Snort mailing list archives
Re: DPX starter kit output: No alert generated
From: Jianyu Li via Snort-users <snort-users () lists snort org>
Date: Fri, 19 Oct 2018 09:38:44 +0000
Hi Russ,
Thank you for providing the example patch! I will try to do the patch.
But when I try to use dpx to alert on UDP, there are still no alerts generated:
root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=53, max=128}; ips.enable_builtin_rules=true" --bpf "udp port 53" -r /tmp/dns-zone-transfer-ixfr.cap -A csv -q
Then I changed the "dpx={port=53, max=128}" to "dpx={port=53, max=20}" because I think the packet's payload size is
less than 128, so maybe I should set "max" to a lower value. But there is still no alert:
root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=53, max=20}; ips.enable_builtin_rules=true" --bpf "udp port 53" -r /tmp/dns-zone-transfer-ixfr.cap -A csv -q
The pcap file I used is:
root@ubuntu1:/home/ubuntu# tcpdump -vnr /tmp/dns-zone-transfer-ixfr.cap
reading from file /tmp/dns-zone-transfer-ixfr.cap, link-type EN10MB (Ethernet)
11:27:18.296576 IP (tos 0x0, ttl 128, id 245, offset 0, flags [none], proto UDP (17), length 115)
1.1.1.2.1028 > 1.1.1.1.53: 16384 [1n] IXFR? etas.com. (87)
11:27:18.297050 IP (tos 0x0, ttl 128, id 3537, offset 0, flags [none], proto UDP (17), length 243)
1.1.1.1.53 > 1.1.1.2.1028: 16384 5/0/0 etas.com. SOA training2003p. hostmaster. 4 60 600 86400 3600, etas.com. SOA
training2003p. hostmaster. 3 60 600 86400 3600, etas.com. SOA training2003p. hostmaster. 4 60 600 86400 3600,
index.etas.com. A 1.1.1.100, etas.com. SOA training2003p. hostmaster. 4 60 600 86400 3600 (215)
Do you have any idea about this problem?
Thanks,
Jianyu Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists
snort org>
Sent: 19 October 2018 03:10
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated
Hey Jianyu,
As written, the dpx example only alerts on UDP. If you want to alert on TCP, you will need to patch the code. Here is
a patch that changes to TCP. If you save that to file you can do this in snort3_extra:
$ patch -p 1 < dpx.diff
Hope that helps get you going.
Russ
diff --git a/src/inspectors/dpx/dpx.cc b/src/inspectors/dpx/dpx.cc
index c3a541b..843bcfa 100644
--- a/src/inspectors/dpx/dpx.cc
+++ b/src/inspectors/dpx/dpx.cc
@@ -70,7 +70,7 @@ void Dpx::show(SnortConfig*)
void Dpx::eval(Packet* p)
{
// precondition - what we registered for
- assert(p->is_udp());
+ assert(p->is_tcp());
if ( p->ptrs.dp == port && p->dsize > max )
DetectionEngine::queue_event(DPX_GID, DPX_SID);
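Review bot: the unchanged condition "p->dsize > max" in Dpx::eval still compares payload length, so once the precondition becomes is_tcp() any segment without payload (SYN, SYN-ACK, bare ACK) can never queue DPX_SID, whatever max is set to. A comment next to the condition saying that only data-bearing segments can match would save users from testing against a handshake-only capture. The precondition is also only an assert, so it is not checked in builds compiled with NDEBUG; if the protocol matters for correctness, an explicit early return would be safer than relying on the assert.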
@@ -180,7 +180,7 @@ static const InspectApi dpx_api
mod_dtor
},
IT_NETWORK,
- PROTO_BIT__UDP,
+ PROTO_BIT__TCP,
nullptr, // buffers
nullptr, // service
nullptr, // pinit
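Review bot: replacing PROTO_BIT__UDP with PROTO_BIT__TCP in dpx_api drops UDP instead of adding TCP, so the UDP example given earlier in the thread (--bpf "udp port 53") stops producing events once this is applied. This field and the assert in Dpx::eval have to change together; a comment on the PROTO_BIT line pointing at that assert would keep the two from drifting apart, and the patch description should state that it is a switch to TCP only.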
On 10/18/18 6:06 PM, Jianyu Li via Snort-users wrote:
Hi Russ,
I don't understand clearly, do you mean the dpx example provided by Snort3 can only alert on UDP packets? I changed the
bpf from UDP to TCP because I would like to alert on TCP packets. Do you know if there is any way I can do it?
Thanks,
Jianyu Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of
Russ via Snort-users <snort-users () lists snort org>
Sent: 18 October 2018 22:42
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated
Oops ... there's a copy/paste error. That bpf should be udp not tcp.
The Snort 3 example just alerts on a UDP packet on the configured port with a length above the configured limit.
On 10/18/18 3:37 PM, Jianyu Li via Snort-users wrote:
Hi Russ,
Thank you very much for your reply!
I tried the command you provided but there is no output:
root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp port 8" -r test.pcap -A csv -q
root@ubuntu1:/home/ubuntu#
The output without "-q" is as follows:
root@ubuntu1:/home/ubuntu# $my_path/bin/snort --plugin-path /root/snort-3.0.0/lib/ -c /root/snort-3.0.0/etc/snort/snort.lua --lua "dpx={port=8, max=128}; ips.enable_builtin_rules=true" --bpf "tcp port 8" -r test.pcap -A csv
--------------------------------------------------
o")~ Snort++ 3.0.0-247
--------------------------------------------------
Loading /root/snort-3.0.0/etc/snort/snort.lua:
ssh
pop
binder
stream_tcp
gtp_inspect
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
dce_smb
ips
modbus
rpc_decode
latency
wizard
appid
file_id
ftp_data
smtp
back_orifice
port_scan
dce_http_server
dce_tcp
telnet
ssl
sip
classifications
http2_inspect
http_inspect
stream_user
stream_ip
dnp3
ftp_client
stream
references
arp_spoof
dns
dce_udp
imap
stream_file
Finished /root/snort-3.0.0/etc/snort/snort.lua.
Loading builtin:
Finished builtin.
--------------------------------------------------
rule counts
total rules loaded: 471
builtin rules: 471
option chains: 471
chain headers: 1
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 471 0 0 0
total 471 0 0 0
Snort BPF option: tcp port 8
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] test.pcap
-- [0] test.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
pcaps: 1
received: 4
analyzed: 4
allow: 4
rx_bytes: 216
--------------------------------------------------
codec
total: 4 (100.000%)
eth: 4 (100.000%)
ipv4: 4 (100.000%)
tcp: 4 (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
analyzed: 4
--------------------------------------------------
appid
packets: 4
processed_packets: 2
ignored_packets: 2
total_sessions: 2
--------------------------------------------------
binder
packets: 2
inspects: 2
--------------------------------------------------
port_scan
packets: 4
--------------------------------------------------
stream_tcp
sessions: 2
max: 2
created: 2
released: 2
instantiated: 2
setups: 2
syn_ack_trackers: 2
syn_acks: 2
--------------------------------------------------
latency
total_packets: 4
total_usecs: 123
max_usecs: 67
--------------------------------------------------
stream
tcp_flows: 2
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
runtime: 00:00:00
seconds: 0.215936
packets: 4
pkts/sec: 4
o")~ Snort exiting
I didn't find any information about the dpx inspector in the output, do you think I need to enable it when configuring
snort?
I followed the github readme to install snort3.
https://github.com/snort3/snort3
The pcap file I used is:
root@ubuntu1:/home/ubuntu# tcpdump -vr test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40)
10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto TCP (6), length 40)
10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto TCP (6), length 40)
10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto TCP (6), length 40)
10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto TCP (6), length 40)
10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0
Thanks,
Jianyu Li
________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of
Russ via Snort-users <snort-users () lists snort org>
Sent: 17 October 2018 23:36
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated
Hi - if you want to give Snort 3 a try instead, here is an example:
$ src/snort --plugin-path install/lib -c install/etc/snort/snort.lua --lua "dpx = { port = 53, max = 128 }; ips.enable_builtin_rules = true" --bpf "udp port 53" -r test.pcap -A csv -q
10/17-18:40:25.535685, 1, UDP, raw, 157, C2S, 10.1.2.3:48620, 10.9.8.7:53, 256:1:1, allow
On 10/17/18 5:45 PM, Jianyu Li via Snort-users wrote:
From: Snort-users <snort-users-bounces () lists snort org> on behalf of
wkitty42--- via Snort-users <snort-users () lists snort org>
Sent: 17 October 2018 21:22
To: snort-users () lists snort org
Subject: Re: [Snort-users] DPX starter kit output: No alert generated
On 10/17/18 4:07 PM, Jianyu Li via Snort-users wrote:
I followed the link below to build DPX. https://www.snort.org/documents/dpx-readme
But there is no alert generated in the output of ./test.sh I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.
i don't know anything about dpx but what are the four short rules and what
traffic was sent to be analyzed? the output looks to have passed the traffic...
it may be that you need to add "-k none" to your snort command line to ensure
that checksums are ignored...
--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Hi wkitty42,
Thank you very much for your reply!
I am new to snort. I tried to add the "-k none" in snort command line but it didn't work, there is still no alert in
the output.
The content of test.sh is:
root@ubuntu3:~/dpx-1.7# cat test.sh
#!/bin/bash
if [ ! -e setup.sh ] ; then
echo "ERROR: you must echo SNORT=/path/to/snort/dir > setup.sh first"
exit -1
fi
. ./setup.sh
export SNORT_PP_DEBUG=0x80000000
$SNORT/src/snort -c test/snort.conf -A console:test -r test/test.pcap
So I think the test/snort.conf is used as the configuration file, the content of test/snort.conf is:
root@ubuntu3:~/dpx-1.7/test# cat snort.conf
# default configuration
dynamicpreprocessor directory lib/snort_dynamicpreprocessor
preprocessor dpx: port 8
config binding: 10.1.conf net 10.1.0.0/16
include rules.conf
But there are only two snort rules inside rules.conf, I am not sure why there are 4 snort rules shown in the result:
root@ubuntu3:~/dpx-1.7/test# cat rules.conf
#config autogenerate_preprocessor_decoder_rules
alert ( msg:"tcp src port match"; gid:256; sid:1; )
alert ( msg:"tcp dst port match"; gid:256; sid:2; )
The test/test.pcap was sent to be analyzed:
root@ubuntu3:~/dpx-1.7/test# tcpdump -vr test.pcap
reading from file test.pcap, link-type EN10MB (Ethernet)
01:53:28.392198 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
10.1.2.3.12345 > 10.9.8.7.8: Flags [S], cksum 0x608d (correct), seq 1, win 256, length 0
01:53:28.392236 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40)
10.9.8.7.8 > 10.1.2.3.12345: Flags [S.], cksum 0x607b (correct), seq 1, ack 2, win 256, length 0
01:53:28.392273 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto TCP (6), length 40)
10.1.2.3.12345 > 10.9.8.7.http: Flags [.], cksum 0x6034 (correct), ack 2, win 256, length 0
01:53:28.392324 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto TCP (6), length 40)
10.4.5.6.12345 > 10.9.8.7.8: Flags [S], cksum 0x5d85 (correct), seq 1, win 256, length 0
01:53:28.392353 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto TCP (6), length 40)
10.9.8.7.8 > 10.4.5.6.12345: Flags [S.], cksum 0x5d75 (correct), seq 1, ack 2, win 256, length 0
01:53:28.392392 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none], proto TCP (6), length 40)
10.4.5.6.12345 > 10.9.8.7.http: Flags [.], cksum 0x5d2e (correct), ack 2, win 256, length 0
In my understanding, the DPX is a Dynamic Preprocessor Example, which can be downloaded from the snort website. I was
trying to test the dynamic preprocessor example, the output should generate the alerts since the dpx preprocessor will
listen on port 8 (according to the 3rd line of snort.conf file), and the tcpdump showed that some packets' ports are 8.
Thanks,
Jianyu Li
________________________________
From: Jianyu Li
Sent: 17 October 2018 21:07:21
To: snort-users () lists snort org
Subject: DPX starter kit output: No alert generated
Hi
I followed the link below to build DPX.
https://www.snort.org/documents/dpx-readme
But there is no alert generated in the output of ./test.sh
I am using snort-2.9.12, daq-2.0.6, ubuntu 18.04.1 LTS on VirtualBox.
The following is the output of ./test.sh
root@ubuntu3:~/dpx-1.7# ./test.sh
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "test/snort.conf"
Tagged Packet Limit: 256
Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor...
Loading dynamic preprocessor library lib/snort_dynamicpreprocessor/libdpx.so... done
Finished Loading all dynamic preprocessor libs from lib/snort_dynamicpreprocessor
Log directory = /var/log/snort
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4 Snort rules read
4 detection rules
0 decoder rules
0 preprocessor rules
2 Option Chains linked into 2 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
| tcp udp icmp ip
| src 0 0 0 0
| dst 0 0 0 0
| any 4 0 0 0
| nc 4 0 0 0
| s+d 0 0 0 0
+----------------------------------------------------------------------------
+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------
+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
[ Port Based Pattern Matching Memory ]
pcap DAQ configured to read-file.
Acquiring network traffic from "test/test.pcap".
Reload thread starting...
Reload thread started, thread 0x7f2fb2e68700 (4175)
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.12 GRE (Build 325)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.8.1
Using PCRE version: 8.39 2016-06-14
Using ZLIB version: 1.2.11
Preprocessor Object: dpx Version 1.6 <Build 1>
Commencing packet processing (pid=4174)
===============================================================================
Run time for packet processing was 0.302 seconds
Snort processed 6 packets.
Snort ran for 0 days 0 hours 0 minutes 0 seconds
Pkts/sec: 6
===============================================================================
Memory usage summary:
Total non-mmapped bytes (arena): 4296704
Bytes in mapped regions (hblkhd): 31576064
Total allocated space (uordblks): 3490960
Total free space (fordblks): 805744
Topmost releasable block (keepcost): 659328
===============================================================================
Packet I/O Totals:
Received: 6
Analyzed: 6 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 6 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 6 (100.000%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 6 (100.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 0 ( 0.000%)
Bad Chk Sum: 0 ( 0.000%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 6
===============================================================================
Action Stats:
Alerts: 0 ( 0.000%)
Logged: 0 ( 0.000%)
Passed: 0 ( 0.000%)
Limits:
Match: 0
Queue: 0
Log: 0
Event: 0
Alert: 0
Verdicts:
Allow: 6 (100.000%)
Block: 0 ( 0.000%)
Replace: 0 ( 0.000%)
Whitelist: 0 ( 0.000%)
Blacklist: 0 ( 0.000%)
Ignore: 0 ( 0.000%)
Retry: 0 ( 0.000%)
===============================================================================
Snort exiting
I would be grateful if you could help me find out the problem.
Thanks,
Jianyu Li
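Added example, not part of any message in this thread and not Snort source: a stand-alone C++ model of the condition shown in the patch context (p->ptrs.dp == port && p->dsize > max), run over the packets from the two tcpdump listings in the thread. The struct and function names are this example's own, and it assumes packets of a protocol the inspector is not registered for never reach eval().

```cpp
// Added example: a stand-alone model of the dpx condition, not Snort source.
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Proto { TCP, UDP };

// Only the fields the quoted condition reads; names are this example's own.
struct Pkt {
    Proto proto;
    uint16_t dst_port;  // p->ptrs.dp in the quoted code
    uint16_t payload;   // p->dsize in the quoted code
    const char* what;
};

// Stand-in for an inspector configured with dpx = { port = ..., max = ... }.
struct DpxModel {
    Proto registered;   // UDP as shipped, TCP once the patch in the thread is applied
    uint16_t port;
    uint16_t max;

    // Same comparison as the quoted eval(): destination port equals the
    // configured port AND payload length is strictly greater than max.
    bool would_queue_event(const Pkt& p) const {
        if (p.proto != registered)
            return false;  // assumption: other protocols never reach eval()
        return p.dst_port == port && p.payload > max;
    }
};

// Transcribed from the tcpdump listings in the thread (payload = trailing length).
static const std::vector<Pkt> dns_pcap = {
    {Proto::UDP,   53,  87, "IXFR query    1.1.1.2.1028 > 1.1.1.1.53"},
    {Proto::UDP, 1028, 215, "IXFR response 1.1.1.1.53 > 1.1.1.2.1028"},
};
static const std::vector<Pkt> test_pcap = {
    {Proto::TCP,     8, 0, "SYN     10.1.2.3.12345 > 10.9.8.7.8"},
    {Proto::TCP, 12345, 0, "SYN-ACK 10.9.8.7.8 > 10.1.2.3.12345"},
    {Proto::TCP,    80, 0, "ACK     10.1.2.3.12345 > 10.9.8.7.http"},
    {Proto::TCP,     8, 0, "SYN     10.4.5.6.12345 > 10.9.8.7.8"},
    {Proto::TCP, 12345, 0, "SYN-ACK 10.9.8.7.8 > 10.4.5.6.12345"},
    {Proto::TCP,    80, 0, "ACK     10.4.5.6.12345 > 10.9.8.7.http"},
};

// Number of packets in a capture that satisfy the modelled condition.
int count_events(const DpxModel& m, const std::vector<Pkt>& pkts) {
    int n = 0;
    for (const Pkt& p : pkts) {
        if (m.would_queue_event(p)) {
            std::printf("  match: %s (payload %u > max %u)\n",
                        p.what, (unsigned)p.payload, (unsigned)m.max);
            ++n;
        }
    }
    return n;
}

int main() {
    std::printf("udp, port=53, max=128, dns pcap : %d\n",
                count_events(DpxModel{Proto::UDP, 53, 128}, dns_pcap));
    std::printf("udp, port=53, max=20,  dns pcap : %d\n",
                count_events(DpxModel{Proto::UDP, 53, 20}, dns_pcap));
    std::printf("udp, port=8,  max=128, test.pcap: %d\n",
                count_events(DpxModel{Proto::UDP, 8, 128}, test_pcap));
    std::printf("tcp, port=8,  max=128, test.pcap: %d\n",
                count_events(DpxModel{Proto::TCP, 8, 128}, test_pcap));
    return 0;
}
```

By this condition alone, test.pcap cannot produce an event even with the TCP patch, because every segment has length 0, while the DNS query (87 bytes to port 53) satisfies it for max=20 but not for max=128. A silent run with max=20 therefore points to something outside this comparison.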
