Test Your Snort Rules at TurboSnortRules.org

I missed the announcement in the Bleeding Snort forums last month of TurboSnortRules.org, a project supported by security vendor VigilantMinds. The idea is to submit a custom rule to see how it stacks up against other Snort rules in terms of "Relative Measure of Efficiency". Looking at the chart below, you see various RMEs for different Snort rule sets.

The important port is to notice how a rule like this BACKDOOR WinCrash 1.0 Server Active is considered "very slow" (probably due to PCRE matches), with a RME over 4 on Snort 2.2.0, compared to something like (IPS) ::MS-SQL Worm propagation attempt, with a RME around 1.4 on Snort 2.2.0. There's also a performance Wiki with speed tips.

I think sites like this are a great idea and I thank VigilantMinds for helping Snort users understand the speed effects of the rules they write. I don't really care how accurate it is at this point -- it's great just to know that a rule you write is much slower or much faster than an verage rule for a particular Snort rule set.

Comments

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics