Snort mailing list archives

Bug report : out of date url,'s in signature set VRT_PR-2.4


From: Gulfie <gulfie () grotto-group com>
Date: Fri, 2 Dec 2005 03:16:59 -0800


I was rooting through some snort rules, and found that some of the url,'z aren't responding anymore.

So I wrote a quick tool to help find which ones are there and which ones aren't.  I figured I could tell a man to fish, or give him a fishing pole.

        http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker.subpage.html

There are some false positives in the methodology, but the signal / noise ratio is okay.
Most of the problems are caused by domains becoming unregistered, or companies getting acquired.

Examples :
        www.atstake.com , www.packetfocus.com , www.tlsecurity.net, etc.

        Or www.wiretrip.net, which is still borked up.

        False positives include :
                http://cme.mitre.org/data/list.html#681
                http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html

                not sure why.

        The COMM-2.4 set seems to be clean save some false positives.

Some example output is :

        http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/snortrules-VRT_PR-2.4/rules/backdoor.rules.urlmarkedup.html

        Note : http://www.tlsecurity.net/backdoor/Dagger.1.4.html is no longer responding.

        http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/snortrules-VRT_PR-2.4/rules/exploit.rules.urlmarkedup.html

        Note : www.bugtraq.org is no longer in the whois database.

Output for bunches of rules files: Bleeding, COMM-2.4 and VRT_PR-2.4

        http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/wrascle.index.html

                                                                -gulfie
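The check the post describes (pull every `reference:url,...` option out of a Snort rule set, probe each target, and flag the ones that no longer answer) is small enough to sketch in Python. The block below is an added example written for this archive page; it is not gulfie's snort_urlchecker and makes no claim about how that tool is built. The sample rules, the `fake_probe` responder and the hostnames `example.com` / `old.example.net` are constructed so the logic runs offline; `http_reachable` is the real network probe you would pass to `classify` on a live rule directory. It also treats an HTTP error status as "responding", since a moved page is a different problem from an unregistered domain, which is the false-positive split the post mentions.

```python
"""Find reference URLs in Snort rules that no longer respond.

Added example, not gulfie's snort_urlchecker.  Extracts every
`reference:url,<target>` option, normalises it to a URL, and runs a
pluggable reachability probe so the network step can be swapped for a
constructed responder in tests.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit

# Snort options are `key:value;` pairs inside the parentheses.  A url
# reference is written without a scheme: `reference:url,www.example.com/x;`
_REF_URL = re.compile(r"reference\s*:\s*url\s*,\s*([^;]+);", re.IGNORECASE)
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def extract_references(rule_text):
    """Return [(sid, url), ...] for every url reference in rule_text.

    Comment lines are skipped, rules without a sid get sid 0, and targets
    that lack a scheme get http:// prepended.
    """
    refs = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m_sid = _SID.search(line)
        sid = int(m_sid.group(1)) if m_sid else 0
        for target in _REF_URL.findall(line):
            target = target.strip()
            if not target.lower().startswith(("http://", "https://")):
                target = "http://" + target
            refs.append((sid, target))
    return refs


def http_reachable(url, timeout=10):
    """Real network probe: True if the server answers with any HTTP status.

    A 404 still counts as alive (the host exists, only the page moved);
    DNS failure, refused connections and timeouts count as dead.  Note that
    a transient outage looks identical to an unregistered domain, which is
    where this approach produces false positives.
    """
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "snort-ref-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return True
    except HTTPError:
        return True  # server answered, so the domain is alive
    except (URLError, OSError, ValueError):
        return False


def classify(refs, probe=http_reachable):
    """Probe each distinct URL once and split references into alive/dead.

    Returns {"alive": [...], "dead": [...]} of (sid, url) tuples, sorted so
    the report is stable.  `probe` is injectable for offline testing.
    """
    verdicts = {}
    alive, dead = [], []
    for sid, url in refs:
        if url not in verdicts:
            verdicts[url] = probe(url)
        (alive if verdicts[url] else dead).append((sid, url))
    return {"alive": sorted(alive), "dead": sorted(dead)}


def dead_hosts(report):
    """Distinct hostnames behind the dead references, for a whois follow-up."""
    return sorted({urlsplit(url).hostname for _, url in report["dead"]})


# Constructed sample rules; sids and hosts are made up for this example.
SAMPLE_RULES = """
# constructed sample, not a real rule set
alert tcp $EXTERNAL_NET any -> $HOME_NET 2589 (msg:"BACKDOOR sample A"; flow:to_server,established; reference:url,www.example.com/backdoor/a.html; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT sample B"; reference:bugtraq,1234; reference:url,old.example.net/advisory/b.txt; sid:1000002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"sample C"; reference:url,https://www.example.com/c; reference:url,old.example.net/advisory/b.txt; sid:1000003;)
alert tcp any any -> any 25 (msg:"no reference here"; sid:1000004;)
"""


def fake_probe(url):
    """Constructed offline responder: everything on old.example.net is dead."""
    return urlsplit(url).hostname != "old.example.net"


def run_sample():
    """Run the classifier over the constructed rules with the offline probe."""
    return classify(extract_references(SAMPLE_RULES), probe=fake_probe)


if __name__ == "__main__":
    report = run_sample()
    for sid, url in report["dead"]:
        print(f"sid {sid}: {url} is no longer responding")
    print("hosts to look up in whois:", dead_hosts(report))
```

To run it against a real rule directory, concatenate the `*.rules` files into one string, call `extract_references` on it and pass the result to `classify()` with the default probe; the `dead_hosts` list is the set worth checking in whois, since an unregistered domain is the case where a rule's reference is genuinely gone rather than temporarily unreachable.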




