Snort mailing list archives
Bug report : out of date url,'s in signature set VRT_PR-2.4
From: Gulfie <gulfie () grotto-group com>
Date: Fri, 2 Dec 2005 03:16:59 -0800
I was rooting through some snort rules, and found that some of the url,'s aren't responding anymore. So I wrote a quick tool to help find which ones are there and which ones aren't. I figured I could tell a man to fish, or give him a fishing pole.

http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker.subpage.html

There are some false positives in the methodology, but the signal / noise ratio is okay.

Most of the problems are caused by domains becoming unregistered, or companies getting acquired. Examples: www.atstake.com, www.packetfocus.com, www.tlsecurity.net, etc. Or www.wiretrip.net, which is still borked up.

False positives include:
http://cme.mitre.org/data/list.html#681
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html
Not sure why.

The COMM-2.4 set seems to be clean save some false positives.

Some example output is:
http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/snortrules-VRT_PR-2.4/rules/backdoor.rules.urlmarkedup.html
Note: http://www.tlsecurity.net/backdoor/Dagger.1.4.html is no longer responding.

http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/snortrules-VRT_PR-2.4/rules/exploit.rules.urlmarkedup.html
Note: www.bugtraq.org is no longer in the whois database.

Output for bunches of rules files: Bleeding, COMM-2.4 and VRT_PR-2.4
http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/wrascle.index.html

-gulfie
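A sketch of the kind of check the message above describes, added here as an example; it is not the snort_urlchecker tool linked in the post. The function names, the sample rules and the `.example` hosts are constructed for illustration, and the live probe is pluggable so the parsing can be exercised offline.

```python
import re
import socket
import urllib.error
import urllib.request
from collections import defaultdict

# Snort writes url references without a scheme: reference:url,host/path;
REF_URL = re.compile(r"reference\s*:\s*url\s*,\s*([^;\s]+)\s*;", re.I)
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Constructed sample rules (hypothetical hosts and SIDs, not from any real rule set).
SAMPLE_RULES = '''\
alert tcp any any -> any 80 (msg:"SAMPLE one"; reference:url,www.gone.example/advisory.html; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"SAMPLE two"; reference:url,docs.alive.example/a.html; reference:url,www.gone.example/advisory.html; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"SAMPLE off"; reference:url,old.example/x.html; sid:1000003; rev:1;)
'''

def extract_refs(rules_text):
    """Map each referenced URL to the SIDs of the enabled rules citing it."""
    refs = defaultdict(list)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out rules
        m = SID.search(line)
        sid = int(m.group(1)) if m else None
        for url in REF_URL.findall(line):
            refs[url].append(sid)
    return dict(refs)

def probe(url, timeout=10):
    """Live check returning 'ok', 'no-dns', 'http-<code>' or 'unreachable'."""
    host = url.split("/", 1)[0].split(":", 1)[0]
    try:
        socket.getaddrinfo(host, 80)
    except socket.gaierror:
        return "no-dns"  # domain lapsed or no longer resolves
    try:
        req = urllib.request.Request("http://" + url, method="HEAD")
        with urllib.request.urlopen(req, timeout=timeout):
            return "ok"
    except urllib.error.HTTPError as exc:
        return "http-%d" % exc.code  # may be a false positive if HEAD is refused
    except OSError:
        return "unreachable"

def stale_refs(rules_text, check=probe):
    """Return {url: (status, sids)} for every reference whose status is not 'ok'."""
    results = {u: (check(u), s) for u, s in extract_refs(rules_text).items()}
    return {u: r for u, r in results.items() if r[0] != "ok"}
```

Calling `stale_refs(open(path).read())` on a real rules file performs live DNS and HTTP requests; grouping by URL means each dead reference is probed once and reported with every SID that cites it.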