[Snort-users] Bug report: out of date URLs in signature set VRT_PR-2.4

Gulfie gulfie at ...13618...
Fri Dec 2 03:18:26 EST 2005


	I was rooting through some Snort rules, and found that some of the URLs aren't responding anymore.

	So I wrote a quick tool to help find which ones are there and which ones aren't.  I figured I could tell a man to fish, or give him a fishing pole.

		http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker.subpage.html

	There are some false positives in the methodology, but the signal / noise ratio is okay.
	Most of the problems are caused by domains becoming unregistered, or companies getting acquired.

	Examples:
		www.atstake.com, www.packetfocus.com, www.tlsecurity.net, etc.

		Or www.wiretrip.net, which is still borked up.

		False positives include:
			http://cme.mitre.org/data/list.html#681
			http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html

			not sure why.

			The COMM-2.4 set seems to be clean save some false positives.

	Some example output is:

		http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/snortrules-VRT_PR-2.4/rules/backdoor.rules.urlmarkedup.html

		Note: http://www.tlsecurity.net/backdoor/Dagger.1.4.html is no longer responding.

		http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/snortrules-VRT_PR-2.4/rules/exploit.rules.urlmarkedup.html

		Note: www.bugtraq.org is no longer in the whois database.


	Output for bunches of rules files: Bleeding, COMM-2.4 and VRT_PR-2.4

		http://www.grotto-group.com/~gulfie/projects/misc/snort_urlchecker/example/wrascle.index.html


								-gulfie