
[Snort-users] Re: Catchall rule


njharris

Feb 6, 2003, 1:44:26 AM
I use one rule "alert ip any any -> any any" to log all packets to a mysql
database. I would prefer to use tcpdump, but if it is on a Windows system,
windump doesn't seem to log to a database.

Good Luck
Nick Harris
TNS Consulting

----- Original Message -----
From: <snort-use...@lists.sourceforge.net>
To: <snort...@lists.sourceforge.net>
Sent: Wednesday, February 05, 2003 10:32 PM
Subject: Snort-users digest, Vol 1 #2759 - 6 msgs


> Send Snort-users mailing list submissions to
> snort...@lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/snort-users
> or, via email, send a message with subject or body 'help' to
> snort-use...@lists.sourceforge.net
>
> You can reach the person managing the list at
> snort-us...@lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-users digest..."
>
>
> Today's Topics:
>
> 1. Re: Snort-users digest, Vol 1 #2758 - 10 msgs (Kenton Smith)
> 2. RE: MySql and Snort (L. Christopher Luther)
> 3. Starting and Stopping Snort feeding Mysql (James M. Driskell)
> 4. Catchall Rule (John Cherbini)
> 5. RE: Catchall Rule (John Cherbini)
> 6. Re: Catchall Rule (twig les)
>
> --__--__--
>
> Message: 1
> From: Kenton Smith <ksm...@chartwelltechnology.com>
> To: snort...@lists.sourceforge.net
> Cc: den...@northshoreagency.com
> Organization: Chartwell Technology Inc.
> Date: 05 Feb 2003 16:37:00 -0700
> Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2758 - 10 msgs
>
> The confusing part about these messages is in the source and destination
> addresses. The source of the message is the equipment sending back the
> Unreachable message. The Destination is the machine that would have
> originally sent the ICMP packet. So in this case the machines to look at
> are the ones shown as destination by the Snort alert (in your case, if I
> understand correctly, your web server and Snort sensor).
>
> I think you should investigate this closely and here's why:
>
> Script kiddie crafts malicious (or other) packets using *your* Web
> Server's IP address. *He* spews the packets out and some of them hit
> equipment that sends back the Unreachable message. *He's* not going to
> get the return traffic; you are because he used *your* IP address in the
> packet. Therefore if you can't find any evidence of your machines
> sending out ICMP packets to the address listed as Source by Snort, you
> may want to consider the fact that someone is spoofing your address.
>
> Just my $0.02
>
> Kenton Smith
>
> On Wed, 2003-02-05 at 16:09, den...@northshoreagency.com wrote:
>
> > I have received over 7000 "ICMP Destination Unreachable (Communication
> > Administratively Prohibited)" alerts in the last 6 days. I look on
> > snort.org for info about this alert, but I'm still unsure if this is
> > something I need to worry about, and if not how can I remove this alert?
> >
> > I'm running snort on an MS Windows 200 Server.
> >
> >
> > Thanks,
> >
> > Dennis Gorman
> > Network Manager
> > North Shore Agency
>
> --__--__--
>
> Message: 2
> From: "L. Christopher Luther" <CLu...@Xybernaut.com>
> To: 'Cilin' <cil...@yahoo.com>
> Cc: "Snort-Users (E-mail)" <snort...@lists.sourceforge.net>
> Date: Wed, 5 Feb 2003 19:48:35 -0500
> Subject: [Snort-users] RE: MySql and Snort
>
>
> Cilin,
>
> Please post additional information so that we can better help you. For
> example:
>
> o The Snort command line you use when not sniffing (i.e., the '-v' puts
> Snort in sniffer mode, not in packet logger mode).
>
> o Output plugins in snort.conf
>
> o etc.
>
>
> Regards,
>
> Christopher
>
>
> -----Original Message-----
> Date: Wed, 5 Feb 2003 14:51:32 -0800 (PST)
> From: Cilin <cil...@yahoo.com>
> To: snort...@lists.sourceforge.net
> Subject: [Snort-users] MySql and Snort
>
> Hi, I am newbie to snort and also have the problem of
> Snort not logging into the MySql database. I did the
> following steps, as recommended in one of the earlier
> emails but nothing helped.
>
> 1. Created the database snort in MySQL with
> appropriate permissions for users and hosts.
> 2. Ran the script contrib/create_mysql in the snort
> source code against the database as a user with the
> correct permissions.
> 3. Uncommented and supplied user, password, database
> and host for the output database line for mysql in the
> snort.conf file.
> 4. Restarted Snort.
>
> ...and still nothing.
> Snort does log the scans (scan.log gets updated every
> time I run a scan over the network).
> However, I haven't gotten a single error yet.
> (alert.ids is 0Kb)
>
> When I run snort from the command line via
> "snort -v -i 1" I get:
>
> 0 dropped packages
>
> Action stats:
> Alerts: 0
> Logs : 0
> Passed: 0
>
> Wireless Stats, Fragmentation Stats, TCP Stream
> Reassembly stats have ONLY '0's.
>
> Please help, I have searched the internet and the
> forums for any clues for the past 2 weeks but didn't
> find anything.
>
>
>
> --__--__--
>
> Message: 3
> From: "James M. Driskell" <jdri...@ups.edu>
> To: <snort...@lists.sourceforge.net>
> Date: Wed, 5 Feb 2003 17:08:17 -0800
> Subject: [Snort-users] Starting and Stopping Snort feeding Mysql
>
>
> Hello,
>
> I'm running 2 snort sensors feeding a mysql database on another box. I
> get the following errors periodically from either box:
>
> Feb 5 14:31:40 snort1 snort: database: mysql_error: Duplicate entry
> '3-4958' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
> VALUES ('3', '4958', '5', '2003-02-05 14:31:40-08')
>
> Feb 5 14:31:50 snort1 snort: database: mysql_error: Duplicate entry
> '3-4959' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
> VALUES ('3', '4959', '5', '2003-02-05 14:31:50-08')
>
> I can clear the problem by stopping and restarting the offending snort
> box, but I'd rather fix the problem. I also note that I get an unknown
> sensor when I restart snort.
>
> I've had to stop and start snort daily because the local alert and
> scan.logs tend to run me out of disk space on the snort boxes. I guess
> I need to invest in new hd's, but until then, can anyone help me fix this
> problem?
>
> Thanks,
>
> Jim Driskell
> University of Puget Sound
>
>
>
>
>
> --__--__--
>
> Message: 4
> From: "John Cherbini" <cher...@dakotacom.net>
> To: "'Snort User Groups'" <snort...@lists.sourceforge.net>
> Date: Wed, 5 Feb 2003 20:39:35 -0700
> Subject: [Snort-users] Catchall Rule
>
>
> Hello everyone...
>
> We're working on a project, where as a part of it, we would like to use
> snort to add *every* packet it reads in a file to the DB.
>
> I've got the command line down, but I'd like to check on a rule that
> will set *every* packet to generate a flag.
>
> After looking through this doc..
>
> http://www.snort.org/docs/writing_rules/chap2.html
>
> I'm thinking something like this:
>
> Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
>
> My concern is the third "any"...not sure if that will work.
>
> Does anyone have any input on this?
>
> I'd appreciate any advice!
>
> Thanks!
>
> John Cherbini
>
>
>
>
> --__--__--
>
> Message: 5
> From: "John Cherbini" <cher...@dakotacom.net>
> To: "'Snort User Groups'" <snort...@lists.sourceforge.net>
> Subject: RE: [Snort-users] Catchall Rule
> Date: Wed, 5 Feb 2003 21:28:35 -0700
>
>
> We wanted to have them all logged into a DB, and most importantly,
> parsed! And we didn't feel like writing our own parser.
>
> I've got it figured out though......with these rules
>
> ######CATCHALL RULES########
> alert tcp any any -> any any (msg:"tcp traffic";)
> alert udp any any -> any any (msg:"udp traffic";)
> alert icmp any any -> any any (msg:"icmp traffic";)
> ############################
>
> John C.
>
> > -----Original Message-----
> > From: Jacob Redding [mailto:dex...@WiredGeek.com]
> > Sent: Wednesday, February 05, 2003 9:18 PM
> > To: John Cherbini
> > Cc: 'Snort User Groups'
> > Subject: Re: [Snort-users] Catchall Rule
> >
> >
> > Why not just use tcpdump??
> >
> > -Jacob
> >
> > On Wed, 5 Feb 2003, John Cherbini wrote:
> >
> > > Hello everyone...
> > >
> > > We're working on a project, where as a part of it, we would like to
> > > use snort to add *every* packet it reads in a file to the DB.
> > >
> > > I've got the command line down, but I'd like to check on a
> > rule that
> > > will set *every* packet to generate a flag.
> > >
> > > After looking through this doc..
> > >
> > > http://www.snort.org/docs/writing_rules/chap2.html
> > >
> > > I'm thinking something like this:
> > >
> > > Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> > > Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> > > Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> > >
> > > My concern is the third "any"...not sure if that will work.
> > >
> > > Does anyone have any input on this?
> > >
> > > I'd appreciate any advice!
> > >
> > > Thanks!
> > >
> > > John Cherbini
> > >
> >
>
>
>
>
>
>
> --__--__--
>
> Message: 6
> Date: Wed, 5 Feb 2003 20:31:52 -0800 (PST)
> From: twig les <twi...@yahoo.com>
> Subject: Re: [Snort-users] Catchall Rule
> To: John Cherbini <cher...@dakotacom.net>,
> 'Snort User Groups' <snort...@lists.sourceforge.net>
>
> Well if I break out my dusty TCP/IP skills it seems that those three rules
> would miss any packets that have TCP options since the 5 in |45 00| equates
> to a 20-byte header. But since I've had a string of stupid mistakes in the
> last week anyone can correct me. :)
>
> What I'm wondering even more though is why you don't just write a rule
> based on IP instead of the 3 protocols that are embedded in IP. Of course
> curiosity forces me to ask why you are using snort to cram everything into
> a database too.
>
> --- John Cherbini <cher...@dakotacom.net> wrote:
> > Hello everyone...
> >
> > We're working on a project, where as a part of it, we would like to use
> > snort to add *every* packet it reads in a file to the DB.
> >
> > I've got the command line down, but I'd like to check on a rule that
> > will set *every* packet to generate a flag.
> >
> > After looking through this doc..
> >
> > http://www.snort.org/docs/writing_rules/chap2.html
> >
> > I'm thinking something like this:
> >
> > Alert tcp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> > Alert udp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> > Alert icmp any any -> any (content:"|45 00|"; msg: "Catchall Rule";)
> >
> > My concern is the third "any"...not sure if that will work.
> >
> > Does anyone have any input on this?
> >
> > I'd appreciate any advice!
> >
> > Thanks!
> >
> > John Cherbini
> >
>
>
> =====
> -----------------------------------------------------------
> Know yourself and know your enemy and you will never fear defeat.
> -----------------------------------------------------------
>
>
>
>
> --__--__--
>
> End of Snort-users Digest
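twig les's point about the 5 in |45 00| and Kenton Smith's reading of which end of an ICMP Unreachable alert to investigate, worked through together as an added Python example that is not code from the thread or from Snort. The packets, the RFC 5737 test addresses and the filtering router at 198.51.100.1 are constructed for the example, with checksums left at zero.

```python
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13   # "Communication Administratively Prohibited"
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

@dataclass
class IPv4Header:
    ihl: int            # header length in 32-bit words; 5 means no options
    tos: int            # TOS/DSCP byte, the "00" in |45 00|
    protocol: int
    src: str
    dst: str
    options: bytes

def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header plus any options after it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, tos, _tl, _id, _fo, _ttl, proto, _ck, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    return IPv4Header(ihl, tos, proto, socket.inet_ntoa(src),
                      socket.inet_ntoa(dst), pkt[20:ihl * 4])

def content_45_00_matches(pkt: bytes) -> bool:
    """The byte test behind the posted rules.  Byte 0 is version<<4 | IHL, so
    0x45 fits only option-less headers (options give 0x46..0x4F); byte 1 is
    TOS, so DSCP-marked packets fail too.  Snort's content keyword actually
    searches the payload, not the IP header, which weakens the rule further."""
    return pkt[:2] == b"\x45\x00"

def ip_rule_matches(pkt: bytes) -> bool:
    """What 'alert ip any any -> any any' keys on: any decodable IPv4 packet."""
    try:
        parse_ipv4(pkt)
        return True
    except ValueError:
        return False

@dataclass
class UnreachableReport:
    reporter: str          # outer src: device that sent the ICMP (Snort "source")
    claimed_sender: str    # outer dst: host the dropped packet claimed to be from
    code: int
    original_dst: str      # where the quoted datagram was headed
    original_proto: int
    original_dport: "int | None"

def parse_icmp_unreachable(pkt: bytes) -> UnreachableReport:
    """Extract the quoted original header from an ICMP type 3 message; the
    host to audit for that traffic is claimed_sender, not reporter."""
    outer = parse_ipv4(pkt)
    if outer.protocol != PROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = pkt[outer.ihl * 4:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not an ICMP Destination Unreachable")
    inner = parse_ipv4(icmp[8:])        # RFC 792: original header + 8 bytes
    quoted = icmp[8 + inner.ihl * 4:]
    dport = None
    if inner.protocol in (PROTO_TCP, PROTO_UDP) and len(quoted) >= 4:
        dport = struct.unpack("!H", quoted[2:4])[0]
    return UnreachableReport(outer.src, outer.dst, icmp[1], inner.dst,
                             inner.protocol, dport)

# Constructed sample packets (RFC 5737 test addresses, checksums left zero).
def build_ipv4(src, dst, proto, payload, tos=0, options=b"") -> bytes:
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos,
                      ihl * 4 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload

TCP_SYN = struct.pack("!HHIIBBHHH", 80, 12345, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
PLAIN = build_ipv4("203.0.113.10", "192.0.2.77", PROTO_TCP, TCP_SYN)
WITH_OPTS = build_ipv4("203.0.113.10", "192.0.2.77", PROTO_TCP, TCP_SYN,
                       options=b"\x01\x01\x01\x01")  # four NOP options -> 0x46
DSCP_EF = build_ipv4("203.0.113.10", "192.0.2.77", PROTO_TCP, TCP_SYN, tos=0xB8)
# A filtering router at 198.51.100.1 rejects PLAIN and reports that to the
# address PLAIN claimed to come from; Snort shows 198.51.100.1 -> 203.0.113.10.
UNREACH = build_ipv4("198.51.100.1", "203.0.113.10", PROTO_ICMP,
                     struct.pack("!BBHI", ICMP_DEST_UNREACH,
                                 ICMP_ADMIN_PROHIBITED, 0, 0) + PLAIN[:28])
```

parse_icmp_unreachable(UNREACH) names 198.51.100.1 as the reporter and 203.0.113.10 as the host to audit, which is the "destination" column of the Snort alert, exactly the reading Kenton describes.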

