Sunday, June 05, 2005

Test Your Snort Rules at

I missed the announcement in the Bleeding Snort forums last month of, a project supported by security vendor VigilantMinds. The idea is to submit a custom rule to see how it stacks up against other Snort rules in terms of "Relative Measure of Efficiency". Looking at the chart below, you see various RMEs for different Snort rule sets.

The important port is to notice how a rule like this BACKDOOR WinCrash 1.0 Server Active is considered "very slow" (probably due to PCRE matches), with a RME over 4 on Snort 2.2.0, compared to something like (IPS) ::MS-SQL Worm propagation attempt, with a RME around 1.4 on Snort 2.2.0. There's also a performance Wiki with speed tips.

I think sites like this are a great idea and I thank VigilantMinds for helping Snort users understand the speed effects of the rules they write. I don't really care how accurate it is at this point -- it's great just to know that a rule you write is much slower or much faster than an verage rule for a particular Snort rule set.

No comments: