Tuesday, June 07, 2005

Testing New Rules with TurboSnortRules.org

On Sunday I wrote about TurboSnortRules.org. Today I saw a post to snort-users asking if anyone had rules to detect W32.Mytob.DL@mm. One response recommended checking Bleeding Snort new rules. Looking there I found WORM_Mytob rules in a Web-browsable CVS format. Very nice.

I read the first rule and decided to see what TurboSnortRules.org had to say. I submitted the first rule after removing the classtype field, as TSR doesn't support it. Here was the response after a few minutes of waiting.

This looks like a good rule from a speed perspective; it is slightly faster than the average RME for most of the stock Snort rule sets.
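Since TSR would not accept the rule until the classtype option was removed, here is a small helper for doing that cleanly. It is an added example, not code from this post, from Bleeding Snort or from TurboSnortRules.org, and the sample rule inside it is constructed for illustration (it matches nothing real and uses a local-range sid). The point of parsing the option list instead of splitting on ";" is that a semicolon may legitimately appear inside a quoted msg or content value, where a naive split would corrupt the rule.

```python
"""Remove a named option (e.g. classtype) from a Snort rule.

Added example: not from the original post or from TurboSnortRules.org.
"""


def split_options(body):
    """Split the text between a rule's parentheses into option strings.

    Respects double-quoted values (where ';' may appear) and backslash escapes,
    so msg:"a; b" stays one option instead of becoming two.
    """
    opts, cur = [], []
    in_quote = escape = False
    for ch in body:
        if escape:                      # character after a backslash is literal
            cur.append(ch)
            escape = False
            continue
        if ch == "\\":
            cur.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
            continue
        if ch == ";" and not in_quote:  # unquoted ';' ends the option
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def option_names(rule):
    """Return the option keywords of a rule in order (e.g. ['msg', 'flow', ...])."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [o.split(":", 1)[0].strip() for o in split_options(body)]


def strip_option(rule, name):
    """Return the rule with every option whose keyword equals `name` removed.

    The rule header (action, protocol, addresses, ports) is left untouched.
    """
    start, end = rule.index("("), rule.rindex(")")
    header = rule[:start].rstrip()
    kept = [
        o for o in split_options(rule[start + 1 : end])
        if o.split(":", 1)[0].strip() != name
    ]
    return f"{header} ({' '.join(o + ';' for o in kept)})"


# Constructed sample rule: placeholder content, local-range sid, nothing real.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 '
    '(msg:"EXAMPLE worm smtp sample; constructed"; flow:to_server,established; '
    'content:"|3b| x"; classtype:trojan-activity; sid:9000001; rev:1;)'
)

if __name__ == "__main__":
    print(strip_option(SAMPLE_RULE, "classtype"))
```

Running the block prints the sample rule with classtype gone and the semicolon inside the msg string intact, which is the case a plain `rule.split(";")` gets wrong.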

VigilantMinds Customer Security Systems Manager Brian Dinello sent an email in response to my first story on TSR. As I learn what I can share about upcoming project developments, I will post word here.

3 comments:

Justin Mason said...

Hmm! That RME system looks interesting for us over at SpamAssassin -- like Snort, we have rules that can hurt performance and need profiling.

Don't suppose you have a URL handy that explains (a) what RME measures and (b) how they do it?

Richard Bejtlich said...

Justin,

This is the best available RME link. I suggest sending an email to brian dot dinello at vigilantminds dot com for more information.

Justin Mason said...

Sweet. Thanks for that, Richard -- I think that page (and the wiki) gives enough info. It'd be great to do something like that with SA...