[Snort-sigs] Packet Payload database?

Matthew Watchinski mwatchinski at ...435...
Mon May 24 13:08:10 EDT 2004


To my knowledge there aren't any public pcap archives.  If anyone knows of one 
I'd love to know about it.  We've been working on putting one together for unit 
testing over here and it's been a tedious process.

If anyone has good quality pcaps of real network traffic (not forged, invented, 
netdude'd, contains full session, etc) for snort rules and is willing to part 
with them I'd definitely be interested in looking at them.  Maybe there is even 
a "Snort This" T-Shirt in for the contributor.

Cheers,
-matt

Scott Zawalski wrote:
> Is there a database available to the public that has captures of what 
> some of these rules are looking for? I have looked around and not been 
> able to find one.
> 
> If older rules have broad definitions that later on produce false 
> positives, people cannot improve them without knowing what the rule was 
> originally constructed for. With a database like this available it will 
> help older rules be even more finely tuned as newer net traffic 
> (homegrown apps) might incorporate traffic bits that produce false 
> positives.
> 
> I think that something along these lines would fit in perfectly with the 
> current snort-rules documentation and would be easy to keep up to date. 
> As new rules come up simply attach the payload you produced it from.
> 
> Scott




