Testing New Rules with TurboSnortRules.org

On Sunday I wrote about TurboSnortRules.org. Today I saw a post to snort-users asking if anyone had rules to detect W32.Mytob.DL@mm. One response recommended checking Bleeding Snort new rules. Looking there I found WORM_Mytob rules in a Web-browsable CVS format. Very nice.

I read the first rule and decided to see what TurboSnortRules.org had to say. I submitted the first rule after removing the classtype field, as TSR doesn't support it. Here was the response after a few minutes of waiting.



This looks like a good rule from a speed perspective; it is slightly faster than the average RME for most of the stock Snort rule sets.
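The one mechanical step above, stripping an option (here classtype) from a rule before handing it to a tool that does not accept it, is easy to get wrong with a naive split on ';', because a ';' can legally appear inside a quoted content match. The following is an added example, not code from the original post or from TurboSnortRules.org; the rule it operates on is a constructed stand-in in the standard Snort rule layout, not the Bleeding Snort WORM_Mytob rule itself, and the function names are my own.

```python
# Added example: split a Snort rule into header and options and drop one
# option by name, respecting quoted values so content:"a;b" survives intact.
# The sample rule below is constructed for illustration; it is not the
# Bleeding Snort Mytob rule and the sid is a placeholder.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 '
    '(msg:"WORM Mytob-style SMTP beacon"; flow:to_server,established; '
    'content:"EHLO"; nocase; content:"|3B| x|3B|"; classtype:trojan-activity; '
    'sid:1000001; rev:1;)'
)


def split_rule(rule: str):
    """Return (header, [option, ...]) for a single-line Snort rule.

    Options are separated by ';', but a ';' inside a double-quoted value
    must not split the option, so the body is scanned character by character
    instead of using str.split().
    """
    rule = rule.strip()
    if not rule.endswith(')'):
        raise ValueError("rule must end with ')'")
    open_idx = rule.index('(')
    header = rule[:open_idx].strip()
    body = rule[open_idx + 1:-1]

    options, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            # keep escaped characters (e.g. \" or \;) together
            cur.append(ch)
            cur.append(body[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opt = ''.join(cur).strip()
            if opt:
                options.append(opt)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        options.append(tail)
    return header, options


def drop_option(rule: str, name: str) -> str:
    """Rebuild the rule without any option whose keyword matches `name`."""
    header, options = split_rule(rule)
    kept = [
        o for o in options
        if o.split(':', 1)[0].strip().lower() != name.lower()
    ]
    return f"{header} ({' '.join(o + ';' for o in kept)})"


if __name__ == "__main__":
    print(drop_option(SAMPLE_RULE, "classtype"))
```

The keyword comparison is case-insensitive and only looks at the text before the first ':', so flag-style options such as nocase are compared whole. Anything the submission form rejects could be removed the same way by changing the name argument, and the header is passed through untouched so the rule's protocol, addresses and ports are preserved exactly.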

VigilantMinds Customer Security Systems Manager Brian Dinello sent an email in response to my first story on TSR. As I learn what I can share about upcoming project developments, I will post word here.

Comments

Justin Mason said…
hmm! That RME system looks interesting for us over at SpamAssassin -- like SNORT we have rules that can hurt performance, and need profiling.

don't suppose you have a URL handy that explains (a) what RME measures and (b) how they do it?

Justin,

This is the best available RME link. I suggest sending an email to brian dot dinello at vigilantminds dot com for more information.

Justin Mason said…
sweet. thanks for that Richard -- I think that page (and the wiki) gives enough info. it'd be great to do something like that with SA...
