[Snort-sigs] [Fwd: Proposed change to the Virus Rule]

Brian bmc at ...95...
Wed Jul 7 07:40:32 EDT 2004


On Tue, Jul 06, 2004 at 06:10:31PM -0500, Matthew Jonkman wrote:
> Lots of rule changes got incorporated today, thanks Brian. Any idea when 
> an updated tarball will be available for the changes you've made?

When I am done QAing them.  

One of the many things Sourcefire has brought to Snort is QA.  I built
a regression test suite for the Snort ruleset that must have no
failures for us to "ship" new rules.  Currently, I am running over
2,500,000 separate unit tests; any failure requires fixing the
failure, and restarting the test.

Right now, I have the unit tests down to a few hours, but that's spread
across half a dozen high-end Intel machines.  Each is a dual Xeon (3.0
GHz) with 2 gigs of RAM.

BTW, when you send me pcaps of false positives, once I verify that
there is a false positive in the rule, I add it to the test suite, and
*fingers crossed* we will never see that specific false positive
again.

> Side note, would it be possible to have the tarballs updated from cvs by 
> a cron job? CVS is a pain for scripted sensor managers.

This is already done.  What do you think the snapshots on the website
are made from?  I got into programming because I'm lazy.  Didn't
everyone else?

> On the post I made last week (below) I'm more concerned that there's a 
> pcre issue in snort. Several people have responded off list and we've 
> not got an answer yet. Should I shoot this over to snort-devel?

I have not got to that one yet.  It requires more thinking than "Yep"
or "nope" but it is in my queue.  Be patient :)

-b



