Menu
▾
▴
snort-inline-users — The goal of this list is to help users debug/use snort_inline
You can subscribe to this list here.
| 2003 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
(15) |
Jun
(23) |
Jul
(54) |
Aug
(20) |
Sep
(18) |
Oct
(19) |
Nov
(36) |
Dec
(30) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2004 |
Jan
(48) |
Feb
(16) |
Mar
(36) |
Apr
(36) |
May
(45) |
Jun
(47) |
Jul
(93) |
Aug
(29) |
Sep
(28) |
Oct
(42) |
Nov
(45) |
Dec
(53) |
| 2005 |
Jan
(62) |
Feb
(51) |
Mar
(65) |
Apr
(28) |
May
(57) |
Jun
(23) |
Jul
(24) |
Aug
(72) |
Sep
(16) |
Oct
(53) |
Nov
(53) |
Dec
(3) |
| 2006 |
Jan
(56) |
Feb
(6) |
Mar
(15) |
Apr
(14) |
May
(35) |
Jun
(57) |
Jul
(35) |
Aug
(7) |
Sep
(22) |
Oct
(16) |
Nov
(18) |
Dec
(9) |
| 2007 |
Jan
(8) |
Feb
(3) |
Mar
(11) |
Apr
(35) |
May
(6) |
Jun
(10) |
Jul
(26) |
Aug
(4) |
Sep
|
Oct
(29) |
Nov
|
Dec
(7) |
| 2008 |
Jan
(1) |
Feb
(2) |
Mar
(2) |
Apr
(13) |
May
(8) |
Jun
(3) |
Jul
(19) |
Aug
(20) |
Sep
(6) |
Oct
(5) |
Nov
|
Dec
(4) |
| 2009 |
Jan
(1) |
Feb
|
Mar
(1) |
Apr
|
May
|
Jun
(10) |
Jul
(2) |
Aug
(5) |
Sep
|
Oct
(1) |
Nov
|
Dec
(5) |
| 2010 |
Jan
(10) |
Feb
(10) |
Mar
(2) |
Apr
|
May
(7) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
(1) |
Dec
|
| 2011 |
Jan
|
Feb
(4) |
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2012 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2013 |
Jan
|
Feb
(2) |
Mar
(3) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Youn G. <is...@cl...> - 2004-03-10 19:00:22
|
I am having problems compiling on redhat 9, minimal install. I was unable to
search the archives, but could not find much using search engines. Any
suggestions?
BTW, I don't necessarily have to use redhat or linux as the platform so if
anyone has had better luck using a different os I would be willing to
switch.
Making all in output-plugins
make[3]: Entering directory `/root/snort_inline-2.1.0a/src/output-plugins'
gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../.. -I../../src -I../../src/sfutil -
I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins
-I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preproc
essors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/prepr
ocessors/HttpInspect/include -I/usr/local/include -I/usr/include -g -O2 -W
all -DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H
-DLIBNET_LIL_ENDIAN -c `test -f 'spo_alert_fast.c' || echo
'./'`spo_alert_fast.c
In file included from /usr/include/linux/netfilter_ipv4/ip_queue.h:10,
from /usr/local/include/libipq.h:37,
from ../../src/inline.h:8,
from ../../src/snort.h:38,
from spo_alert_fast.c:51:
/usr/include/linux/if.h:59: redefinition of `struct ifmap'
/usr/include/linux/if.h:77: redefinition of `struct ifreq'
/usr/include/linux/if.h:126: redefinition of `struct ifconf'
make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory `/root/snort_inline-2.1.0a/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/snort_inline-2.1.0a/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/snort_inline-2.1.0a'
make: *** [all] Error 2
Youn Gonzales
System Administrator
Comptia A+, Network+, INET+,
Cisco CCNA/CCDA Certified Technician
Microsoft Certified Professional
Indifference can not but be criminal, when it is conversant about objects
which are so far from being of an indifferent nature, that they are highest
importance. --Addison.
|
|
From: Jochen V. <jv...@it...> - 2004-03-05 12:14:45
|
Hi, If snort log to ascii i get payload. If snort log to binary and barnyard write it to ascii i get no payload. Snort ------------- /usr/local/bin/snort -c /tmp/rules/snort.conf -i br0 -deQ -A none -------------- output alert_unified: filename snort.alert, limit 128 output log_unified: filename snort.log, limit 128 -------------- Barnyard ---------------- /usr/local/bin/barnyard -c $CONF/barnyard.conf -d $LOG \ -g /tmp/rules/gen-msg.map -s /tmp/rules/sid-msg.map \ -f snort.log -w $LOG/waldo.log ----------------- #output alert_fast output log_dump #output alert_syslog #output log_pcap #output alert_acid_db: mysql, database snort, server 192.168.0.48, user sensor #output log_acid_db: mysql, database snort, server 192.168.0.48, user sensor, detail full Any idea? Thx for help jo |
|
From: Christopher J. <cj...@ho...> - 2004-03-05 05:28:29
|
Hello Brian, Thank you for your reply. Sorry for the delay. I have tried installing snortconfig on a new machine and have the same problem. The result after running "snortconfig -inline -file test.conf -config honeynet.conf -directory snortconfig-rules" are empty rules. I am currently running RedHat 7.3 with a precompiled bridging kernel. I have installed Net-Snort-Parser-1.14.tar.gz. Running "perl -MNet::Snort::Parser::Rule -e 'print $Net::Snort::Parser::Rule::VERSION."\n";'" shows "1.14". "which snortconfig" reflects the correct location of snortconfig: "/usr/bin/snortconfig". I have manually updated my Snort rules so that snort_inline can run properly - but it would be nice to use your snortconfig tool because it is convenient. Thank you, Chris > > On Fri, 9 Jan 2004, Christopher Joyce wrote: > > > Hello, > > > > > > I am having problems using snortconfig to convert my snort rules. I >have > > > setup a basic test to convert one file (x11.rules) and the file that >is > > > created in the directory specified below is blank. > > > > > > Here is what I have tried: > > > > > > snortconfig -inline -file test.conf -config honeynet.conf -directory > > > snortconfig-rules > > > > Using the latest release of snortconfig, your exact config works as > > expected for me. What version of snortconfig are you using? > > > > You can find this out by doing: > > > > ident `which snortconfig` > > > > Also, what version of the perl modules are you using? You can find this > > out by doing: > > > > perl -MNet::Snort::Parser::Rule -e 'print >$Net::Snort::Parser::Rule::VERSION."\n";' > > > > Thanks, > > Brian > > > > > > ------------------------------------------------------- > > The SF.Net email is sponsored by EclipseCon 2004 > > Premiere Conference on Open Tools Development and Integration > > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. > > http://www.eclipsecon.org/osdn > > _______________________________________________ > > Snort-inline-users mailing list > > Sno...@li... > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > > > > >--- >Outgoing mail is certified Virus Free. >Checked by AVG anti-virus system (http://www.grisoft.com). >Version: 6.0.605 / Virus Database: 385 - Release Date: 3/1/2004 > _________________________________________________________________ Fast. Reliable. Get MSN 9 Dial-up - 3 months for the price of 1! (Limited-time Offer) http://click.atdmt.com/AVE/go/onm00200361ave/direct/01/ |
|
From: Jochen V. <jv...@it...> - 2004-03-04 15:17:29
|
Hi, I have the following problem. If i set "etc/passwd" to drop i get an logging "etc/passwd" If i set "etc/passwd" to alert i get an logging "http directory traversal" I think this is an rule order problem? Thx for help jo |
|
From: Phillips, M. <Mic...@bm...> - 2004-03-04 12:48:19
|
When running snort_inline in inline mode, (using -Q), I get an this error when trying to "kill -HUP snort_inline-PID-Number ". This is the error .... =20 -*> Snort! <*- Version 2.1.0 (Build 9) By Martin Roesch (ro...@so..., www.snort.org) pcap_stats: pcap_stats: Bad file descriptor database: Closing connection to database "" Restarting Snort Reading from iptables Running in IDS mode Log directory =3D /var/log/snort Initializing Inline mode InlineInit: : Unable to bind netlink socket: Address already in use =20 I am using these command line arguments/switches " -c /xx -l /xx -d -Q "=20=20 =20 Has anybody else come across this and is there a way to HUP the process when using -Q =20 Thanks Michael =20 =20 BMRB International=20 http://www.bmrb.co.uk +44 (0)20 8566 5000 _________________________________________________________________ This message (and any attachment) is intended only for the=20 recipient and may contain confidential and/or privileged=20 material. If you have received this in error, please contact the=20 sender and delete this message immediately. Disclosure, copying=20 or other action taken in respect of this email or in=20 reliance on it is prohibited. BMRB International Limited=20 accepts no liability in relation to any personal emails, or=20 content of any email which does not directly relate to our=20 business. |
|
From: unor <uno...@ya...> - 2004-03-03 04:39:44
|
Has anyone else see the compile error below while
attempting to compile snort_inline 2.1.0a under Linux
kernel 2.6.3? (RedHat 9 if it matters)
It compiled fine under 2.6.1 so I copied swab.h from
the 2.6.1 tree into /usr/include/linux/byteorder/ and
it compiled fine. I'm no coder so I have no idea what
implication this may cause... sorry cannot test yet
either :(
Earl Sammons
## The error
make[3]: Entering directory
`/root/src/snort_inline-2.1.0a/src'
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../src
-I../src/sfutil -I/usr/include/pcap
-I../src/output-plugins -I../src/detection-plugins
-I../src/preprocessors -I../src/preprocessors/flow
-I../src/preprocessors/portscan
-I../src/preprocessors/flow/int-snort
-I../src/preprocessors/HttpInspect/include
-I/usr/include/pcre -I/usr/include -g -O2 -Wall
-DGIDS -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD
-DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c `test -f
'inline.c' || echo './'`inline.c
In file included from
/usr/include/linux/byteorder/little_endian.h:11,
from /usr/include/asm/byteorder.h:34,
from /usr/include/linux/igmp.h:19,
from /usr/include/netinet/igmp.h:26,
from /usr/include/libnet.h:69,
from inline.c:8:
/usr/include/linux/byteorder/swab.h:133: syntax error
before "__u16"
In file included from
/usr/include/linux/byteorder/little_endian.h:11,
from /usr/include/asm/byteorder.h:34,
from /usr/include/linux/igmp.h:19,
from /usr/include/netinet/igmp.h:26,
from /usr/include/libnet.h:69,
from inline.c:8:
/usr/include/linux/byteorder/swab.h:146: syntax error
before "__u32"
In file included from
/usr/include/linux/byteorder/little_endian.h:11,
from /usr/include/asm/byteorder.h:34,
from /usr/include/linux/igmp.h:19,
from /usr/include/netinet/igmp.h:26,
from /usr/include/libnet.h:69,
from inline.c:8:
/usr/include/linux/byteorder/swab.h:160: syntax error
before "__u64"
make[3]: *** [inline.o] Error 1
make[3]: Leaving directory
`/root/src/snort_inline-2.1.0a/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory
`/root/src/snort_inline-2.1.0a/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory
`/root/src/snort_inline-2.1.0a'
make: *** [all] Error 2
####################################################
diff linux-2.6.1/include/linux/byteorder/swab.h
linux-2.6.3/include/linux/byteorder/swab.h
17a18,19
> #include <linux/compiler.h>
>
131c133
< static __inline__ __const__ __u16 __fswab16(__u16 x)
---
> static __inline__ __attribute_const__ __u16
__fswab16(__u16 x)
144c146
< static __inline__ __const__ __u32 __fswab32(__u32 x)
---
> static __inline__ __attribute_const__ __u32
__fswab32(__u32 x)
158c160
< static __inline__ __const__ __u64 __fswab64(__u64 x)
---
> static __inline__ __attribute_const__ __u64
__fswab64(__u64 x)
####################################################
__________________________________
Do you Yahoo!?
Yahoo! Search - Find what youre looking for faster
http://search.yahoo.com
|
|
From: Schwendinger, D. T., 1. IO C. <dt...@1s...> - 2004-03-02 14:53:24
|
All, A little background: > I'm using SNORT_inline as part of a honeypot on a RedHat 9.0 box with the > snort_inline.sh script from honeynet.org. The only modifications I made > were to add the "-s" option to send the alerts to syslog as well as a file > and change the interface. > > $SNORT -D -d -s -c /etc/snort_inline/snort_inline.conf -Q -i vmnet1 -l > $DIR/$DATE -t $DIR/$DATE > > It seems to start without any problems, no errors or messages in syslog > that indicate there's a problem but it will not log to syslog or to a > file. A "ps -ef" shows that it is running. > > If I remove the "-Q" option it will begin logging. The Problem: I found that when I patched the kernel with "ebtables-brnf-3_vs_2.4.22-kernel.diff.gz" patch and got the following error. > patching file net/Makefile > > Hunk #1 FAILED at 7. > 1 out of 2 hunks FAILED -- saving rejects to file net/Makefile.rej -According to http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html: "The br-nf code makes bridged IP frames/packets go through the iptables chains. Ebtables filters on the Ethernet layer, while iptables only filters IP packets." This caused the traffic from the Linux host to be queued and looked at by snort_inline but traffic that was bridged was sent right through without being queued and examined by snort_inline because of this error in the installation of ebtables. The solution: I was unable to correct this problem with the patch, so I upgraded the kernel to 2.6.2 ( has ebtables and bridge-netfilters built in) and recompiled it with all the bridge-netfilters and ebt options selected. This fixed the problem and now snort_inline is working perfectly. David |
|
From: Schwendinger, D. T., 1. IO C. <dt...@1s...> - 2004-03-01 15:16:28
|
I found out what the problem was. It was a problem ebtables not a snort_inline problem. Thanks david -----Original Message----- From: Schwendinger, David T., 1st IO CMD Sent: Wednesday, January 07, 2004 3:55 PM To: Sno...@li... Subject: Problem with -Q I'm using SNORT_inline as part of a honeypot on a RedHat 9.0 box with the snort_inline.sh script from honeynet.org. The only modifications I made were to add the "-s" option to send the alerts to syslog as well as a file and change the interface. $SNORT -D -d -s -c /etc/snort_inline/snort_inline.conf -Q -i vmnet1 -l $DIR/$DATE -t $DIR/$DATE It seems to start without any problems, no errors or messages in syslog that indicate there's a problem but it will not log to syslog or to a file. A "ps -ef" shows that it is running. If I remove the "-Q" option it will begin logging. Any idea on what the problem may be. Thanks david |
|
From: Kris L. <ki...@ho...> - 2004-02-29 08:47:03
|
Hello list, After finally getting snortconfig to work I have run into a problem. All the rule files that it creates are empty. Using command: ./snortconfig -file asdf.conf -config examples/HONEYNET.config -verbose -honeynet -inline asdf.conf: var RULE_PATH /etc/snort include $RULE_PATH/exploit.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/telnet.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/dos.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/tftp.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-iis.rules include $RULE_PATH/web-frontpage.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-php.rules include $RULE_PATH/sql.rules include $RULE_PATH/x11.rules include $RULE_PATH/icmp.rules include $RULE_PATH/netbios.rules include $RULE_PATH/oracle.rules include $RULE_PATH/mysql.rules include $RULE_PATH/snmp.rules include $RULE_PATH/smtp.rules include $RULE_PATH/imap.rules include $RULE_PATH/pop3.rules include $RULE_PATH/pop2.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/virus.rules include $RULE_PATH/nntp.rules Output from snortconfig with -verboseTried adding replace to 312. No contents Did not switch 1382. Doesn't use variables. Did not switch 271. Doesn't use variables. Did not switch 224. Doesn't use variables. Did not switch 1941. Doesn't use variables. Did not switch 2337. Doesn't use variables. Did not switch 1289. Doesn't use variables. Did not switch 1441. Doesn't use variables. Did not switch 1442. Doesn't use variables. Did not switch 1443. Doesn't use variables. Did not switch 485. Doesn't use variables. Did not switch 486. Doesn't use variables. Did not switch 487. Doesn't use variables. Did not switch 2311. Doesn't use variables. Did not switch 2348. Doesn't use variables. Did not switch 2349. Doesn't use variables. Did not switch 1415. Doesn't use variables. Did not switch 1416. Doesn't use variables. Did not switch 732. Doesn't use variables. perl -MNet::Snort::Parser::Rule -e 'print $Net::Snort::Parser::Rule::VERSION."\n";' gives 1.14 i've tried to get all the latest files from cvs but the same problem still exhists. Perl version is 5.8.0. Any help would be great. _________________________________________________________________ Stay informed on Election 2004 and the race to Super Tuesday. http://special.msn.com/msn/election2004.armx |
|
From: Rick S. <rsh...@mi...> - 2004-02-26 15:03:09
|
I have libnet-1.0.2a-r3 and the configure for snort_inline says: checking "for libnet.h version 1.0.x"... ./configure: line 1: libnet-config: command not found ./configure: line 1: libnet-config: command not found ./configure: line 1: libnet-config: command not found It says it configured fine but make throws an error: /usr/include/libnet.h:87:2: #error "byte order has not been specified, you'll need to #define either LIBNET_LIL_ENDIAN or LIBNET_BIG_ENDIAN. See the documentation regarding the libnet-config script." any ideas? Rick S. |
|
From: Brian J. <bja...@ci...> - 2004-02-26 14:31:16
|
Nathan wrote:- > see so many inline bridge deployments. Has anyone successfully done an inline with nat? I have been running snort_inline within my IPCop natted firewall on inbound traffic for a few months now. The setup is roughly as described by William Metcalfe. You have to be very, very careful about which rules to implement! I started with about a dozen and that has grown to circa 400. False positives are a definite no, no! The results are terrific. Every alert into the DMZ is of interest. The most common being notification of access to robots.txt on the web server. Well worth the effort. I (think I) know exactly where to focus my efforts. regards, Brian |
|
From: <Wil...@kc...> - 2004-02-26 05:46:56
|
DQoNCg0KDQpJdCBzaG91bGRuJ3QgYmUgYWxsIHRoYXQgZGlmZmljdWx0LCBJZiB5b3UgYWxyZWFk eSBoYXZlIGEgbmF0IGZpcmV3YWxsLA0KanVzdCBjaGFuZ2UgdGhlIHRhcmdldCBpbiB5b3VyIHJ1 bGVzIGZyb20gLWogQUNDRVBUIHRvIC1qIFFVRVVFLiAgVXNpbmcgdGhlDQpRVUVVRSB0YXJnZXQg c25vcnQtaW5saW5lIHdpbGwgbG9vayBhdCB0aGUgdHJhZmZpYy4gIElmIGl0IGlzIGdvb2QgaXQg d2lsbA0KcGFzcyBpdCwgaWYgaXQgaXMgYmFkIGl0IHdpbGwgZHJvcCBpdC4gIE9yIGxldCdzIGFz c3VtZSB0aGF0IHlvdSBoYXZlIGENCmxpbnV4IGJveCB3aXRoIHR3byBpbnRlcmZhY2VzIGFuZCB5 b3Ugd2FudCBpdCB0byBiZSBhbiBpcHMgcm91dGVyLiAgTGV0cw0KYWxzbyBhc3N1bWUgdGhhdCBl dGgwIGlzIGludCBvZiB0aGUgbmV0d29yayB5b3Ugd2FudCB0byBwcm90ZWN0IGFuZCBldGgxIGlz DQp0aGUgaW50ZXJmYWNlIHlvdSBoYXZlIHBsdWdnZWQgaW50byBhbiB1bnRydXN0ZWQgbmV0d29y ayAoY2FibGUgbW9kZW0NCmV0Yy4uLi4uKSAgU29tZXRoaW5nIGxpa2UgdGhlIGlwdGFibGVzIHNj cmlwdCBiZWxvdyBzaG91bGQgc3VmZmljZS4gIEkNCm1pZ2h0IGhhdmUgc29tZSByZWR1bmRhbnQg UVVFVUUgdGFyZ2V0cywgYnV0IEkgd3JvdGUgYW5kIHRlc3RlZCB0aGlzIGluDQpmaWZ0ZWVuIG1p bnV0ZXMuICBJdCB3YXMgZHJvcHBpbmcgYmFkIHRyYWZmaWMgbGlrZSBhIGNoYW1wLiAgSSBkaWRu J3QNCmluY2x1ZGUgYW55IGljbXAgc3RhdGVtZW50cywgc28gaWYgeW91IHdhbnQgcGluZyB5b3Ug d2lsbCBoYXZlIHRvIGFkZCBpdA0KeW91cnNlbGYuDQoNCmlwdGFibGVzIC1GIElOUFVUDQppcHRh YmxlcyAtRiBGT1JXQVJEDQppcHRhYmxlcyAtRiBPVVRQVVQNCmlwdGFibGVzIC10IG5hdCAtRiBQ UkVST1VUSU5HDQppcHRhYmxlcyAtdCBuYXQgLUYgUE9TVFJPVVRJTkcNCmlwdGFibGVzIC1QIElO UFVUIERST1ANCmlwdGFibGVzIC1QIEZPUldBUkQgRFJPUA0KaXB0YWJsZXMgLVAgT1VUUFVUIEFD Q0VQVA0KIyBFbmFibGUgSVAgZm9yd2FyZGluZw0KZWNobyAiMSIgPiAvcHJvYy9zeXMvbmV0L2lw djQvaXBfZm9yd2FyZA0KZWNobyAiMCIgPiAvcHJvYy9zeXMvbmV0L2lwdjQvY29uZi9hbGwvYWNj ZXB0X3NvdXJjZV9yb3V0ZQ0KZWNobyAiMCIgPiAvcHJvYy9zeXMvbmV0L2lwdjQvY29uZi9hbGwv c2VuZF9yZWRpcmVjdHMNCmVjaG8gIjAiID4gL3Byb2Mvc3lzL25ldC9pcHY0L2NvbmYvYWxsL2Fj Y2VwdF9yZWRpcmVjdHMNCmVjaG8gIjEiID4gL3Byb2Mvc3lzL25ldC9pcHY0L3RjcF9zeW5jb29r aWVzDQojSU5QVVQNCiNMZXQgZmlyZXdhbGwgdGFsayB0byBpdHNlbGYNCmlwdGFibGVzIC1BIElO UFVUIC1pIGxvIC1tIHN0YXRlIC0tc3RhdGUgTkVXIC1qIEFDQ0VQVA0KI0FsbG93IHRyYWZmaWMg aW5pdGlhdGVkIGZyb20gdGhpcyBib3ggYmFjayBpbiBhbmQgY2hlY2sgZm9yIG5hc3RpbmVzcw0K aXB0YWJsZXMgLUEgSU5QVVQgLW0gc3RhdGUgLS1zdGF0ZSBSRUxBVEVELEVTVEFCTElTSEVEIC1q IFFVRVVFDQojU2V0IHVwIHRoZSBGT1JXQVJEIHRhYmxlIGZvciBOQVQNCmlwdGFibGVzIC1BIEZP UldBUkQgLWkgZXRoMCAtbyBldGgxIC1qIFFVRVVFDQppcHRhYmxlcyAtQSBGT1JXQVJEIC1pIGV0 aDEgLW0gc3RhdGUgLS1zdGF0ZSBSRUxBVEVELEVTVEFCTElTSEVEIC1qIFFVRVVFDQojU2V0dXAg dGhlIE5BVCBydWxlDQppcHRhYmxlcyAtdCBuYXQgLUEgUE9TVFJPVVRJTkcgLW8gZXRoMSAtaiBN QVNRVUVSQURFDQoNClJlZ2FyZHMsDQoNCldpbGwNCg0KDQoNCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0K ICAgICAgICAgICAgICJOYXRoYW4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgTGl0dGxlcGFnZSIgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICA8bmF0 aGFuQGl3YW50a2EuYyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRv IA0KICAgICAgICAgICAgIG9tPiAgICAgICAgICAgICAgICAgICAgICAgPHNub3J0LWlubGluZS11 c2Vyc0BsaXN0cy5zb3VyY2Vmb3IgDQogICAgICAgICAgICAgU2VudCBieTogICAgICAgICAgICAg ICAgICBnZS5uZXQ+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICBz bm9ydC1pbmxpbmUtdXNlciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IGNjIA0KICAgICAgICAgICAgIHMtYWRtaW5AbGlzdHMuc291ICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgcmNlZm9yZ2UubmV0ICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgU3ViamVjdCANCiAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJFOiBbU25vcnQtaW5saW5lLXVzZXJzXSBSZTog ICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcmMuZmlyZXdh bGwgc2NyaXB0IGVkaXRpbmcgLSAgICAgICAgDQogICAgICAgICAgICAgMDIvMjUvMjAwNCAwNTo0 NyAgICAgICAgICBGb2xsb3ctdXAgdG8gcG9zdCBsYXN0IG1vbnRoICAgICAgICANCiAgICAgICAg ICAgICBQTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCg0K DQoNCg0KSSBzZWUgc28gbWFueSBpbmxpbmUgYnJpZGdlIGRlcGxveW1lbnRzLiBIYXMgYW55b25l IHN1Y2Nlc3NmdWxseSBkb25lIGFuDQppbmxpbmUgd2l0aCBuYXQ/DQogLS0tLS1PcmlnaW5hbCBN ZXNzYWdlLS0tLS0NCiBGcm9tOiBzbm9ydC1pbmxpbmUtdXNlcnMtYWRtaW5AbGlzdHMuc291cmNl Zm9yZ2UubmV0DQogW21haWx0bzpzbm9ydC1pbmxpbmUtdXNlcnMtYWRtaW5AbGlzdHMuc291cmNl Zm9yZ2UubmV0XSBPbiBCZWhhbGYgT2YNCiBXaWxsaWFtX01ldGNhbGZAa2Ntby5vcmcNCiBTZW50 OiBGcmlkYXksIEZlYnJ1YXJ5IDIwLCAyMDA0IDQ6MjkgUE0NCiBUbzogS2FybCAuDQogQ2M6IHNu b3J0LWlubGluZS11c2Vyc0BsaXN0cy5zb3VyY2Vmb3JnZS5uZXQNCiBTdWJqZWN0OiBbU25vcnQt aW5saW5lLXVzZXJzXSBSZTogcmMuZmlyZXdhbGwgc2NyaXB0IGVkaXRpbmcgLSBGb2xsb3ctdXAN CiB0byBwb3N0IGxhc3QgbW9udGgNCg0KDQogVGhpcyBpcyB3aGF0IEkgdXNlIHRvIHN0YXJ0dXAg bXkgc3RlYWx0aCBicmlkZ2UuDQoNCiBjYXNlICIkMSIgaW4NCiAgIHN0YXJ0KQ0KICAgICAgICAg ZWNobyAtbiAic3RhcnRpbmcgYnJpZGdlIg0KICAgICAgICAgI0JSSURHRSBTRVRVUA0KICAgICAg ICAgZWNobyBzZXR0aW5nIHVwIGJyaWRnZQ0KICAgICAgICAgL3NiaW4vaWZjb25maWcgZXRoMCAw LjAuMC4wDQogICAgICAgICAvc2Jpbi9pZmNvbmZpZyBldGgxIDAuMC4wLjANCiAgICAgICAgICAg ICAgICAgL3Vzci9sb2NhbC9iaW4vYnJjdGwgYWRkYnIgYnIwDQogICAgICAgICAgICAgICAgIC91 c3IvbG9jYWwvYmluL2JyY3RsIGFkZGlmIGJyMCBldGgwDQogICAgICAgICAgICAgICAgIC91c3Iv bG9jYWwvYmluL2JyY3RsIGFkZGlmIGJyMCBldGgxDQogICAgICAgICAvdXNyL2xvY2FsL2Jpbi9i cmN0bCBzdHAgYnIwIG9mZg0KICAgICAgICAgL3NiaW4vaWZjb25maWcgYnIwIHVwDQogICAgICAg ICAjTkFJTElORyBVUCBJTlRFUkZBQ0VTIEFUIDEwMEZVTEwNCiAgICAgICAgICBlY2hvIG5haWxp bmcgdXAgaW50ZXJmYWNlcyBhdCAxMDBGVUxMDQogICAgICAgICAgICAgICAgIC9zYmluL21paS10 b29sIGV0aDAgLUYgMTAwYmFzZVR4LUZEDQogICAgICAgICAgICAgICAgIC9zYmluL21paS10b29s IGV0aDEgLUYgMTAwYmFzZVR4LUZEDQogICAgICAgICBzbGVlcCAzDQogICAgICAgICBlY2hvDQog ICAgICAgICA7Ow0KICAgIHN0b3ApDQogICAgICAgICBlY2hvIC1uICJTdG9wcGluZyBJUFMgU1RV RkY6ICgiDQogICAgICAgICAvdXNyL2xvY2FsL2Jpbi9icmN0bCBkZWxpZiBicjAgZXRoMA0KICAg ICAgICAgL3Vzci9sb2NhbC9iaW4vYnJjdGwgZGVsaWYgYnIwIGV0aDENCiAgICAgICAgIC9zYmlu L2lmY29uZmlnIGJyMCBkb3duDQogICAgICAgICAvdXNyL2xvY2FsL2Jpbi9icmN0bCBkZWxiciBi cjANCiAgICAgICAgICBlY2hvDQogICAgICAgICA7Ow0KIHJlc3RhcnQpDQogICAgICAgICAkMCBz dG9wDQogICAgICAgICAkMCBzdGFydA0KICAgICAgICAgOzsNCiAgc3RhdHVzKQ0KICAgICAgICAg c3RhdHVzIGJyaWRnZQ0KICAgICAgICAgOzsNCiAgICAqKQ0KICAgICAgICAgZWNobyAiVXNhZ2U6 ICQwIHtzdGFydHxzdG9wfHJlc3RhcnR8c3RhdHVzfSINCiAgICAgICAgIGV4aXQgMQ0KIGVzYWMN Cg0KIGV4aXQgMA0KDQogVGhpcyBpcyB3aGF0IEkgdXNlIGluIGlwdGFibGVzIGZvciBwdXJlIElQ UyBpbmJvdW5kL291dGJvdW5kIElQUw0KDQogaXB0YWJsZXMgLUEgRk9SV0FSRCAtaiBRVUVVRQ0K IGlwdGFibGVzIC1BIElOUFVUIC1qIERST1ANCg0KIElmIHlvdSBvbmx5IHdhbnQgdG8gYWxsb3cg dHJhZmZpYyB0byBhbmQgZnJvbSBhIGNlcnRpYW4gaXAgeW91IHdvdWxkIGRvDQogc29tZXRoaW5n IGxpa2UgdGhpcyBsZXRzIHNheSB0aGF0IHlvdXIgY29tcHV0ZXIgaGFzIGFuIGlwIG9mIDE5Mi4x NjguMS4xDQogaW5zbW9kIGlwdF9zdGF0ZQ0KDQogaXB0YWJsZXMgLUEgRk9SV0FSRCAtbSBzdGF0 ZSAtLXN0YXRlIElOVkFMSUQgLWogRFJPUA0KIGlwdGFibGVzIC1BIEZPUldBUkQgLXMgMTkyLjE2 OC4xLjEgLWQgMC4wLjAuMC8wIC1tIHN0YXRlIC0tc3RhdGUgTkVXIC1qDQogUVVFVUUNCiBpcHRh YmxlcyAtQSBGT1JXQVJEIC1wIHRjcCAtbSBzdGF0ZSAtLXN0YXRlIFJFTEFURUQsRVNUQUJMSVNI RUQgLWogUVVFVUUNCiBpcHRhYmxlcyAtQSBGT1JXQVJEIC1qIERST1ANCiBpcHRhYmxlcyAtQSBJ TlBVVCAtaiBEUk9QDQoNCiBPciB5b3UgaGF2ZSBhIGNsYXNzIGMgbmV0d29yayB5b3Ugd291bGQg ZG8gc29tZXRoaW5nIGxpa2UNCg0KIGlwdGFibGVzIC1BIEZPUldBUkQgLW0gc3RhdGUgLS1zdGF0 ZSBJTlZBTElEIC1qIERST1ANCiBpcHRhYmxlcyAtQSBGT1JXQVJEIC1zIDE5Mi4xNjguMS4wLzI0 IC1kIDAuMC4wLjAvMCAtbSBzdGF0ZSAtLXN0YXRlIE5FVyAtag0KIFFVRVVFDQogaXB0YWJsZXMg LUEgRk9SV0FSRCAtcCB0Y3AgLW0gc3RhdGUgLS1zdGF0ZSBSRUxBVEVELEVTVEFCTElTSEVEIC1q IFFVRVVFDQogaXB0YWJsZXMgLUEgRk9SV0FSRCAtaiBEUk9QDQogaXB0YWJsZXMgLUEgSU5QVVQg LWogRFJPUA0KDQogSWYgdGhlIGRoY3Agc2VydmVyIGZvciB5b3VyIG5ldCBpcyBvbiB0aGUgb3Ro ZXIgc2lkZSBvZiB0aGUgYnJpZGdlDQogY29ubnRyYWNrIGhhcyBwcm9ibGVtcyB3aXRoIGJvb3Rw L2RoY3Agc28gYWRkIHRoZSBmb2xsb3dpbmcgcnVsZXMuDQoNCiBpcHRhYmxlcyAtQSBGT1JXQVJE IC1wIHVkcCAtLWRwb3J0IDY3IC1qIEFDQ0VQVA0KIGlwdGFibGVzIC1BIEZPUldBUkQgLXAgdWRw IC0tZHBvcnQgNjggLWogQUNDRVBUDQogaXB0YWJsZXMgLUEgRk9SV0FSRCAtcCB1ZHAgLS1zcG9y dCA2NyAtaiBBQ0NFUFQNCiBpcHRhYmxlcyAtQSBGT1JXQVJEIC1wIHVkcCAtLXNwb3J0IDY4IC1q IEFDQ0VQVA0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAiS2FybCAuIiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KIDxrZmJk ZXZyeUBob3RtYWlsLmNvbT4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFRvIA0KIDAy LzIwLzIwMDQgMDM6NTkgUE0gICAgICAgICAgICAgICAgICAgICAgIFdpbGxpYW1fTWV0Y2FsZkBr Y21vLm9yZyAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjYyANCiAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0K ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIFN1YmplY3QgDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgcmMuZmlyZXdhbGwgc2NyaXB0IGVkaXRpbmcgLSAgICANCiAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICBGb2xsb3ctdXAgdG8gcG9zdCBsYXN0IG1vbnRoICAg IA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCiAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgDQoNCg0KDQoNCg0KIFdpbGxpYW0sDQoNCiBJIHNh dyB5b3VyIHBvc3Q6DQoNCiBodHRwOi8vMjE2LjIzOS4zOS4xMDQNCiAvc2VhcmNoP3E9Y2FjaGU6 cW9NS1JzaDl5cW9KOnNvdXJjZWZvcmdlLm5ldC9tYWlsYXJjaGl2ZS9mb3J1bS5waHAlM0Z0aHJl YWRfaWQlM0QzNzY4MzY3JTI2Zm9ydW1faWQlM0QzMjkzMytyYy5maXJld2FsbCtSb2IrTWNNaWxs ZW4maGw9ZW4maWU9VVRGLTgNCg0KDQogcmVnYXJkaW5nIGEgInNpbXBsZSIgdmVyc2lvbiBvZiB0 aGUgcmMuZmlyZXdhbGwgc2NyaXB0IGJ5IFJvYk1jTWlsbGVuLiAgSQ0KIHdhbnRlZCB0byBkbyB0 aGUgZXhhY3Qgc2FtZSB0aGluZyBidXQgSSdtIG5vdCBzdXJlIHdoYXQgdG8gcHV0IGluIHRoZQ0K IFBVQkxJQ19JUCBhbmQgSU5FVF9JRkFDRSB2YXJpYWJsZXMgc2luY2UgSSdtIG5vdCBydW5uaW5n IGEgSG9uZXlwb3QuICBNeQ0KIGZpcmV3YWxsIGhhcyBhbGwgdGhlIHB1YmxpYyBhbmQgcHJpdmF0 ZSBhZGRyZXNzZXMsIG5vdCB0aGlzIGJveCwgcmlnaHQ/DQoNCiBDb3VsZCB5b3UgcG9zc2libHkg aGVscCBtZSBvbiB0aGlzPyAgSSdtIHNpbXBseSB3YW50IHRvIHVzZSB0aGlzIGJveCBhcyBhDQog U3RlYWx0aCBCcmlkZ2UgYmVoaW5kIG15IERTTCBtb2RlbSB0byBwcmV2ZW50IGF0dGFja3Mgb24g bXkgc2VydmVycy4NCg0KIEFueSBoZWxwIGlzIGFwcHJlY2lhdGVkLg0KDQogVGhhbmtzDQoNCiBL YXJsDQoNCiBTYXkg4oCcZ29vZC1ieWXigJ0gdG8gc3BhbSwgdmlydXNlcyBhbmQgcG9wLXVwcyB3 aXRoIE1TTiBQcmVtaXVtIC0tIGZyZWUgdHJpYWwNCiBvZmZlciE= |
|
From: Nathan L. <na...@iw...> - 2004-02-25 23:57:02
|
I see so many inline bridge deployments. Has anyone successfully done an
inline with nat?
-----Original Message-----
From: sno...@li...
[mailto:sno...@li...] On Behalf Of
Wil...@kc...
Sent: Friday, February 20, 2004 4:29 PM
To: Karl .
Cc: sno...@li...
Subject: [Snort-inline-users] Re: rc.firewall script editing - Follow-up
to post last month
This is what I use to startup my stealth bridge.
case "$1" in
start)
echo -n "starting bridge"
#BRIDGE SETUP
echo setting up bridge
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig eth1 0.0.0.0
/usr/local/bin/brctl addbr br0
/usr/local/bin/brctl addif br0 eth0
/usr/local/bin/brctl addif br0 eth1
/usr/local/bin/brctl stp br0 off
/sbin/ifconfig br0 up
#NAILING UP INTERFACES AT 100FULL
echo nailing up interfaces at 100FULL
/sbin/mii-tool eth0 -F 100baseTx-FD
/sbin/mii-tool eth1 -F 100baseTx-FD
sleep 3
echo
;;
stop)
echo -n "Stopping IPS STUFF: ("
/usr/local/bin/brctl delif br0 eth0
/usr/local/bin/brctl delif br0 eth1
/sbin/ifconfig br0 down
/usr/local/bin/brctl delbr br0
echo
;;
restart)
$0 stop
$0 start
;;
status)
status bridge
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit 0
This is what I use in iptables for pure IPS inbound/outbound IPS
iptables -A FORWARD -j QUEUE
iptables -A INPUT -j DROP
If you only want to allow traffic to and from a certian ip you would do
something like this lets say that your computer has an ip of 192.168.1.1
insmod ipt_state
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -s 192.168.1.1 -d 0.0.0.0/0 -m state --state NEW -j
QUEUE
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
Or you have a class c network you would do something like
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -d 0.0.0.0/0 -m state --state NEW
-j QUEUE
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
If the dhcp server for your net is on the other side of the bridge
conntrack has problems with bootp/dhcp so add the following rules.
iptables -A FORWARD -p udp --dport 67 -j ACCEPT
iptables -A FORWARD -p udp --dport 68 -j ACCEPT
iptables -A FORWARD -p udp --sport 67 -j ACCEPT
iptables -A FORWARD -p udp --sport 68 -j ACCEPT
"Karl ." <kfb...@ho...>
02/20/2004 03:59 PM
To
Wil...@kc...
cc
Subject
rc.firewall script editing - Follow-up to post last month
William,
I saw your post:
<http://64.4.10.250/cgi-bin/linkrd?_lang=EN&lah=9c16cb8818ea160a8ff61e65
f83d2b18&lat=1077314208&hm___action=http%3a%2f%2f216%2e239%2e39%2e104%2f
search%3fq%3dcache%3aqoMKRsh9yqoJ%3asourceforge%2enet%2fmailarchive%2ffo
rum%2ephp%253Fthread_id%253D3768367%2526forum_id%253D32933%2brc%2efirewa
ll%2bRob%2bMcMillen%26amp%3bhl%3den%26amp%3bie%3dUTF%2d8>
http://216.239.39.104/search?q=cache:qoMKRsh9yqoJ:sourceforge.net/mailar
chive/forum.php%3Fthread_id%3D3768367%26forum_id%3D32933+rc.firewall+Rob
+McMillen&hl=en&ie=UTF-8
regarding a "simple" version of the rc.firewall script by RobMcMillen.
I wanted to do the exact same thing but I'm not sure what to put in the
PUBLIC_IP and INET_IFACE variables since I'm not running a Honeypot. My
firewall has all the public and private addresses, not this box, right?
Could you possibly help me on this? I'm simply want to use this box as
a Stealth Bridge behind my DSL modem to prevent attacks on my servers.
Any help is appreciated.
Thanks
Karl
_____
<http://g.msn.com/8HMBENUS/2740??PS=> Say "good-bye" to spam, viruses
and pop-ups with MSN Premium -- free trial offer!
|
|
From: <Wil...@kc...> - 2004-02-20 22:35:29
|
VGhpcyBpcyB3aGF0IEkgdXNlIHRvIHN0YXJ0dXAgbXkgc3RlYWx0aCBicmlkZ2UuDQoNCmNhc2Ug IiQxIiBpbg0KICBzdGFydCkNCiAgICAgICAgZWNobyAtbiAic3RhcnRpbmcgYnJpZGdlIg0KICAg ICAgICAjQlJJREdFIFNFVFVQDQogICAgICAgIGVjaG8gc2V0dGluZyB1cCBicmlkZ2UNCiAgICAg ICAgL3NiaW4vaWZjb25maWcgZXRoMCAwLjAuMC4wDQogICAgICAgIC9zYmluL2lmY29uZmlnIGV0 aDEgMC4wLjAuMCANCiAgICAgICAgICAgICAgICAvdXNyL2xvY2FsL2Jpbi9icmN0bCBhZGRiciBi cjANCiAgICAgICAgICAgICAgICAvdXNyL2xvY2FsL2Jpbi9icmN0bCBhZGRpZiBicjAgZXRoMA0K ICAgICAgICAgICAgICAgIC91c3IvbG9jYWwvYmluL2JyY3RsIGFkZGlmIGJyMCBldGgxDQogICAg ICAgIC91c3IvbG9jYWwvYmluL2JyY3RsIHN0cCBicjAgb2ZmDQogICAgICAgIC9zYmluL2lmY29u ZmlnIGJyMCB1cA0KICAgICAgICAjTkFJTElORyBVUCBJTlRFUkZBQ0VTIEFUIDEwMEZVTEwNCiAg ICAgICAgIGVjaG8gbmFpbGluZyB1cCBpbnRlcmZhY2VzIGF0IDEwMEZVTEwNCiAgICAgICAgIC9z YmluL21paS10b29sIGV0aDAgLUYgMTAwYmFzZVR4LUZEDQogICAgICAgICAgICAgICAgL3NiaW4v bWlpLXRvb2wgZXRoMSAtRiAxMDBiYXNlVHgtRkQNCiAgICAgICAgc2xlZXAgMw0KICAgICAgICBl Y2hvDQogICAgICAgIDs7DQogICBzdG9wKQ0KICAgICAgICBlY2hvIC1uICJTdG9wcGluZyBJUFMg U1RVRkY6ICgiDQogICAgICAgIC91c3IvbG9jYWwvYmluL2JyY3RsIGRlbGlmIGJyMCBldGgwDQog ICAgICAgIC91c3IvbG9jYWwvYmluL2JyY3RsIGRlbGlmIGJyMCBldGgxDQogICAgICAgIC9zYmlu L2lmY29uZmlnIGJyMCBkb3duDQogICAgICAgIC91c3IvbG9jYWwvYmluL2JyY3RsIGRlbGJyIGJy MA0KICAgICAgICAgZWNobw0KICAgICAgICA7Ow0KcmVzdGFydCkNCiAgICAgICAgJDAgc3RvcA0K ICAgICAgICAkMCBzdGFydA0KICAgICAgICA7Ow0KIHN0YXR1cykNCiAgICAgICAgc3RhdHVzIGJy aWRnZQ0KICAgICAgICA7Ow0KICAgKikNCiAgICAgICAgZWNobyAiVXNhZ2U6ICQwIHtzdGFydHxz dG9wfHJlc3RhcnR8c3RhdHVzfSINCiAgICAgICAgZXhpdCAxDQplc2FjDQoNCmV4aXQgMA0KDQpU aGlzIGlzIHdoYXQgSSB1c2UgaW4gaXB0YWJsZXMgZm9yIHB1cmUgSVBTIGluYm91bmQvb3V0Ym91 bmQgSVBTDQoNCmlwdGFibGVzIC1BIEZPUldBUkQgLWogUVVFVUUNCmlwdGFibGVzIC1BIElOUFVU IC1qIERST1ANCg0KSWYgeW91IG9ubHkgd2FudCB0byBhbGxvdyB0cmFmZmljIHRvIGFuZCBmcm9t IGEgY2VydGlhbiBpcCB5b3Ugd291bGQgZG8gDQpzb21ldGhpbmcgbGlrZSB0aGlzIGxldHMgc2F5 IHRoYXQgeW91ciBjb21wdXRlciBoYXMgYW4gaXAgb2YgMTkyLjE2OC4xLjENCmluc21vZCBpcHRf c3RhdGUNCg0KaXB0YWJsZXMgLUEgRk9SV0FSRCAtbSBzdGF0ZSAtLXN0YXRlIElOVkFMSUQgLWog RFJPUA0KaXB0YWJsZXMgLUEgRk9SV0FSRCAtcyAxOTIuMTY4LjEuMSAtZCAwLjAuMC4wLzAgLW0g c3RhdGUgLS1zdGF0ZSBORVcgLWogDQpRVUVVRQ0KaXB0YWJsZXMgLUEgRk9SV0FSRCAtcCB0Y3Ag LW0gc3RhdGUgLS1zdGF0ZSBSRUxBVEVELEVTVEFCTElTSEVEIC1qIFFVRVVFDQppcHRhYmxlcyAt QSBGT1JXQVJEIC1qIERST1ANCmlwdGFibGVzIC1BIElOUFVUIC1qIERST1ANCg0KT3IgeW91IGhh dmUgYSBjbGFzcyBjIG5ldHdvcmsgeW91IHdvdWxkIGRvIHNvbWV0aGluZyBsaWtlIA0KDQppcHRh YmxlcyAtQSBGT1JXQVJEIC1tIHN0YXRlIC0tc3RhdGUgSU5WQUxJRCAtaiBEUk9QDQppcHRhYmxl cyAtQSBGT1JXQVJEIC1zIDE5Mi4xNjguMS4wLzI0IC1kIDAuMC4wLjAvMCAtbSBzdGF0ZSAtLXN0 YXRlIE5FVyAtaiANClFVRVVFDQppcHRhYmxlcyAtQSBGT1JXQVJEIC1wIHRjcCAtbSBzdGF0ZSAt LXN0YXRlIFJFTEFURUQsRVNUQUJMSVNIRUQgLWogUVVFVUUNCmlwdGFibGVzIC1BIEZPUldBUkQg LWogRFJPUA0KaXB0YWJsZXMgLUEgSU5QVVQgLWogRFJPUA0KDQpJZiB0aGUgZGhjcCBzZXJ2ZXIg Zm9yIHlvdXIgbmV0IGlzIG9uIHRoZSBvdGhlciBzaWRlIG9mIHRoZSBicmlkZ2UgDQpjb25udHJh Y2sgaGFzIHByb2JsZW1zIHdpdGggYm9vdHAvZGhjcCBzbyBhZGQgdGhlIGZvbGxvd2luZyBydWxl cy4NCg0KaXB0YWJsZXMgLUEgRk9SV0FSRCAtcCB1ZHAgLS1kcG9ydCA2NyAtaiBBQ0NFUFQNCmlw dGFibGVzIC1BIEZPUldBUkQgLXAgdWRwIC0tZHBvcnQgNjggLWogQUNDRVBUDQppcHRhYmxlcyAt QSBGT1JXQVJEIC1wIHVkcCAtLXNwb3J0IDY3IC1qIEFDQ0VQVA0KaXB0YWJsZXMgLUEgRk9SV0FS RCAtcCB1ZHAgLS1zcG9ydCA2OCAtaiBBQ0NFUFQNCg0KDQoNCiJLYXJsIC4iIDxrZmJkZXZyeUBo b3RtYWlsLmNvbT4gDQowMi8yMC8yMDA0IDAzOjU5IFBNDQoNClRvDQpXaWxsaWFtX01ldGNhbGZA a2Ntby5vcmcNCmNjDQoNClN1YmplY3QNCnJjLmZpcmV3YWxsIHNjcmlwdCBlZGl0aW5nIC0gRm9s bG93LXVwIHRvIHBvc3QgbGFzdCBtb250aA0KDQoNCg0KDQoNCg0KV2lsbGlhbSwNCiANCkkgc2F3 IHlvdXIgcG9zdDoNCiANCmh0dHA6Ly8yMTYuMjM5LjM5LjEwNC9zZWFyY2g/cT1jYWNoZTpxb01L UnNoOXlxb0o6c291cmNlZm9yZ2UubmV0L21haWxhcmNoaXZlL2ZvcnVtLnBocCUzRnRocmVhZF9p ZCUzRDM3NjgzNjclMjZmb3J1bV9pZCUzRDMyOTMzK3JjLmZpcmV3YWxsK1JvYitNY01pbGxlbiZo bD1lbiZpZT1VVEYtOA0KIA0KcmVnYXJkaW5nIGEgInNpbXBsZSIgdmVyc2lvbiBvZiB0aGUgcmMu ZmlyZXdhbGwgc2NyaXB0IGJ5IFJvYk1jTWlsbGVuLiAgSSANCndhbnRlZCB0byBkbyB0aGUgZXhh Y3Qgc2FtZSB0aGluZyBidXQgSSdtIG5vdCBzdXJlIHdoYXQgdG8gcHV0IGluIHRoZSANClBVQkxJ Q19JUCBhbmQgSU5FVF9JRkFDRSB2YXJpYWJsZXMgc2luY2UgSSdtIG5vdCBydW5uaW5nIGEgSG9u ZXlwb3QuICBNeSANCmZpcmV3YWxsIGhhcyBhbGwgdGhlIHB1YmxpYyBhbmQgcHJpdmF0ZSBhZGRy ZXNzZXMsIG5vdCB0aGlzIGJveCwgcmlnaHQ/DQogDQpDb3VsZCB5b3UgcG9zc2libHkgaGVscCBt ZSBvbiB0aGlzPyAgSSdtIHNpbXBseSB3YW50IHRvIHVzZSB0aGlzIGJveCBhcyBhIA0KU3RlYWx0 aCBCcmlkZ2UgYmVoaW5kIG15IERTTCBtb2RlbSB0byBwcmV2ZW50IGF0dGFja3Mgb24gbXkgc2Vy dmVycy4NCiANCkFueSBoZWxwIGlzIGFwcHJlY2lhdGVkLg0KIA0KVGhhbmtzDQogDQpLYXJsDQoN ClNheSDigJxnb29kLWJ5ZeKAnSB0byBzcGFtLCB2aXJ1c2VzIGFuZCBwb3AtdXBzIHdpdGggTVNO IFByZW1pdW0gLS0gZnJlZSB0cmlhbCANCm9mZmVyISANCg0K |
|
From: Karl B. <Ka...@my...> - 2004-02-18 20:55:34
|
Hello Everyone, =20 I am trying to use snort-inline and the rc.firewall script to protect my internal network (servers on a DMZ and LAN) . I need it to be in bridge mode without IPs (stealth?). I'm not sure how to change the configuration for this type of setup. I'm not trying to run a honeypot at this time. Does anyone have any idea on how to do this? =20 =20 Thanks =20 Karl =20 =20 =20 |
|
From: Cory S. <CS...@St...> - 2004-02-18 17:36:07
|
On Thu, 2004-02-05 at 15:04, Josh Berry wrote: > Does anyone know of a vendor that produces network bypass cards (not sure > if this is the right way to say it). What I mean is the kind of card that > Netscreen uses to have some sort of network redundancy. The card has two > ports, in and out to the Netscreen IDP and in and out to the regular > network (bypassing the Netscreen IDP), the card automagically redirects > network traffic through the in/out portion that bypassess the IDP in the > event of a failure of one of the NICS or the power to the Netscreen IDP. > > I am trying to use Snort-Inline at my company and this is a requirement, > otherwise I have to buy from one of these vendors. > > > ------------------------------------------------------- > The SF.Net email is sponsored by EclipseCon 2004 > Premiere Conference on Open Tools Development and Integration > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. > http://www.eclipsecon.org/osdn > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users Hi Josh: I do not know if this is what you want but Shoremicro has a bypass card that is used to bypass an inline device. It has three modes of operation that can be controlled through a serial port for soft failures and automatic failure for things like link failure. They have an external and an internal unit that uses the PCI bus for power only. http://www.shoremicro.com/html/sm-2400.shtml Thanks, -- Cory Stoker Security Engineer StillSecure 303.381.3842 Direct 303.381.3881 Fax www.stillsecure.com Reducing your risk has never been this easy. . . . The information transmitted is intended only for the person to which it is addressed and may contain confidential material. Review or other use of this information by persons other than the intended recipient is prohibited. If you've received this in error, please contact the sender and del |
|
From: Rob M. <rv...@ca...> - 2004-02-09 22:55:32
|
What method are you using to feed snort_inline the packets? Is there a script or firewall rule you are using? Rob |
|
From: Rob M. <rv...@ca...> - 2004-02-06 22:50:51
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 libnet 1.0.x is required. Rob On Fri, 6 Feb 2004, Rick S. wrote: > Is libnet 1.0.x required? or can libnet 1.1.x be used? > I have 1.1.1 installed but snort_inline-2.1.0a cant find it. > > Rick S. > > > ------------------------------------------------------- > The SF.Net email is sponsored by EclipseCon 2004 > Premiere Conference on Open Tools Development and Integration > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. > http://www.eclipsecon.org/osdn > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > > -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Made with pgp4pine 1.76 iQA/AwUBQCQW4fnAyY+9KLjdEQJcswCgznwbSORZ/EmtHCe1OqmgW7Jm6ysAmwZ4 MyPOVrgIpsT1f1KORASIstKe =Jw+D -----END PGP SIGNATURE----- |
|
From: unor <uno...@ya...> - 2004-02-06 20:42:09
|
Running snort_inline on a box with 3 NICS: 2 NICs are bridged for IPS functionality 1 NIC for OOB management I'm still learning IPTables and have a question about the QUEUE statement in this setup. I wanted to be as explicit as possible witht the QUEUE statement thinking that traffic might be inadvertently "FORWARDed" to/from the management interface if I simply use: iptables -A FORWARD -j QUEUE I'm testing with the following: iptables -P FORWARD DROP #Default to DROP iptables -A FORWARD -i $BR_IF -o $BR_IF -j QUEUE #$BR_IF is the "virtual" bridge interface It works but I have doubts that this is the "correct" way. Can anyone either confirm this is ok or suggest a better way? BTW: this doesnt seem to work: iptables -A FORWARD -i $BR_IF0 -o $BR_IF1 -j QUEUE iptables -A FORWARD -i $BR_IF1 -o $BR_IF0 -j QUEUE #$BR_IF0 and BR_IF1 are the interfaces that make up the bridge Thanks. Earl __________________________________ Do you Yahoo!? Yahoo! Finance: Get your refund fast by filing online. http://taxes.yahoo.com/filing.html |
|
From: brad <br...@tn...> - 2004-02-06 17:20:18
|
You may like this card http://www.etinc.com/index.php?page=ethernet_bypass.htm I have used thier bandwidth management software and it works very well at about 25mbps in an ISP environment. Brad On Fri, 6 Feb 2004, Pieter Claassen wrote: > Hi Josh, > > You can also use STP on the two switches (managed) on both sides of your > IPS. Just connect one port on each switch with a ethernet cable and tell > the switches to see those ports as a low (high cost, I can't remember > the detail). If the path through your IPS fails then it will switch to > the redundant path. > > Pieter > On Thu, 2004-02-05 at 22:04, Josh Berry wrote: > > Does anyone know of a vendor that produces network bypass cards (not sure > > if this is the right way to say it). What I mean is the kind of card that > > Netscreen uses to have some sort of network redundancy. The card has two > > ports, in and out to the Netscreen IDP and in and out to the regular > > network (bypassing the Netscreen IDP), the card automagically redirects > > network traffic through the in/out portion that bypassess the IDP in the > > event of a failure of one of the NICS or the power to the Netscreen IDP. > > > > I am trying to use Snort-Inline at my company and this is a requirement, > > otherwise I have to buy from one of these vendors. > > > > > > ------------------------------------------------------- > > The SF.Net email is sponsored by EclipseCon 2004 > > Premiere Conference on Open Tools Development and Integration > > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. > > http://www.eclipsecon.org/osdn > > _______________________________________________ > > Snort-inline-users mailing list > > Sno...@li... > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > -- > ----------------------------- > Pieter Claassen > pi...@op... > http://www.openauth.co.uk > > OpenAuth > Tel: 01344 390530 > DDI: 01344 390630/390631 > Fax number: 01344 390700 > Mobile: 0776 665 6924 > > Highview House > Charles Square > Bracknell > Berkshire > RG12 1DF > > TERMS AND CONDITIONS > (i)The information contained in this email and attachments is only > intended for the addressed recipient(s) and may not be distributed or > viewed by any other party without the explicit consent of the sender. If > you have received this message by accident, please contact Pieter > Claassen (pi...@op...) and destroy any electronic or physical > copies of the information contained in it, immediately. > (ii)This email is not certified to be virus free and OpenAuth accepts no > liability for losses arising from you receiving this email. > (iii)Any digital signatures (if present) used to authenticate this > email, only serves to allow you to verify the originating email address > of the sender and should not be relied upon to prove identity or base > financial transactions on, unless the Certificate Practice Statement > that the signature references, explicitly states differently. > (iv)This email may be subjected to further terms and conditions as > published on the company website at http://www.openauth.co.uk. If you > need to rely on the information contained in this email in any way, then > you should read those terms and conditions to understand how much you > can trust the information in this email. > (v)OpenAuth retains the copyright on any relevant material that is > included in this email. > > > > ------------------------------------------------------- > The SF.Net email is sponsored by EclipseCon 2004 > Premiere Conference on Open Tools Development and Integration > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. > http://www.eclipsecon.org/osdn > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > > |
|
From: Rick S. <rsh...@mi...> - 2004-02-06 17:19:30
|
Is libnet 1.0.x required? or can libnet 1.1.x be used? I have 1.1.1 installed but snort_inline-2.1.0a cant find it. Rick S. |
|
From: Pieter C. <pie...@co...> - 2004-02-06 17:14:26
|
Hi Josh, You can also use STP on the two switches (managed) on both sides of your IPS. Just connect one port on each switch with a ethernet cable and tell the switches to see those ports as a low (high cost, I can't remember the detail). If the path through your IPS fails then it will switch to the redundant path. Pieter On Thu, 2004-02-05 at 22:04, Josh Berry wrote: > Does anyone know of a vendor that produces network bypass cards (not sure > if this is the right way to say it). What I mean is the kind of card that > Netscreen uses to have some sort of network redundancy. The card has two > ports, in and out to the Netscreen IDP and in and out to the regular > network (bypassing the Netscreen IDP), the card automagically redirects > network traffic through the in/out portion that bypassess the IDP in the > event of a failure of one of the NICS or the power to the Netscreen IDP. > > I am trying to use Snort-Inline at my company and this is a requirement, > otherwise I have to buy from one of these vendors. > > > ------------------------------------------------------- > The SF.Net email is sponsored by EclipseCon 2004 > Premiere Conference on Open Tools Development and Integration > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. > http://www.eclipsecon.org/osdn > _______________________________________________ > Snort-inline-users mailing list > Sno...@li... > https://lists.sourceforge.net/lists/listinfo/snort-inline-users -- ----------------------------- Pieter Claassen pi...@op... http://www.openauth.co.uk OpenAuth Tel: 01344 390530 DDI: 01344 390630/390631 Fax number: 01344 390700 Mobile: 0776 665 6924 Highview House Charles Square Bracknell Berkshire RG12 1DF TERMS AND CONDITIONS (i)The information contained in this email and attachments is only intended for the addressed recipient(s) and may not be distributed or viewed by any other party without the explicit consent of the sender. If you have received this message by accident, please contact Pieter Claassen (pi...@op...) and destroy any electronic or physical copies of the information contained in it, immediately. (ii)This email is not certified to be virus free and OpenAuth accepts no liability for losses arising from you receiving this email. (iii)Any digital signatures (if present) used to authenticate this email, only serves to allow you to verify the originating email address of the sender and should not be relied upon to prove identity or base financial transactions on, unless the Certificate Practice Statement that the signature references, explicitly states differently. (iv)This email may be subjected to further terms and conditions as published on the company website at http://www.openauth.co.uk. If you need to rely on the information contained in this email in any way, then you should read those terms and conditions to understand how much you can trust the information in this email. (v)OpenAuth retains the copyright on any relevant material that is included in this email. |
|
From: Josh B. <jos...@li...> - 2004-02-05 21:57:02
|
Does anyone know of a vendor that produces network bypass cards (not sure if this is the right way to say it). What I mean is the kind of card that Netscreen uses to have some sort of network redundancy. The card has two ports, in and out to the Netscreen IDP and in and out to the regular network (bypassing the Netscreen IDP), the card automagically redirects network traffic through the in/out portion that bypassess the IDP in the event of a failure of one of the NICS or the power to the Netscreen IDP. I am trying to use Snort-Inline at my company and this is a requirement, otherwise I have to buy from one of these vendors. |
|
From: Teolupus <teo...@sp...> - 2004-02-02 21:36:38
|
Rob, I think you're not receiving my mails when I send them direct to you. = Please try to reach me at teo...@sp... I can help you with React. Had a lot of experience in development of a = similar system. Have Fun. Teolupus |
|
From: <Wil...@kc...> - 2004-01-30 17:13:53
|
Actually somebody else posted the correct syntax for the iptables rules
all you need is
iptables -A FORWARD -j QUEUE
Regards,
Will
unor <uno...@ya...>
Sent by: sno...@li...
01/30/2004 11:03 AM
To: Rob McMillen <rv...@ca...>,
sno...@li...
cc:
Subject: Re: [Snort-inline-users] simple rc.firewall
Yes.
Here are the basic requirements I have set:
Able to actively stop "malicious" traffic
Rich ruleset
Management via ssh
Quickly deployable
Inline, no routing (no network changes)
Undecided on fail open or closed... I prefer to have a
choice
free
Basic operation: Completely open Bridge_FW with
Snort_inline making dicisions on what to drop. This
is not being designed as a long term solution... more
like an "If all else fails" backup to have on hand for
temporary situations if they arise.
A potential deployment scenario would be to have these
running (or ready to go) at various choke points with
an "empty ruleset" until the next
"Insert_Malicious_Activity" happens. Quickly craft a
rule (assuming it is possible) and deploy it to
provide protection until (Insert_Vendor) updates a
signature or whatever.
I'm sure there are a million other ways to do this and
I'm not by any means claiming to have a "New" or
"Better" idea... The technology is free, runs on cheap
hardware and it seems to work. I have not done any
load testing (yet) and have heard that there is a
performance hit with respect to the trip down to user
space which is why I plan on starting out with a
solution that is more of a single perpose temporary
fix for when nothing else works.
For now, I only have what Will suggested earlier...
IPTABLES -A FORWARD -j QUEUE
IPTABLES -A FORWARD -j ACCEPT
I believe this is all I need for now because this is
not meant to be a firewall... it's a purpose built
IPS. I'll barrow some of the iptable stuff from
rc.firewall (and learn more myself) to help lock down
the management interface when I get there.
I feel that snort_inline fits well. I have something
working (more or less) but am open to input if you
have suggestions.
Thanks for participating.
The sorceforge page looks great... Clean and to the
point. I don't know C and hate HTML but I can script
a bit and can write reasonably well provided a spell
checker is available <grin>. Let me know if I can
help.
Earl Sammons
--- Rob McMillen <rv...@ca...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is your intent to let all traffic flow via
> snort_inline? Both outbound
> and inbound?
>
> Rob
>
> On Fri, 23 Jan 2004, unor wrote:
>
> > I'm looking for a "simple" version of the infamous
> > rc.firewall from the honeynet project.
> >
> > I want to do a bridged inline IPS with with
> > snort_inline and therefore don't need the outbound
> > blocking / rate limiting and other various parts
> of
> > the existing rc.firewall script. Is there
> anything
> > like this out there?
> >
> > I'm trying to hack up a version of rc.firewall
> myself
> > but... If I get it working I'll post it.
> >
> > Earl
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! SiteBuilder - Free web site building tool.
> Try it!
> > http://webhosting.yahoo.com/ps/sb/
> >
> >
> >
>
-------------------------------------------------------
> > The SF.Net email is sponsored by EclipseCon 2004
> > Premiere Conference on Open Tools Development and
> Integration
> > See the breadth of Eclipse activity. February 3-5
> in Anaheim, CA.
> > http://www.eclipsecon.org/osdn
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> >
>
https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.76
>
>
iQA/AwUBQBGelvnAyY+9KLjdEQKedwCgvWx0ZOgZ3dgEyh+48f8yMtPEtiQAoP1b
> skuc76JsfD/7DO36276ScqkC
> =3BUx
> -----END PGP SIGNATURE-----
>
>
>
>
>
-------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and
> Integration
> See the breadth of Eclipse activity. February 3-5 in
> Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
>
https://lists.sourceforge.net/lists/listinfo/snort-inline-users
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/
-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-inline-users mailing list
Sno...@li...
https://lists.sourceforge.net/lists/listinfo/snort-inline-users
|
133 messages has been excluded from this view by a project administrator.
