Archive for June, 2009

All Projects

This page indexes the projects hosted at Bleeding Snort other than the Snort Signatures. We highly encourage you to use and support these projects, they are all maintained by Bleeding Snort Community members and/or admins.

Snort Bait and Switch

The Snort Bait and Switch Project was written by Will Metcalf. In essence you can use this to redirect hostile traffic in realtime to a honeypot or decoy net.

This project is mainteined by Will Metcalf.

Spyware Listening Post

The goal of the Spyware Listening Post is to build a self-sustaining spyware prevention and detection framework.

We hope to accomplish this by using existing tools such as the Black Hole DNS project, the User-Agents project, and our existing Bleeding Snort Spyware Signatures to funnel known traffic to analysis points to identify the unknown.

We believe that in general we’re all losing the fight to spyware and malware. This project we hope will move us into the driver’s seat rather than continue our current reactionary tactics.

This project is maintained by Matt Jonkman.

Snort.conf Samples Project

The goal of this project is to make a set of sample snort.conf files. These will represent different size and goal installs of snort. We do not intend to provide snort.conf files that you can use without modification or understanding, but guides to help you benefit from the experience of the ocmmunity as a whole.

The discussion to create these configuration files will occur on the bleeding-sigs list.

The files for this project will be stored here:

This project is maintained by Matt Jonkman

SEC Rules

This is just a collection of rules that folks using SEC (Simple Event Correlator) are using. We welcome your contributions of those you can share.

SEC is a very powerful tool. You can learn more about it here:

This project is maintained by Matt Jonkman

Snort ClamAV

The Snort ClamAV project brings you a patched snort that using the ClamAV virus database can alert and/or block viruses at the network level.

This project is maintained by Victor Julien.

CoreMark Snort Test Suite

This project has a primary goal of building and maintaining a test suite. This suite will be used to test snort rules and rulesets for performance impact and acuracy (false positive and negative). Snort performance on different platforms and hardware will be measurable as well.

This project was started by the generous donation of a privately developed test suite by the folks as SensorLabs. They continue to be core developers of the project.

Project lead is to be announced.

Remote BHO Scanner

This project allows you to scan a large number of Windows systems quickly for BHO’s installed. It’s very informative, very fast, and very acurate.

This is very useful for finding rogue spyware installs in a large net. It uses the BHO listings from Castlecops. Thanks to them for maintaining
that list.

David Glosser maintains this project.

BlackHole DNS for Spyware

The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.

This project is maintained by David Glosser.

Spyware User-Agents List

The Spyware User-Agents project is a list of User-Agent strings used by common spyware, malware, and viruses, etc. The intention is to alow you to block these in projxy servers, write snort signatures from them, or identify unknown code.

This project is maintained by Chris Taylor.


SPADE (Statistical Packet Anomaly Detection Engine) is a project built years go by Silicon Defense. It was left abandoned for a long time. Simon Bliles has revived the project and is beginning the long
journey of modernizing and securing the code.

There is a working version in CVS. This is maintained by Simon Bliles.

Bleeding Snort Official Sponsors

There is plenty of room for new sponsors and donations. Bleeding Snort will not solicit Cash Donations. What keeps this project alive are the contributions of time and ideas. The primary requirements are manpower to test and write signatures, coders for the upcoming rule manager interface, admins to be ‘on call’ to seek and bring new signatures into the rulesets. Please contact if you would like to contribute resources or become an administrator.

The following Companies have made significant physical resources or manpower available to build and maintain the Bleeding Snort project.

Admins of Bleeding Snort:

Matt Jonkman — Infotex
Frank Knobbe — Praemunio
Blake Hartstein — Demarc
David Glosser
Chris Norton

Mark Scott
James Ashton — Vortech Hosting
Eric Hines — Applied Watch
Mark Warren — Praemunio
Joel Ebrahimi — Demarc

Significant Signature Contributions made by:

Abe Use
Brandon Barnes

Chich Thierry
Chris Norton
Christopher Harrington
Cody Hatch
Federico Petronio
James Ashton
Jason Haar
Joel Esler
Joe Stewart

Johnathan Norman
Jonathan Miner
Joseph Gama
Owen Crowe
Lin Zhong
Mark Scott
Matt Jonkman
Matt Sheridan

Michael Sconzo
Nick Hatch
Patrick Harper
Philippe Caturegli
Sam Evans
Thomas Alex
Vernon Stark

Many thanks to all who have and will contribute that are not named. We will try to periodically update this page, our way of saying thanks for stepping up and contributing to the community.

What is Bleeding Snort?

Bleeding Snort is a Free Zone for Snort signature development, and a number of other related security projects. Bleeding Snort brings together the most experienced, and the least experienced security professionals.

This site takes all the Snort Signatures we can find, and that are submitted to us, organizes them into coherent rulesets, makes basic quality tweaks, and distributes them free of charge to all who are interested. We welcome your contributions, ideas, or just tweaks. What makes this project so effective are both the ideas and peer review of all content. Our overriding goal is to make this process happen quickly to help all of us as security professionals respond quickly to known and unknown threats.

Free Zone means this is a space where any idea, regardless of how stupid or useless it may sound, can be brought up without fear of disparagement. The majority of the most innovative and unique ideas that make these rules so effective have come from our newest and least experienced users.

Our History

Bleeding Snort came about in early 2003 to satisfy a need in the community. Prior to our formation, security professionals had to monitor a large number of security mailing lists and websites to glean all of the new Snort signatures that were being discussed and distributed. There was no real way to make sure you had the latest version, or contribute effectively a tweak to improve a signature.

Bleeding Snort was founded by Matt Jonkman and James Ashton to fill that need. It is a completely volunteer run project using donated servers and resources. Bleeding Snort has a number of commercial sponsors, these sponsors generally donate the time of their security experts to help write signatures, and mature what is submitted.

If you have an idea for a signature, or another security project, please email it to the Bleeding-Sigs mailing list or

The Goods
A number of other security projects have found a home at Bleeding Snort, and we’re always looking for others that need a home and a community. The signatures can be found here:

All Rulesets

Browse Rules

All of our Projects

Our Sponsors and Admins

If you have a project that needs a home, want to volunteer to be a Bleeding Snort Admin, or have a signature or idea to contribute, please contact Bleeding Snort has been so useful and successful because of the user community. This is just a reflection of our collective work. Please continue to contribute!