[Request] Snort VRT categories list cleanup


  • Banned

    Currently, the following categories are empty, abandoned and not coming back:

    
    snort_attack-responses.rules
    snort_backdoor.rules
    snort_bad-traffic.rules
    snort_botnet-cnc.rules
    snort_chat.rules
    snort_ddos.rules
    snort_dns.rules
    snort_dos.rules
    snort_experimental.rules
    snort_exploit.rules
    snort_finger.rules
    snort_ftp.rules
    snort_icmp-info.rules
    snort_icmp.rules
    snort_imap.rules
    snort_info.rules
    snort_misc.rules
    snort_multimedia.rules
    snort_mysql.rules
    snort_nntp.rules
    snort_oracle.rules
    snort_other-ids.rules
    snort_p2p.rules
    snort_phishing-spam.rules
    snort_policy.rules
    snort_pop2.rules
    snort_pop3.rules
    snort_rpc.rules
    snort_rservices.rules
    snort_scada.rules
    snort_scan.rules
    snort_shellcode.rules
    snort_smtp.rules
    snort_snmp.rules
    snort_specific-threats.rules
    snort_spyware-put.rules
    snort_telnet.rules
    snort_tftp.rules
    snort_virus.rules
    snort_voip.rules
    snort_web-activex.rules
    snort_web-attacks.rules
    snort_web-cgi.rules
    snort_web-client.rules
    snort_web-coldfusion.rules
    snort_web-frontpage.rules
    snort_web-iis.rules
    snort_web-misc.rules
    snort_web-php.rules
    
    

    @bmeeks: On next package update, it would be nice to get rid of this useless clutter in the GUI. Upstream planned to "delete them soon" – 2 years ago - probably not gonna ever happen.  ::) It's almost half of the categories pointlessly bloating the GUI list.

    Thanks for considering.  ;)

    P.S. While at it, emerging-rbn-malvertisers.rules and emerging-rbn.rules from ET are also abandoned forever.



  • Yeah, I was hoping upstream would take care of it eventually.  Right now I just extract the contents of the rules tarball "as is" from the vendors.  Since the cleanup appears to maybe never be happening, I will see about removing them myself.

    Bill



  • This change is coded and has been successfully tested.  I use a plain text file called deprecated_rules in the base Snort RULES directory to determine which categories are obsolete and should be removed.  I built the initial file using @doktornotor's list.  Future updates will be as simple as adding the category file name to the text file.  This change will be in the next Snort package update which should be out soon.

    Bill
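
The deprecated_rules mechanism described in the post above, sketched as an added example; this is not code from the thread or from the pfSense Snort package. The one-name-per-line format, the `#` comment syntax and the function names are assumptions, and the directory contents are constructed sample data.

```python
import os
import tempfile

def prune_deprecated(rules_dir, list_name="deprecated_rules"):
    """Delete category files named in the list; return (removed, rejected)."""
    removed, rejected = [], []
    list_path = os.path.join(rules_dir, list_name)
    with open(list_path, encoding="utf-8") as fh:
        for raw in fh:
            name = raw.strip()
            if not name or name.startswith("#"):
                continue  # blank line or comment (comment syntax is assumed)
            # Accept only a bare *.rules file name: an entry with a path
            # separator or ".." must never reach os.remove().
            if name != os.path.basename(name) or not name.endswith(".rules"):
                rejected.append(name)
                continue
            target = os.path.join(rules_dir, name)
            # Skip symlinks so the cleanup cannot touch files outside rules_dir.
            if os.path.isfile(target) and not os.path.islink(target):
                os.remove(target)
                removed.append(name)
    return removed, rejected

def demo():
    """Run against a constructed rules directory and return the outcome."""
    with tempfile.TemporaryDirectory() as d:
        for f in ("snort_finger.rules", "snort_telnet.rules",
                  "snort_malware-cnc.rules"):
            open(os.path.join(d, f), "w").close()
        with open(os.path.join(d, "deprecated_rules"), "w") as fh:
            fh.write("# constructed sample list\nsnort_finger.rules\n"
                     "snort_telnet.rules\n../snort.conf\nsnort_rpc.rules\n")
        removed, rejected = prune_deprecated(d)
        return removed, rejected, sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

Entries that are listed but already absent from the directory are ignored, so the same list can be applied on every rules update.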


  • Banned

    @bmeeks: "This change will be in the next Snort package update which should be out soon."

    Excellent, thanks! Going to do the same for Suricata as well?



  • @doktornotor: "Excellent, thanks! Going to do the same for Suricata as well?"

    Yeah, I will port the same fixes/features in Snort over to Suricata.  The Suricata GUI code was cloned from Snort's anyway, so they share a ton of functions with identical code.

    Bill