Monday, February 27, 2012

Community submissions to the VRT Ruleset

Recently, submissions from the Snort community to the VRT ruleset have increased, so I wanted to share how that process works.

We accept signatures into the ruleset via our email address at research [at]. When we receive a signature we follow our standard internal procedures, which I won't go into in detail here, but they involve heavy QA of the signature, testing, optimization for performance, and even sending the rule out to our internal and external testing groups.

If you don't know how to write a Snort rule but have information on a new exploitation method, backdoor, malware, vulnerability, exploit kit, etc., we'll take that information as well and produce detection (if possible) for you. For example, see sid:21442 for Jason Wallace below. While Jason didn't write the sig, he did donate the time to scrape together infection information about a machine he manages, and we provided detection for that infection.

These rules go out in the VRT ruleset, available to our customers and to the Snort community as a whole via our normal process. If a submission to our group makes it into the VRT ruleset, we will give the author a free year-long subscription to our ruleset. We've also been known to send various levels of swag along to our big submitters, including our nice professional button-down Sourcefire shirts.

Our pledge to you is that we will provide feedback on how to improve your rules: what you should and should not do, tips and tricks for the latest versions of Snort and its keywords, as well as full attribution to the author for their submissions.

We recently had several submissions which I haven't had the chance to acknowledge yet, and I wanted to ensure I called out the authors of the rules and gave them credit for their submissions:

Nathan Fowler --
1:21375 <-> WEB-PHP Remote Execution Backdoor Attempt Against Horde
1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit
1:21438 <-> SPECIFIC-THREATS Blackhole Exploit Kit JavaScript carat string splitting with hostile applet (specific-threats.rules)

Jason Wallace --
1:21246 <-> BLACKLIST USER-AGENT known malicious user-agent string DataCha0s
1:21255 <-> BLACKLIST known malicious FTP login banner - 0wns j0
1:21256 <-> BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting
1:21257 <-> BLACKLIST URI - known scanner tool muieblackcat
1:21442 <-> BLACKLIST URI request for known malicious URI - base64 encoded

We'd like to thank the community for their rule submissions, as well as the continued submission of false positive reports.

Again, if you'd like to submit to the VRT ruleset, please email us at research [at] with your rule and the research behind it (pcap, ASCII dump, references, anything!).
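To make the submission format concrete, here is an added example of what a community rule submission could look like, written in Snort 2.9 rule syntax. This is not the VRT's own rule for sid 1:21246 (that rule's content isn't reproduced on this page); the content match, the traffic direction, the classtype, the local sid 1000001 and the constructed research notes are all assumptions made for illustration.

```snort
# Added example of a community submission (not the VRT's own rule for 1:21246).
# The content match, direction, classtype and sid below are assumptions.
#
# Research that would accompany this rule in the email to the VRT:
#   - a pcap of the traffic that produced the alert
#   - an ASCII dump of one request, e.g. (constructed sample, not real traffic):
#       GET /phpMyAdmin/ HTTP/1.1
#       Host: www.example.com
#       User-Agent: DataCha0s/2.0
#   - any references (write-ups, sandbox reports) that tie the string to the tool
#
# sid 1000001 is in the range reserved for local rules; the VRT assigns the
# final sid (here 1:21246) when the rule is accepted into the ruleset.
# Direction assumes a scanner hitting a web server in $HOME_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL BLACKLIST USER-AGENT known malicious user-agent string DataCha0s (submission example)"; \
    flow:to_server,established; \
    content:"User-Agent|3A| DataCha0s"; http_header; fast_pattern; \
    metadata:service http; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; \
)
```

Before sending, run the rule against the pcap you are submitting (for example `snort -c snort.conf -r submission.pcap -A console`) and confirm it alerts on the sample and stays quiet on normal traffic; anchoring the match to the User-Agent header with `http_header` and marking it with `fast_pattern` is the kind of performance detail the VRT's QA would otherwise have to add for you.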

As always, false positive reports belong here: This link allows us to process the FP quickly and efficiently.