The Snort.org Sample IP Block List, available via snort.org, is intended as a resource open source users may take advantage of to test the IP blocking functionality of Snort.

The Snort.org Sample IP Block List represents less than 1% of the IP Block List maintained and produced by the Talos team at any given time. As such we do not recommend users rely on this list as their primary source of IPs to block or automate updates of this list.

Usage of this list is not comparable to having the benefit of Talos security or protection

Users that are interested in Talos service or protection should reach out to their Cisco Account Manager or partner.

Daemonlogger™ is a packet logger and soft tap developed by Martin Roesch. The libpcap-based program has two runtime modes:

1. It sniffs packets and spools them straight to the disk and can daemonize itself for background packet logging. By default the file rolls over when 2 GB of data is logged.
2. It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.

These two runtime modes are mutually exclusive, if the program is placed in tap mode (using the -I switch) then logging to disk is disabled.

Make SURE you read the included COPYING file so that you understand how this file is licensed by Cisco, even though it's under the GPL v2 there are some clarifications that we have made regarding the licensing of this program.

Project Razorback™ is an undertaking by Talos. Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.

Pulled_Pork is tool written in perl for managing Snort rule sets. Pulled_Pork features include:

• Automatic rule downloads using your Oinkcode
• MD5 verification prior to downloading new rulesets
• Full handling of Shared Object (SO) rules
• Generation of so_rule stub files
• Modification of ruleset state (disabling rules, etc)
• The project is run by Mike Shirk & JJ Cummings

Tool for parsing and generating usable information from Snort's performance metric output.

OfficeCat™ is a command line utility developed by Talos that can be used to process Microsoft Office Documents to determine the presence of potential exploit conditions in the file. OfficeCat is available for Windows and Linux. While this software has been incorporated into Razorback, you can still find the officecat download in the nuggets section.

Snort-vim is the configuration for the popular text based editor VIM, to make Snort configuration files and rules appear properly in the console with syntax highlighting. This has been merged into VIM, and can be accessed via "vim filetype=hog".

Barnyard2 provides the following enhancements to the original

• Parsing of the new unified2 log files.
• Maintains majority of the command syntax of barnyard.
• Addressed all associated bug reports and feature requests arising since barnyard-0.2.0.
• Completely rewritten code based on the GPLv2 Snort making it entirely GPLv2.
• SnortSam functionality

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! For more information, or to contact the author, please see http://securityonion.net.

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

This tool is a small Linux Daemon that greps the Snort Alert file and blocks the offending hosts via iptables for a given amount of time. iBlock supports the whitelisting of IP addresses so those IPs will never be blocked.

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

OSSIM stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator with detailed view over each and every aspect of his networks/hosts/physical access devices/server/etc

Snorby is a new, open source front-end for Snort. The basic fundamental concepts behind Snorby are simplicity and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use. To download Snorby visit the project site.

PacketFence is a fully supported, Free and Open Source network access control (NAC) system. PacketFence is actively maintained and has been deployed in numerous large-scale institutions over the past years. It can be used to effectively secure networks - from small to very large heterogeneous networks. PacketFence has been deployed in production environments where thousands of users are involved.

SNEZ is a web interface to the popular open source IDS program SNORT® . The main design feature of SNEZ is the ability to filter (or dismiss) alerts without having to delete.

bProbe is a Snort IDS that is configured to run in packet logger mode. It can be installed on a pc and inserted at a key juncture in a network to monitor and collect network activity data. The data collected is sent to a central "receiver" server (not included), which is any software capable of interpreting IDS data such as Snort or its variants.

bProbe uses Snort, Barnyard2, and Pulled_Pork, which are provided pre-configured on a Linux Centos 64-bit cd to save you time and maintenance.

NST is a bootable ISO live CD/DVD is based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86 platforms.

This tool is used to query and view IDS alert data stored in a Sguil database. The design philosophy is somewhat.. OK, loosely, analogous to reading a newspaper.