Tuesday, 07 June 2005

Testing New Rules with TurboSnortRules.org

On Sunday I wrote about TurboSnortRules.org. Today I saw a post to snort-users asking if anyone had rules to detect W32.Mytob.DL@mm. One response recommended checking Bleeding Snort new rules. Looking there I found WORM_Mytob rules in a Web-browsable CVS format. Very nice.

I read the first rule and decided to see what TurboSnortRules.org had to say. I submitted the first rule after removing the classtype field, as TSR doesn't support it. Here was the response after a few minutes of waiting.



This looks like a good rule from a speed perspective; it is slightly faster than the average RME for most of the stock Snort rule sets.

VigilantMinds Customer Security Systems Manager Brian Dinello sent an email in response to my first story on TSR. As I learn what I can share about upcoming project developments, I will post word here.
