Search found 89 matches

by tomfisk
Tue Jun 16, 2020 12:12 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

There is someone who used this work as the basis of a github project, https://github.com/elmaxid/ips-mikrotik-suricata Hi TomFisk, I see your point. Maybe you can help me to do step-by-step list what and how to use your method with SELKS. As you pointed additional components in SELKS really add lot ...
by tomfisk
Sun Jun 14, 2020 4:26 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, So what problem are you trying to solve? SELKS is an IDS/IPS reporting/visualization and management platform that uses Suricata to implement network firewall rules. There is nothing inherent in Suricata to implement the firewall rules through a Mikrotik device. SELKS doesn't change that. That is...
by tomfisk
Fri Dec 20, 2019 3:24 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Glad you got it working Pranav! Hi Tom, I suspect the problem was that I was using the pppoe interface. https://groups.google.com/forum/#!topic/security-onion/XUUNgIGqsv4 gave me a clue; I have run the test script mentioned at the above URL and am getting alerts ever since I set the sniffer interfac...
by tomfisk
Thu Dec 19, 2019 2:13 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Tom, Your sniffer streaming from the mikrotik is set up and you are seeing data? PL] Yes. Your streaming server is your suricata host? PL] Yes. The interface is the port connected to your ISP? PL] Ahem, I have a pppoe connection so that is the interface I have defined for sniffing. Should I defi...
by tomfisk
Wed Dec 18, 2019 2:27 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Your sniffer streaming from the mikrotik is set up and you are seeing data? Your streaming server is your suricata host? The interface is the port connected to your ISP? /tool sniffer set filter-interface=ether1 filter-ip-address=!1.2.3.4/32 filter-stream=yes streaming-enabled=yes streaming-server=1...
by tomfisk
Tue Dec 17, 2019 5:09 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I believe that will work going through a file...here is how I start my instance of suricata: nohup /usr/local/bin/tzsp2pcap -f | /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin & So pipe the output of tzsp2pcap into suricata through stdin. If you ran a port scan, and those port...
by tomfisk
Mon Dec 16, 2019 1:09 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Tom, Thanks for confirming the use of tzsp2pcap. Is there any documentation on how to get it going? I have cloned its source and see the make file but I suspect I need to install headers etc., to build the program. Check this blog entry for instructions on compiling [url]https://bløgg.no/2015/03...
by tomfisk
Mon Dec 16, 2019 3:07 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Yes, the format from the sniffer stream needs to be converted with tzsp2pcap.
Hi,
I am sending the stream from the sniffer tool directly to a Linux box on which I have installed suricata. Do I need an intermediate tool?

Pranav
by tomfisk
Sun Dec 15, 2019 4:26 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

You have tzsp2pcap running to capture stream and send to suricata? Here are my processes on my suricata host: snort 656 1 0 Nov18 ? 05:27:05 /usr/local/bin/tzsp2pcap -f snort 658 1 4 Nov18 ? 1-02:37:00 /usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r /dev/stdin snort 24966 1 8 00:01 ? 00:45:40...
by tomfisk
Fri Dec 13, 2019 5:14 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi all, Could someone please point me to a resource that shows me how to set up Suricata from scratch? I have a server running Ubuntu 19.10 and a mikrotik RB751g-2hnd router. The router is the gateway to my home network. It handles PPPOE authentication with my ISP. I already have the firewall confi...
by tomfisk
Wed Jun 05, 2019 2:08 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hey, Currently we don't have Mikrotik. We have some "homebuilt" Linux routers running our internal routing and firewalling, along with Suricata. We block bad IPs with a couple of ipset sets and iptables rules. How does Mikrotik's perform when they have to block a list of say 200.000 IPs? ...
by tomfisk
Mon Mar 04, 2019 5:23 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Yes, time lag is very short. Less than 2 seconds. Q1. Simple answer, of course, is "that depends". I do have services that I have open to the wild, so in my case I do want to stop someone trying to gain access through those services. If you don't have any services published, and are just a...
by tomfisk
Sun Mar 03, 2019 8:49 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, First of all, I think it is important for you to understand what a network threat detection engine, like Suricata, does. It ingests network packets, runs those packets against a set of rules, and then reports on those packets which match the rules. Suricata also provides the ability to do intrus...
by tomfisk
Thu Feb 21, 2019 11:46 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I have to run suricata through trafr? Nope. Haven't heard of trafr until your message. Can't find trafr officially listed on the MikroTik downloads page either. It's referenced on the Wiki but looks pulled? Presumably "tzsp2pcap" is the drop-in replacement and MikroTik moved to the TZS...
by tomfisk
Tue Nov 27, 2018 10:24 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the inter...
by tomfisk
Tue Nov 27, 2018 1:51 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Why in rule / ip firewall add action = drop chain = forward comment = "Drop any traffic going to bad actors" dst-address-list = Blocked you have entered dst-address-list? If it was src-address-list, then the package from the aggressor would not go to the internal network and eg. the inter...
by tomfisk
Wed Nov 07, 2018 3:46 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

1. Packet sniffer on Mikrotik is used, streaming output to specific IP address. 2. tzsp2pcap is used to receive stream (/usr/local/bin/tzsp2pcap -f) 3. Output from tzsp2pcap goes to suricata (/usr/bin/suricata -v -c /etc/suricata/suricata.yaml -r -) Thank you. This image was not found in the descri...
by tomfisk
Wed Nov 07, 2018 10:08 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I have to run suricata through trafr? Nope. Haven't heard of trafr until your message. I found this information in threads about Snort. I wonder how Suricata receives packets from the mikrotik sniffer with the Tazmen Sniffer Protocol (TZSP) 1. Packet sniffer on Mikrotik is used, streaming output...
by tomfisk
Wed Nov 07, 2018 2:18 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I have to run suricata through trafr?
Nope. Haven't heard of trafr until your message.
by tomfisk
Tue Sep 25, 2018 6:23 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Halimzhz, Sorry for the delayed reply. I'm sorry but I really don't have time to be able to help you with this. This solution uses the insert trigger from barnyard2 to grab events that subsequently get processed. It only processes those rules that match what is in the sigs_to_block table in mysql...
by tomfisk
Thu Sep 20, 2018 6:22 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OK, I thought you wanted to stop scanning traffic that was already blocked by a firewall rule. So you're saying don't delete and re-add a firewall rule if it already exists for in IP address? Let me look at suricata_block.php and see if that can be added as an option. Dear Tomfisk, I have another id...
by tomfisk
Wed Sep 19, 2018 5:36 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I understand what you are saying. Have you looked at the number of packets that would be blocked vs. the total volume? There would be a threshold where passing the packets after the firewall would make sense. I'm not sure what that threshold would be, but I would suspect that it would have to be a &...
by tomfisk
Tue Sep 18, 2018 5:17 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi Halimzhz, I don't think it is possible to get the packets only after they've gone through the firewall. The first firewall rule drops all packets from blocked IP addresses. I've looked to see if the next rule could run the traffic through a virtual interface (possible), but then you'd have to get t...
by tomfisk
Sun Sep 16, 2018 8:16 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

1. These scripts are running in the background and are started as a service. 2. You can get an email alert when an IP address has been blocked by changing the $email_alert variable in suricata_block.php Dear All, I have few question about this script: 1- I would like to know this script is running o...
by tomfisk
Fri Apr 27, 2018 1:08 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Do I need calea package to restream packets? Snort needs calea. Also will hAP ac2 4 core CPU handle suricata + few qos + 25 filter rules?
No, just stream packets with the sniffer tool to the suricata host. Yes, I don't see any problem with the ability to handle that configuration.
by tomfisk
Wed Apr 18, 2018 11:33 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This is awesome...if only I could get this on a RB450G...is there? Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions. So, are you saying one has to have a separate Suricata box for this to work? The RB450G only has 512M...
by tomfisk
Tue Apr 17, 2018 1:17 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This is awesome...if only I could get this on a RB450G...is there?
Should work fine with RB450G. Just need to stream the packet sniffer to the suricata box and follow the installation instructions.
by tomfisk
Wed Feb 14, 2018 10:13 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

So it looks like it doesn't get connected :o :o :? :? Since I didn't write that code I'm at a loss as well. I understand, I enabled debug (to test connection) and it works: Connection attempt #1 to 192.168.100.1:8728... <<< [6] /login Connection attempt #2 to 192.168.100.1:8728... <<< [6] /login Con...
by tomfisk
Wed Feb 14, 2018 8:46 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Since I didn't write that code I'm at a loss as well. It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters? $mikrotik_addr = "__someip__"; $mikrotik_user = "admin"; $mikrotik_pwd = "__somesecret__"; I...
by tomfisk
Tue Feb 13, 2018 4:57 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

It looks like to me that the connection to your Mikrotik isn't open. Did you configure your mikrotik connection parameters? $mikrotik_addr = "__someip__"; $mikrotik_user = "admin"; $mikrotik_pwd = "__somesecret__"; Hi, I am using a Debian 9 (before I used Ubuntu 16 and ...
by tomfisk
Fri Feb 02, 2018 2:40 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Yes, sniffer does stop FastPath and FastTrack. I have an RB951G-2HnD running with a sniffer and I am still able to achieve my ISP's full bandwidth of 350mbs. Just my observation...I'm not a networking professional so I can't fully address your concern. Perhaps you can turn on the sniffer and do a ba...
by tomfisk
Thu Feb 01, 2018 8:37 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Oops! Looks like I left some debug code in fast2mikrotik.php :( echo "Target will be: " . $target . "\r\n"; return true; try { $API->connect($mikrotik_addr, $mikrotik_user, $mikrotik_pwd); } catch (Exception $e) { die('Unable to connect to RouterOS. Error:' . $e); } Delete the &q...
by tomfisk
Wed Jan 31, 2018 11:54 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

The "!" goes in the little box before the IP address. Just click on it and it should change to "!". Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from ...
by tomfisk
Wed Jan 31, 2018 11:06 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Interesting. That should work, but let's tackle the problem in a different and more efficient manner. In the setup on the Mikrotik sniffer, let's just drop all of the packets from the IP you want to ignore set that it doesn't get sent to suricata in the first place. Set up a filter to exclude the ad...
by tomfisk
Tue Jan 30, 2018 2:39 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

You'd have to ask the developers that question...just what I found in the documentation :)
This:
suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX
Done! thanks. A bit question. I was using gen_id 1 always, why now 0?
by tomfisk
Tue Jan 30, 2018 1:59 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This: suppress gen_id 0, sig_id 0, track_by_src, ip 213.98.XX.XX I think you can just set gen_id and sig_id to 0 and it should apply to all events for that IP address. Hi, How could I add an IP as whitelist? Thanks. I put a line in threshold.config indicating the specific rule and IP address to suppr...
by tomfisk
Tue Jan 30, 2018 1:18 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I think you can just set gen_id and sig_id to 0 and it should apply to all events for that IP address. Hi, How could I add an IP as whitelist? Thanks. I put a line in threshold.config indicating the specific rule and IP address to suppress. suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168....
by tomfisk
Fri Dec 08, 2017 9:33 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I've included a script, fast2mikrotik.php, that will do what I think you are looking for. Check the original post.
Someone who can help me, I need to send to Mikrotik from the Suricata, without MySQL, some easy php like https://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS
by tomfisk
Sat Nov 25, 2017 5:07 pm
Forum: General
Topic: Historical IP address analysis for Intrusion Prevention
Replies: 0
Views: 3693

Historical IP address analysis for Intrusion Prevention

In my post titled Suricata IDS/IPS integration with Mikrotik (now with OSSEC) I provided a system to: scan network traffic going through a Mikrotik router, creating IPS (Intrusion Prevention System) events that would trigger the creation of firewall rules to prevent access to the target network. Th...
by tomfisk
Thu Nov 23, 2017 10:45 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

The Mikrotik interface to sniff should be the one that is connected to your ISP. That is where all of the traffic in/out of your network is. Make sure tzsp2pcap is running. In /var/log/suricata/ check suricata.log to make sure it started successfully and fast.log to see if events are being flagged. I...
by tomfisk
Thu Nov 23, 2017 10:18 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

It is possible to customize and/or build a SELKS distribution and there are guides here https://github.com/StamusNetworks/SELKS/wiki/Customizing-SELKS and here https://github.com/StamusNetworks/SELKS/wiki/Building-SELKS . Including this functionality into the SELKS distribution would be possible, bu...
by tomfisk
Fri Nov 17, 2017 11:13 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi,

How could I add an IP as whitelist?

Thanks.
I put a line in threshold.config indicating the specific rule and IP address to suppress.
suppress gen_id 1, sig_id 2010066, track by_src, ip 192.168.100.2
by tomfisk
Tue Oct 31, 2017 11:11 am
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 4233

Re: Ipsec Site to Site, again...

From your attachments, you are trying to route to a specific address and not the tunnel. I can't see your interface list window...but like I said before, my take is that you need to assign an address to the tunnel, and then route to that address, not the public address of the remote end. See my conf...
by tomfisk
Mon Oct 30, 2017 9:43 am
Forum: General
Topic: Ipsec Site to Site, again...
Replies: 14
Views: 4233

Re: Ipsec Site to Site, again...

I have a similar setup and I think all you need to do is add an address for the IPIP tunnel: add address=10.0.0.2/30 interface=IPIP_Plainview network=10.0.0.0 Now add route to the remote address range, pointing at the address for the tunnel: add check-gateway=ping comment="Route to Plainview&qu...
by tomfisk
Thu Aug 31, 2017 2:46 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

The warning for mysqli is normal. If you want to send email notifications, then you'll have to change the location to sendmail on your system. Do whereis sendmail and modify suricata_block.php as necessary. It's me again ... I run suricata_block.pxp from the command line: php -f /usr/bin/suricata_bl...
by tomfisk
Wed Aug 30, 2017 3:44 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Excellent! Glad it worked! You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following: sudo nano /etc/mysql/my.cnf Add this to the end of the file [mysqld] sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR...
by tomfisk
Wed Aug 30, 2017 2:51 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

You must have MySQL version 5.7.5 or greater. I believe you will need to disable the ONLY_FULL_GROUP_BY sql_mode with the following: sudo nano /etc/mysql/my.cnf Add this to the end of the file [mysqld] sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AU...
by tomfisk
Thu Aug 24, 2017 12:29 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

I do it in my oinkupdate.sh script. #!/bin/bash /usr/local/bin/oinkmaster.pl -C /etc/suricata/oinkmaster.conf -o /etc/suricata/rules chown snort:snort /etc/suricata/rules/* pkill -USR2 -u snort -f /usr/bin/suricata /etc/init.d/aanval restart /etc/init.d/barnyard2 stop sleep 5 /etc/init.d/barnyard2 s...
by tomfisk
Thu Aug 24, 2017 7:31 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

In my nightly process to update the rules, I issue the following command to suricata: pkill -USR2 -u snort -f /usr/bin/suricata This might help with the problem. A little thing. I monitor my servers with Nagios and my IDS server is increasing always process without kill old process, are there way to...
by tomfisk
Tue Aug 15, 2017 5:18 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Good day, I've made this, added a new column for queue_block table ALTER TABLE block_queue ADD que_ip_adrlan VARCHAR(64) COLLATE utf8_unicode_ci NOT NULL; modify trigger .... INSERT INTO block_queue SET que_ip_adr =NEW.ip_src, `que_ip_adrlan = NEW.ip_dst,` que_timeout = timeout, que_sig_name = this_...
by tomfisk
Mon Aug 14, 2017 6:08 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Thanks for your comments Percanta. I will look at adding in the IP of the internal source/destination to the comment.

Tom
by tomfisk
Fri Jul 14, 2017 11:24 am
Forum: General
Topic: Tor browser
Replies: 1
Views: 1104

Re: Tor browser

Without a way to do packet inspection over the life of a session, I don't think there is a reliable way. I use suricata which I have integrated with the Mikrotik router as an IDS/IPS. See this post: https://forum.mikrotik.com/viewtopic.php?f=2&t=111727 It might be more than you are looking for, ...
by tomfisk
Tue Jul 04, 2017 2:56 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hello, I'm trying to implement this one, but I don't know how to test it, works or not. Please help me! There are several tutorials on testing the alerts on Suricata. For example, look at paragraph 1.5 of this tutorial to test if the rules are firing. https://web.nsrc.org/workshops/2015/pacnog17-ws/ra...
by tomfisk
Thu Jun 29, 2017 9:17 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

This looks like one of the things I've been searching for, however I would like to know how much CPU is needed for this. Would using a quad core ARM A17 with gigabit ethernet be sufficient for gigabit speeds? I would like to keep things as low power as possible and my routerboard has a usb por...
by tomfisk
Wed Jun 07, 2017 5:05 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hey tom, I think there is an issue with the routeros_api.class.php file I got. Is there a dedicated link to the one you used? I got mine from https://github.com/BenMenking/routeros-api/blob/master/routeros_api.class.php and when I run it, I get errors such as: PHP Warning: fwrite() expects paramete...
by tomfisk
Tue Jun 06, 2017 2:44 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Ok, new records are added to firewall's access list. One issue with it, is that they are added as unsigned long. Somehow they are not converted to addresses. Check the records in the block_queue table. Should be populated with IP v4 addresses. They are converted from numeric to IP v4 address by the ...
by tomfisk
Tue Jun 06, 2017 4:41 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hey guys, I am stuck on the whole Database Trigger part. Whenever I try to add the trigger, I get a syntax error. I tried to add it to the triggers using phpMyAdmin, but still I got the same error. I am really eager to try this as it seems fairly interesting, Thanks! error.JPG Does my reply from Mo...
by tomfisk
Tue Jun 06, 2017 4:38 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

+-----------+------------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-----------+------------------+------+-----+---------+-------+ | sid | int(10) unsigned | NO | PRI | NULL | | | cid | int(10) unsigned | NO | PRI | NULL | | | signature | int(10) unsigne...
by tomfisk
Mon Jun 05, 2017 3:09 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, Tried to implement this solution. I use Ubuntu 16.04 with mysql 5.7.18. When I put a trigger in place I get this while loading barnyard2: ERROR: database mysql_error: Unknown column 'event.id' in 'field list' SQL=[INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_...
by tomfisk
Mon May 29, 2017 10:41 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Wow, this is fantastic :) . A great way to do it without having to use an inline IPS. Just one question: can we do it without snorby? Could you maybe provide a full sql schema instead of just your additions for barnyard to write to? I usually use suricata with evebox (json api) so I was just trying...
by tomfisk
Wed May 10, 2017 8:57 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receives any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by tomfisk
Tue May 09, 2017 3:34 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receives any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by tomfisk
Sat May 06, 2017 5:37 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi again Tomfisk, I have a little question about OSSEC. My mikrotik never receives any entry by OSSEC. I think that OSSEC isn't adding any info to SQL because I have logs in the script and all is empty. How could I debug it? I have logs with info, as /etc/ossec/logs/active-responses.log Here a examp...
by tomfisk
Fri Apr 28, 2017 8:33 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Check the update to suricata_block.php that I just made. :) Thanks! It's a very useful email :D :D I have to change some values on my mail server because I'm using TLS 587 but I will let you know when it's done and working fine. Thanks again for your job. I have a little problem, when the event noti...
by tomfisk
Thu Apr 27, 2017 3:02 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

There is no email function within Suricata or my implementation. Would you like an email every time a block is sent to the Mikrotik? I added that option; in the rule I marked "Log" and I receive emails when the Mikrotik blocks, but I would like an email from Suricata if it blocks anything. The em...
by tomfisk
Thu Apr 27, 2017 11:44 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account, but I have been reading and reading and have had no luck. I use postfix and I'm trying to send to a server with TLS (I created a sasl file in postfix with the login details). How could I enable it? Thanks. Are you referring to maximan's implementat...
by tomfisk
Thu Apr 27, 2017 8:20 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account, but I have been reading and reading and have had no luck. I use postfix and I'm trying to send to a server with TLS (I created a sasl file in postfix with the login details). How could I enable it? Thanks. Are you referring to maximan's implementat...
by tomfisk
Thu Apr 27, 2017 3:48 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, I'm trying to enable notifications via email to my account, but I have been reading and reading and have had no luck. I use postfix and I'm trying to send to a server with TLS (I created a sasl file in postfix with the login details). How could I enable it? Thanks. Are you referring to maximan's implementat...
by tomfisk
Wed Apr 26, 2017 10:07 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, yesterday I had a false positive with this: fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP C...
by tomfisk
Wed Apr 26, 2017 9:32 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Hi, yesterday I had a false positive with this: fast.log.2:04/25/2017-14:05:58.149205 [**] [1:2002994:7] ET SCAN Rapid IMAP Connections - Possible Brute Force Attack [**] [Classification: Misc activity] [Priority: 3] {TCP} alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP C...
by tomfisk
Thu Apr 13, 2017 12:01 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OSSEC installed and running fine (excellent & easy manual). Two questions. I also installed the web UI for OSSEC and it's running fine too, but I would like to have logs from other servers to check integrity, logs, etc. Most important question: should I install the agent on the servers, or, since everything i...
by tomfisk
Wed Apr 12, 2017 1:45 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

OSSEC installed and running fine (excellent & easy manual). Two questions. I also installed the web UI for OSSEC and it's running fine too, but I would like to have logs from other servers to check integrity, logs, etc. Most important question: should I install the agent on the servers, or, since everything i...
by tomfisk
Tue Apr 11, 2017 8:10 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Hmmmm...can you post the definition of your block_queue table? mysql> show table create block_queue; Here: mysql> SHOW CREATE TABLE block_queue\G; *************************** 1. row *************************** Table: block_queue Create Table: CREATE TABLE `block_queue` ( `que_id` int(11) NOT NULL A...
by tomfisk
Tue Apr 11, 2017 4:59 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Hmmmm...can you post the definition of your block_queue table? mysql> show table create block_queue; Here: mysql> SHOW CREATE TABLE block_queue\G; *************************** 1. row *************************** Table: block_queue Create Table: CREATE TABLE `block_queue` ( `que_id` int(11) NOT NULL A...
by tomfisk
Mon Apr 10, 2017 12:29 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

It is your script. It's weird because now the script sent 2 rules to the Mikrotik, but in the third test the script stopped. Something is killing that script, and I can't see what or why. Here is the php output file (which is always showing, but it doesn't matter, because with that error, if I don't leave the shell, the Mikrotik ...
by tomfisk
Mon Apr 10, 2017 12:00 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Yes, I edited my own message to be clearer: Yes, suricata is getting rules because I can see them on Snorby. When I start the script again, the Mikrotik receives all the rules which Suricata/Barnyard2/Snorby had captured. I have to restart it again because the script stops when I leave the shell and access a new bad ...
by tomfisk
Mon Apr 10, 2017 11:30 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Yes, when I run the script again the Mikrotik receives all the rules which Suricata/Barnyard2/Snorby had captured. I have to re-run it again because the script is stopped when I leave the shell. Here are my tests in fast.log: 04/10/2017-09:47:00.315253 [**] [1:2404571:4579] ET CNC Ransomware Tracker Reported CnC Server grou...
by tomfisk
Mon Apr 10, 2017 11:10 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I added my HOME_NET to suricata.yaml: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]" And I also added a line in threshold.config to avoid that alert from my IP. Could you tell me if it's right? suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100 suppress gen_id 1, s...
by tomfisk
Mon Apr 10, 2017 8:49 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I added my HOME_NET to suricata.yaml: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,192.168.5.0/24]" And I also added a line in threshold.config to avoid that alert from my IP. Could you tell me if it's right? suppress gen_id 1, sig_id 2006380, track by_src, ip 192.168.5.100 suppress gen_id 1, s...
by tomfisk
Sat Apr 08, 2017 6:52 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

I will look to test it. My Mikrotik has banned my own mail IP; is there a way to add a whitelist in suricata, the script or the Mikrotik? Could I create a rule in first place to allow traffic to my mail address? Thanks again. There are a couple of different ways to do this in suricata. First of all, in /etc/suricata...
by tomfisk
Fri Apr 07, 2017 9:35 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

I added the trigger, deleting the old trigger, and I think that it works, but I discovered a new thing: if I do set inet_ntoa(NEW.ip_src) from the mysql console I get the real IP, but MK is adding the number without decoding it. Any idea? Thanks. So if you do this in MySQL: use snorby; Select * from block_queue; What do y...
by tomfisk
Fri Apr 07, 2017 3:53 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

I added the trigger, deleting the old trigger, and I think that it works, but I discovered a new thing: if I do set inet_ntoa(NEW.ip_src) from the mysql console I get the real IP, but MK is adding the number without decoding it. Any idea? Thanks. So if you do this in MySQL: use snorby; Select * from block_queue; What do y...
by tomfisk
Thu Apr 06, 2017 3:41 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Thank you for the reply. I am using this: # mysql -V mysql Ver 14.14 Distrib 5.5.54, for debian-linux-gnu (x86_64) using readline 6.3 On the other side, I used your php script but I added the tables using the package from maximan. Are your tables inserted in a different way to his, and for that reason MySQL is...
by tomfisk
Thu Apr 06, 2017 1:57 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed this correctly but I get a bad address on the Mikrotik; could anyone help me please? Here is a picture: http://i64.tinypic.com/2zjiyxc.png What version of MySQL are you using? inet_ntoa was introduced in version 5.5.3. Thank you for the reply. I am using this: # mysql -V mysql Ver 14.14 Distrib...
by tomfisk
Thu Apr 06, 2017 1:39 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed this correctly but I get a bad address on the Mikrotik; could anyone help me please? Here is a picture: http://i64.tinypic.com/2zjiyxc.png What version of MySQL are you using? inet_ntoa was introduced in version 5.5.3. Thank you for the reply. I am using this: # mysql -V mysql Ver 14.14 Distrib...
by tomfisk
Thu Apr 06, 2017 1:26 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Hi, I installed this correctly but I get a bad address on the Mikrotik; could anyone help me please?

Here is a picture: http://i64.tinypic.com/2zjiyxc.png

What version of MySQL are you using? inet_ntoa was introduced in version 5.5.3.
by tomfisk
Mon Feb 27, 2017 6:06 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

Looks good. There are a couple of reasons I don't clean out the block_queue table: I do some analytics to see who my repeat offenders are. The top repeat offenders get added into the address list on the mikrotik with no expiration time. If the mikrotik gets rebooted, then the blocked address list is...
by tomfisk
Mon Feb 27, 2017 5:44 am
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Re: Suricata IDS/IPS integration with Mikrotik

If you are using phpMyAdmin to define the trigger, you can't do it in an SQL window. Go to the "Triggers" tab on the iphdr table and add the new trigger. addtrigger.png Otherwise just put the code in a file and execute it from the command line: mysql -u username -p database_name < trigger_...
by tomfisk
Thu Sep 01, 2016 12:01 pm
Forum: General
Topic: Suricata IDS/IPS integration with Mikrotik (now with OSSEC)
Replies: 216
Views: 1082428

Suricata IDS/IPS integration with Mikrotik (now with OSSEC)

Update 7-December-2017 For those who don't want to fuss with MySQL, I've added fast2mikrotik.php that will read the suricata events from fast.log and create the firewall rules. Update 26-November-2017 Look at my post Historical IP address analysis for Intrusion Prevention on how event history can b...