This page indexes the projects hosted at Bleeding Snort other than the Snort Signatures. We highly encourage you to use and support these projects, they are all maintained by Bleeding Snort Community members and/or admins.

Snort Bait and Switch

The Snort Bait and Switch Project was written by Will Metcalf. In essence you can use this to redirect hostile traffic in realtime to a honeypot or decoy net.

This project is mainteined by Will Metcalf.

Spyware Listening Post

The goal of the Spyware Listening Post is to build a self-sustaining spyware prevention and detection framework.

We hope to accomplish this by using existing tools such as the Black Hole DNS project, the User-Agents project, and our existing Bleeding Snort Spyware Signatures to funnel known traffic to analysis points to identify the unknown.

We believe that in general we’re all losing the fight to spyware and malware. This project we hope will move us into the driver’s seat rather than continue our current reactionary tactics.

This project is maintained by Matt Jonkman.

Snort.conf Samples Project

The goal of this project is to make a set of sample snort.conf files. These will represent different size and goal installs of snort. We do not intend to provide snort.conf files that you can use without modification or understanding, but guides to help you benefit from the experience of the ocmmunity as a whole.

The discussion to create these configuration files will occur on the bleeding-sigs list.

The files for this project will be stored here:

This project is maintained by Matt Jonkman

SEC Rules

This is just a collection of rules that folks using SEC (Simple Event Correlator) are using. We welcome your contributions of those you can share.

SEC is a very powerful tool. You can learn more about it here:

This project is maintained by Matt Jonkman

Snort ClamAV

The Snort ClamAV project brings you a patched snort that using the ClamAV virus database can alert and/or block viruses at the network level.

This project is maintained by Victor Julien.

CoreMark Snort Test Suite

This project has a primary goal of building and maintaining a test suite. This suite will be used to test snort rules and rulesets for performance impact and acuracy (false positive and negative). Snort performance on different platforms and hardware will be measurable as well.

This project was started by the generous donation of a privately developed test suite by the folks as SensorLabs. They continue to be core developers of the project.

Project lead is to be announced.

Remote BHO Scanner

This project allows you to scan a large number of Windows systems quickly for BHO’s installed. It’s very informative, very fast, and very acurate.

This is very useful for finding rogue spyware installs in a large net. It uses the BHO listings from Castlecops. Thanks to them for maintaining
that list.

David Glosser maintains this project.

BlackHole DNS for Spyware

The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.

This project is maintained by David Glosser.

Spyware User-Agents List

The Spyware User-Agents project is a list of User-Agent strings used by common spyware, malware, and viruses, etc. The intention is to alow you to block these in projxy servers, write snort signatures from them, or identify unknown code.

This project is maintained by Chris Taylor.


SPADE (Statistical Packet Anomaly Detection Engine) is a project built years go by Silicon Defense. It was left abandoned for a long time. Simon Bliles has revived the project and is beginning the long
journey of modernizing and securing the code.

There is a working version in CVS. This is maintained by Simon Bliles.