Emerging Threats Projects

This page indexes the projects hosted at or closely connected and supported by the Emerging Threats Community. We highly encourage you to use and support these projects.


SnortValidator is a script which will parse your ruleset and tell you about a myriad of errors, style problems, and pcre issues. It tells you FAR more than Snort will. This is written and maintained by decoder.


SidReporter is a tool that allows Emerging Threats users to anonymously report their Snort hits and attackers. This will help improve the accuracy of the rulesets, and will result in block lists and highly tuned rulesets being fed back to the community!


Written by William Metcalf, this allows ease of PCAP file rotation and data retrieval from sensors where ring tcpdump is in use.

Remote BHO Scanner

This project allows you to scan a large number of Windows systems quickly for BHO’s installed. It’s very informative, very fast, and very accurate. The tool is very useful for finding rogue spyware installs in a large net. It uses the BHO listings from CastleCops?. Thanks to them for maintaining that list.

DavidGlosser? maintains this project.


Spyware Listening Post

The goal of the SpywareListeningPost is to build a self-sustaining spyware prevention and detection framework. We are accomplishing this by using existing tools such as the BlackHoleDNS? project, the User-Agents project, and our existing Emerging Threats Spyware Signatures (EmergingMalware). Hits from spyware infections are fed to a database and analyzed, new patterns and techniques are immediately recognized and new signatures are added to the ruleset. This project results in at least 10 new spyware signatures a week.

This project is maintained by Matt Jonkman.

Project Page -- SpywareListeningPost

Note: An interface to allow general access to the sanitized data is underway.

Snort BaitnSwitch

The Snort BaitnSwitch Project was written by WillMetcalf? and VictorJulien. This tool can be used to redirect hostile traffic in real-time to a honeypot or decoy net.

More information is available Here: BaitnSwitch.


This project is maintained by Will Metcalf and Victor Julien.

Snort.conf Samples Project

The goal of this project is to make a set of sample snort.conf files. These will represent different size and goal installs of snort. We do not intend to provide snort.conf files that you can use without modification or understanding, but guides to help you benefit from the experience of the community as a whole.The discussion to create these configuration files will occur on the emerging-sigs list.The files for this project will be stored here:


Project Page -- SnortConfSamples

CVS Repository

This project is maintained by JamesMcQuaid


The SnortClamAV project brings you a patched snort that using the ClamAV? virus database can alert and/or block viruses at the network level. This project is maintained by William Metcalf and Victor Julien.

SnortClamAV CVS Web Interface http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/snort-clamav/?cvsroot=snort-clamav

Spyware User-Agents List

The Spyware User-Agents project is a list of User-Agent strings used by common spyware, malware, and viruses, etc. The intention is to alow you to block these in proxy servers, write snort signatures from them, or identify unknown code.This project is currently dormant.


SPADE (Statistical Packet Anomaly Detection Engine) is a project built years go by Silicon Defense. It was left abandoned for a long time. Simon Bliles has revived the project and is beginning the long journey of modernizing and securing the code. There is a working version in CVS.

This project is maintained by Simon Biles.

SPADE CVS Web Interface


A number of patches for snort and related projects are located here:


Topic revision: r12 - 2009-08-21 - MattJonkman
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats