
>>
>> Regards,
>>
>> Will
>>
>> http://snort-inline.sourceforge.net/download.html
>
> Does the "reinjecting packets via IPFW" mean that it will now work on
> Mac OS X? If so you will have another person to test this version!
>

   No, not yet.  I am working on Mac OS X and will likely be a patched
version of 2.4.3.  If anyone has SSH access to a Mac that I can build
on, it would speed this process along.  Email me privately at
ni...@ro... if will let me use your machine to test on.


Nick Rogness <ni...@ro...>

[Snort-inline-users] Re: Snort-inline-users digest, Vol 1 #463 - 2 msgs

[James B. <jl...@bo...>]

On 29/01/2006, at 3:42 PM, Will Metcalf <wil...@gm...>  
wrote:

> List,
>
> I have posted snort_inline-2.4.3 to sourceforge, this release fixes an
> issue with Bait-and-Switch and thresholding/flowbits.  Nick also added
> some code for Reinjecting packets via IPFW.  Pending no serious
> issues, this will probably be what we relase as snort_inline-2.4.3
> final.  Please test it out and let us know.  Sorry if it is taking
> while for me to respond to some of you, I have been super busy at work
> lately.
>
> Regards,
>
> Will
>
> http://snort-inline.sourceforge.net/download.html

Does the "reinjecting packets via IPFW" mean that it will now work on  
Mac OS X? If so you will have another person to test this version!

Regards,

James.

[Snort-inline-users] Re: New Release

[Will M. <wil...@gm...>]

Sorry that is snort_inline-2.4.3-RC4.....  I'm sleepy....

Regards,

Will

On 1/28/06, Will Metcalf <wil...@gm...> wrote:
> List,
>
> I have posted snort_inline-2.4.3 to sourceforge, this release fixes an
> issue with Bait-and-Switch and thresholding/flowbits.  Nick also added
> some code for Reinjecting packets via IPFW.  Pending no serious
> issues, this will probably be what we relase as snort_inline-2.4.3
> final.  Please test it out and let us know.  Sorry if it is taking
> while for me to respond to some of you, I have been super busy at work
> lately.
>
> Regards,
>
> Will
>
> http://snort-inline.sourceforge.net/download.html
>

[Snort-inline-users] New Release

[Will M. <wil...@gm...>]

List,

I have posted snort_inline-2.4.3 to sourceforge, this release fixes an
issue with Bait-and-Switch and thresholding/flowbits.  Nick also added
some code for Reinjecting packets via IPFW.  Pending no serious
issues, this will probably be what we relase as snort_inline-2.4.3
final.  Please test it out and let us know.  Sorry if it is taking
while for me to respond to some of you, I have been super busy at work
lately.

Regards,

Will

http://snort-inline.sourceforge.net/download.html

[Snort-inline-users] Snort-inline : Received error message 22

[Puce X. <puc...@so...>]

Hi, 

I m using snort-inline-2.3.3-2, running on Mandriva 2006.
I'm using shorewall too.

I've setup snort-inline, in a good way (i hope).

But when i'm trying to use snort-inline , i get an error message : Received
error message 22.
I tried to find some help on google news, but no one seems already had my
issue.

When i try to surf on a web page, i can see snort gets packets from iptable,
but i can't go through.

Hope someone will be able to help me to find why i get this error

Cheers

Alain 


-----


Here is a sample 

snort-inline -c snort.conf -Q -N -l /tmp/ -t /tmp/ -v

 ......
Rule application order:
->activation->dynamic->drop->sdrop->reject->alert->pass->log
Log directory = /tmp/

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.3 (Build 14)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.


Received error message 22
01/27-09:30:41.110628 192.168.14.161:49561 -> 213.246.37.27:80
TCP TTL:63 TOS:0x0 ID:10420 IpLen:20 DgmLen:60 DF
******S* Seq: 0x583A09CC  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1985500894 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[Snort-inline-users] Forwarding an Alert Based on no of Packets

[Roopesh U <gun...@re...>]

  =0AHi ,=0A     is there a way to Forward an Alert (Using SnortSam,Syslog.=
.etc ) based on the number of Alert Generated ?=0A=0AWhat i need is to Forw=
ard an Alert to one System if snort receives a Single Packet and Forward an=
 Alert to Another Different System if i receive another Packet from the Sam=
e Source ?=0A=0Ais it Possible to Do this ?=0Aits been a month since iam tr=
ying but no luck ... :( =0A

Re: [Snort-inline-users] flag on number of packets in period of time

[Ken G. <ken...@ro...>]

Thanks, that is exactly what I'm looking for. I'll just edit it to =20
reflect a drop and hope that it works in Snort-Inline.


On Jan 24, 2006, at 4:21 PM, Norwich University Information Security =20
Department wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> Isn't this typical signature thresholding?
>
> http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node22.html
>
> - -----Original Message-----
> From: sno...@li... [mailto:snort-=20
> inl...@li...] On Behalf Of Ken Garland
> Sent: Tuesday, January 24, 2006 2:51 PM
> To: Will Metcalf
> Cc: sno...@li...
> Subject: Re: [Snort-inline-users] flag on number of packets in =20
> period of time
>
> My apologies, I found Sticky-Drop in the README.INLINE file, =20
> unfortunately according to the document this will not do what I"m =20
> requesting. This says it is for dropping a host for a certain =20
> amount of time.
>
> An example scenario of what I would like to see happen in my rule =20
> is an intruder's actions match a rule and the rule counts the times =20=

> this rule has been matched for the intruder's IP address, if it =20
> matches X times in Y minutes then another action will be applied. =20
> If Y time expires and X times have not been matched in Y time then =20
> the rule does nothing.
>
>
> On Jan 24, 2006, at 2:25 PM, Ken Garland wrote:
>
>> Would you happen to have an example or link of examples for such a
>> rule?
>>
>> thanks!
>>
>> On Jan 24, 2006, at 1:45 PM, Will Metcalf wrote:
>>
>>> yeah you can use sticky drop and the rule language to accomplish
>>> this.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On 1/24/06, Ken Garland <ken...@ro...> wrote:
>>>> Is there a snort rule that will only flag after a certain number of
>>>> packets in a given period of time?
>>>>
>>>> if 55 packets are seen from ip x.x.x.x on this port within 5 =20
>>>> minutes
>>>> then drop all from ip x.x.x.x
>>>>
>>>> or something to that effect?
>>>>
>>>>
>>>> -------------------------------------------------------
>>>> This SF.net email is sponsored by: Splunk Inc. Do you grep through
>>>> log files for problems?  Stop!  Download the new AJAX search engine
>>>> that makes searching your log files as easy as surfing the  web.
>>>> DOWNLOAD SPLUNK!
>>>> http://sel.as-us.falkag.net/sel?
>>>> cmd=3Dlnk&kid=3D103432&bid=3D230486&dat=3D121642
>>>> _______________________________________________
>>>> Snort-inline-users mailing list
>>>> Sno...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>>>
>>>
>>>
>>> -------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc. Do you grep through
>>> log files for problems?  Stop!  Download the new AJAX search engine
>>> that makes searching your log files as easy as surfing the  web.
>>> DOWNLOAD SPLUNK!
>>> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=103432&bid#0486&dat=1216=
42
>>> _______________________________________________
>>> Snort-inline-users mailing list
>>> Sno...@li...
>>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>
>>
>>
>> -------------------------------------------------------
>> This SF.net email is sponsored by: Splunk Inc. Do you grep through =20=

>> log
>> files for problems?  Stop!  Download the new AJAX search engine that
>> makes searching your log files as easy as surfing the  web.  DOWNLOAD
>> SPLUNK!
>> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=103432&bid#0486&dat=12164=
2
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
>
>
> - -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through =20
> log files for problems?  Stop!  Download the new AJAX search engine =20=

> that makes searching your log files as easy as surfing the  web.  =20
> DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=3Dk&kid=103432&bid#0486&dat=121642
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.4 (Build 4042)
> Comment: To download this public key go to https://pgp.norwich.edu or
> add ldaps://pgp.norwich.edu:636 to your list of keyservers.
>
> iQIVAwUBQ9aaTco94u0NnYKdAQjudRAAtAXeAUd7qBkJPDJ4I9xRT5P7ciB8X+UE
> TTPq6kRjDpJNmKvkrfP52x+2LM6melskLF1VUX744WMBLEorccjt/fe0vA7uphVN
> EfakXbo1MgtYVoSnmK2AXAneBISSF4/YYPNYDvOi37m2ebzCsiu59tl3eWKw1NhW
> rxaZ2V+YYz73Jn3TjUlxT3jaII64H5SaFX3kqad/1gv1BLnDgCCL7I/xabG/+ukG
> T5R6Pe1TNSQQBSbe1ySSxHqa3S8QuTz8PAwKLxV1MQOiev6WFiSrAAtINUpiptV6
> 1f9qd6A0rCzhrTIfmz6pMYsVAcaWVO2mB52+62maoHDFs90ENo8ZOrbPWoU0xFHD
> cKY9m+4JzQWultt+7WX/M19qK+TsalqQN1KUfTQ3IWF3y0meibfxjrGYcvWIz4Xb
> LSvi+gMURZswVDoMnEpxOF0v0sFHDDbv72P2KiAVQUbkqLBWLxIsl5et3J0INTFu
> 6JPjQKkbjN/wplpu0MBWT4Sv1mpypfibMmBuKn6JChC63kxqtU2D75t0d076KLJo
> Uq8XvOBtfUZP/KmieO9u39LUcPEomczKyRvLN+GY33eGiYn3A6H9lPM44XuLpSPD
> n2h6he8nbusBHNvrHD/1WYP4woBlF2CosKHNBNEplJ60rCKxx4RrF04K8nFwbbv2
> YaiQ0GZYd2A=3D
> =3DpstK
> -----END PGP SIGNATURE-----
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through =20
> log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD =20
> SPLUNK!
> http://sel.as-us.falkag.net/sel?=20
> cmd=3Dlnk&kid=3D103432&bid=3D230486&dat=3D121642
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>

RE: [Snort-inline-users] flag on number of packets in period of time

[Norwich U. I. S. D. <in...@no...>]

LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQ0KSGFzaDogU0hBMjU2DQoNCiANCklz
bid0IHRoaXMgdHlwaWNhbCBzaWduYXR1cmUgdGhyZXNob2xkaW5nPw0KDQpodHRwOi8vd3d3LnNu
b3J0Lm9yZy9kb2NzL3Nub3J0X2h0bWFudWFscy9odG1hbnVhbF8yLjQvbm9kZTIyLmh0bWwNCiAN
Ci0gLS0tLS1PcmlnaW5hbCBNZXNzYWdlLS0tLS0NCkZyb206IHNub3J0LWlubGluZS11c2Vycy1h
ZG1pbkBsaXN0cy5zb3VyY2Vmb3JnZS5uZXQgW21haWx0bzpzbm9ydC1pbmxpbmUtdXNlcnMtYWRt
aW5AbGlzdHMuc291cmNlZm9yZ2UubmV0XSBPbiBCZWhhbGYgT2YgS2VuIEdhcmxhbmQNClNlbnQ6
IFR1ZXNkYXksIEphbnVhcnkgMjQsIDIwMDYgMjo1MSBQTQ0KVG86IFdpbGwgTWV0Y2FsZg0KQ2M6
IHNub3J0LWlubGluZS11c2Vyc0BsaXN0cy5zb3VyY2Vmb3JnZS5uZXQNClN1YmplY3Q6IFJlOiBb
U25vcnQtaW5saW5lLXVzZXJzXSBmbGFnIG9uIG51bWJlciBvZiBwYWNrZXRzIGluIHBlcmlvZCBv
ZiB0aW1lDQoNCk15IGFwb2xvZ2llcywgSSBmb3VuZCBTdGlja3ktRHJvcCBpbiB0aGUgUkVBRE1F
LklOTElORSBmaWxlLCB1bmZvcnR1bmF0ZWx5IGFjY29yZGluZyB0byB0aGUgZG9jdW1lbnQgdGhp
cyB3aWxsIG5vdCBkbyB3aGF0IEkibSByZXF1ZXN0aW5nLiBUaGlzIHNheXMgaXQgaXMgZm9yIGRy
b3BwaW5nIGEgaG9zdCBmb3IgYSBjZXJ0YWluIGFtb3VudCBvZiB0aW1lLg0KDQpBbiBleGFtcGxl
IHNjZW5hcmlvIG9mIHdoYXQgSSB3b3VsZCBsaWtlIHRvIHNlZSBoYXBwZW4gaW4gbXkgcnVsZSBp
cyBhbiBpbnRydWRlcidzIGFjdGlvbnMgbWF0Y2ggYSBydWxlIGFuZCB0aGUgcnVsZSBjb3VudHMg
dGhlIHRpbWVzIHRoaXMgcnVsZSBoYXMgYmVlbiBtYXRjaGVkIGZvciB0aGUgaW50cnVkZXIncyBJ
UCBhZGRyZXNzLCBpZiBpdCBtYXRjaGVzIFggdGltZXMgaW4gWSBtaW51dGVzIHRoZW4gYW5vdGhl
ciBhY3Rpb24gd2lsbCBiZSBhcHBsaWVkLiBJZiBZIHRpbWUgZXhwaXJlcyBhbmQgWCB0aW1lcyBo
YXZlIG5vdCBiZWVuIG1hdGNoZWQgaW4gWSB0aW1lIHRoZW4gdGhlIHJ1bGUgZG9lcyBub3RoaW5n
Lg0KDQoNCk9uIEphbiAyNCwgMjAwNiwgYXQgMjoyNSBQTSwgS2VuIEdhcmxhbmQgd3JvdGU6DQoN
Cj4gV291bGQgeW91IGhhcHBlbiB0byBoYXZlIGFuIGV4YW1wbGUgb3IgbGluayBvZiBleGFtcGxl
cyBmb3Igc3VjaCBhIA0KPiBydWxlPw0KPg0KPiB0aGFua3MhDQo+DQo+IE9uIEphbiAyNCwgMjAw
NiwgYXQgMTo0NSBQTSwgV2lsbCBNZXRjYWxmIHdyb3RlOg0KPg0KPj4geWVhaCB5b3UgY2FuIHVz
ZSBzdGlja3kgZHJvcCBhbmQgdGhlIHJ1bGUgbGFuZ3VhZ2UgdG8gYWNjb21wbGlzaCANCj4+IHRo
aXMuDQo+Pg0KPj4gUmVnYXJkcywNCj4+DQo+PiBXaWxsDQo+Pg0KPj4gT24gMS8yNC8wNiwgS2Vu
IEdhcmxhbmQgPGtlbm5ldGguZ2FybGFuZEByb3RlY2guY29tPiB3cm90ZToNCj4+PiBJcyB0aGVy
ZSBhIHNub3J0IHJ1bGUgdGhhdCB3aWxsIG9ubHkgZmxhZyBhZnRlciBhIGNlcnRhaW4gbnVtYmVy
IG9mIA0KPj4+IHBhY2tldHMgaW4gYSBnaXZlbiBwZXJpb2Qgb2YgdGltZT8NCj4+Pg0KPj4+IGlm
IDU1IHBhY2tldHMgYXJlIHNlZW4gZnJvbSBpcCB4LngueC54IG9uIHRoaXMgcG9ydCB3aXRoaW4g
NSBtaW51dGVzIA0KPj4+IHRoZW4gZHJvcCBhbGwgZnJvbSBpcCB4LngueC54DQo+Pj4NCj4+PiBv
ciBzb21ldGhpbmcgdG8gdGhhdCBlZmZlY3Q/DQo+Pj4NCj4+Pg0KPj4+IC0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCj4+PiBUaGlzIFNGLm5l
dCBlbWFpbCBpcyBzcG9uc29yZWQgYnk6IFNwbHVuayBJbmMuIERvIHlvdSBncmVwIHRocm91Z2gg
DQo+Pj4gbG9nIGZpbGVzIGZvciBwcm9ibGVtcz8gIFN0b3AhICBEb3dubG9hZCB0aGUgbmV3IEFK
QVggc2VhcmNoIGVuZ2luZSANCj4+PiB0aGF0IG1ha2VzIHNlYXJjaGluZyB5b3VyIGxvZyBmaWxl
cyBhcyBlYXN5IGFzIHN1cmZpbmcgdGhlICB3ZWIuICANCj4+PiBET1dOTE9BRCBTUExVTkshDQo+
Pj4gaHR0cDovL3NlbC5hcy11cy5mYWxrYWcubmV0L3NlbD8gDQo+Pj4gY21kPWxuayZraWQ9MTAz
NDMyJmJpZD0yMzA0ODYmZGF0PTEyMTY0Mg0KPj4+IF9fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fDQo+Pj4gU25vcnQtaW5saW5lLXVzZXJzIG1haWxpbmcgbGlz
dA0KPj4+IFNub3J0LWlubGluZS11c2Vyc0BsaXN0cy5zb3VyY2Vmb3JnZS5uZXQNCj4+PiBodHRw
czovL2xpc3RzLnNvdXJjZWZvcmdlLm5ldC9saXN0cy9saXN0aW5mby9zbm9ydC1pbmxpbmUtdXNl
cnMNCj4+Pg0KPj4NCj4+DQo+PiAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tDQo+PiBUaGlzIFNGLm5ldCBlbWFpbCBpcyBzcG9uc29yZWQgYnk6
IFNwbHVuayBJbmMuIERvIHlvdSBncmVwIHRocm91Z2ggDQo+PiBsb2cgZmlsZXMgZm9yIHByb2Js
ZW1zPyAgU3RvcCEgIERvd25sb2FkIHRoZSBuZXcgQUpBWCBzZWFyY2ggZW5naW5lIA0KPj4gdGhh
dCBtYWtlcyBzZWFyY2hpbmcgeW91ciBsb2cgZmlsZXMgYXMgZWFzeSBhcyBzdXJmaW5nIHRoZSAg
d2ViLiAgDQo+PiBET1dOTE9BRCBTUExVTkshDQo+PiBodHRwOi8vc2VsLmFzLXVzLmZhbGthZy5u
ZXQvc2VsP2NtZD1sbmsma2lkEDM0MzImYmlkIzA0ODYmZGF0EjE2NDINCj4+IF9fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQo+PiBTbm9ydC1pbmxpbmUtdXNl
cnMgbWFpbGluZyBsaXN0DQo+PiBTbm9ydC1pbmxpbmUtdXNlcnNAbGlzdHMuc291cmNlZm9yZ2Uu
bmV0DQo+PiBodHRwczovL2xpc3RzLnNvdXJjZWZvcmdlLm5ldC9saXN0cy9saXN0aW5mby9zbm9y
dC1pbmxpbmUtdXNlcnMNCj4NCj4NCj4NCj4gLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KPiBUaGlzIFNGLm5ldCBlbWFpbCBpcyBzcG9uc29y
ZWQgYnk6IFNwbHVuayBJbmMuIERvIHlvdSBncmVwIHRocm91Z2ggbG9nIA0KPiBmaWxlcyBmb3Ig
cHJvYmxlbXM/ICBTdG9wISAgRG93bmxvYWQgdGhlIG5ldyBBSkFYIHNlYXJjaCBlbmdpbmUgdGhh
dCANCj4gbWFrZXMgc2VhcmNoaW5nIHlvdXIgbG9nIGZpbGVzIGFzIGVhc3kgYXMgc3VyZmluZyB0
aGUgIHdlYi4gIERPV05MT0FEIA0KPiBTUExVTkshDQo+IGh0dHA6Ly9zZWwuYXMtdXMuZmFsa2Fn
Lm5ldC9zZWw/Y21kPWxuayZraWQQMzQzMiZiaWQjMDQ4NiZkYXQSMTY0Mg0KPiBfX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXw0KPiBTbm9ydC1pbmxpbmUtdXNl
cnMgbWFpbGluZyBsaXN0DQo+IFNub3J0LWlubGluZS11c2Vyc0BsaXN0cy5zb3VyY2Vmb3JnZS5u
ZXQNCj4gaHR0cHM6Ly9saXN0cy5zb3VyY2Vmb3JnZS5uZXQvbGlzdHMvbGlzdGluZm8vc25vcnQt
aW5saW5lLXVzZXJzDQoNCg0KDQotIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0NClRoaXMgU0YubmV0IGVtYWlsIGlzIHNwb25zb3JlZCBieTog
U3BsdW5rIEluYy4gRG8geW91IGdyZXAgdGhyb3VnaCBsb2cgZmlsZXMgZm9yIHByb2JsZW1zPyAg
U3RvcCEgIERvd25sb2FkIHRoZSBuZXcgQUpBWCBzZWFyY2ggZW5naW5lIHRoYXQgbWFrZXMgc2Vh
cmNoaW5nIHlvdXIgbG9nIGZpbGVzIGFzIGVhc3kgYXMgc3VyZmluZyB0aGUgIHdlYi4gIERPV05M
T0FEIFNQTFVOSyENCmh0dHA6Ly9zZWwuYXMtdXMuZmFsa2FnLm5ldC9zZWw/Y21kPWsma2lkEDM0
MzImYmlkIzA0ODYmZGF0EjE2NDINCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fDQpTbm9ydC1pbmxpbmUtdXNlcnMgbWFpbGluZyBsaXN0DQpTbm9ydC1pbmxp
bmUtdXNlcnNAbGlzdHMuc291cmNlZm9yZ2UubmV0DQpodHRwczovL2xpc3RzLnNvdXJjZWZvcmdl
Lm5ldC9saXN0cy9saXN0aW5mby9zbm9ydC1pbmxpbmUtdXNlcnMNCg0KLS0tLS1CRUdJTiBQR1Ag
U0lHTkFUVVJFLS0tLS0NClZlcnNpb246IFBHUCBEZXNrdG9wIDkuMC40IChCdWlsZCA0MDQyKQ0K
Q29tbWVudDogVG8gZG93bmxvYWQgdGhpcyBwdWJsaWMga2V5IGdvIHRvIGh0dHBzOi8vcGdwLm5v
cndpY2guZWR1IG9yIA0KYWRkIGxkYXBzOi8vcGdwLm5vcndpY2guZWR1OjYzNiB0byB5b3VyIGxp
c3Qgb2Yga2V5c2VydmVycy4NCg0KaVFJVkF3VUJROWFhVGNvOTR1ME5uWUtkQVFqdWRSQUF0QVhl
QVVkN3FCa0pQREo0STl4UlQ1UDdjaUI4WCtVRQ0KVFRQcTZrUmpEcEpObUt2a3JmUDUyeCsyTE02
bWVsc2tMRjFWVVg3NDRXTUJMRW9yY2NqdC9mZTB2QTd1cGhWTg0KRWZha1hibzFNZ3RZVm9Tbm1L
MkFYQW5lQklTU0Y0L1lZUE5ZRHZPaTM3bTJlYnpDc2l1NTl0bDNlV0t3MU5oVw0KcnhhWjJWK1lZ
ejczSm4zVGpVbHhUM2phSUk2NEg1U2FGWDNrcWFkLzFndjFCTG5EZ0NDTDdJL3hhYkcvK3VrRw0K
VDVSNlBlMVROU1FRQlNiZTF5U1N4SHFhM1M4UXVUejhQQXdLTHhWMU1RT2lldjZXRmlTckFBdElO
VXBpcHRWNg0KMWY5cWQ2QTByQ3poclRJZm16NnBNWXNWQWNhV1ZPMm1CNTIrNjJtYW9IREZzOTBF
Tm84Wk9yYlBXb1UweEZIRA0KY0tZOW0rNEp6UVd1bHR0KzdXWC9NMTlxSytUc2FscVFOMUtVZlRR
M0lXRjN5MG1laWJmeGpyR1ljdldJejRYYg0KTFN2aStnTVVSWnN3VkRvTW5FcHhPRjB2MHNGSERE
YnY3MlAyS2lBVlFVYmtxTEJXTHhJc2w1ZXQzSjBJTlRGdQ0KNkpQalFLa2JqTi93cGxwdTBNQldU
NFN2MW1weXBmaWJNbUJ1S242SkNoQzYza3hxdFUyRDc1dDBkMDc2S0xKbw0KVXE4WHZPQnRmVVpQ
L0ttaWVPOXUzOUxVY1BFb21jekt5UnZMTitHWTMzZUdpWW4zQTZIOWxQTTQ0WHVMcFNQRA0KbjJo
NmhlOG5idXNCSE52ckhELzFXWVA0d29CbEYyQ29zS0hOQk5FcGxKNjByQ0t4eDRSckYwNEs4bkZ3
YmJ2Mg0KWWFpUTBHWllkMkE9DQo9cHN0Sw0KLS0tLS1FTkQgUEdQIFNJR05BVFVSRS0tLS0tDQoN
Cg==