[Snort-sigs] [Fwd: Proposed change to the Virus Rule]
bmc at ...95...
Wed Jul 7 07:40:32 EDT 2004
On Tue, Jul 06, 2004 at 06:10:31PM -0500, Matthew Jonkman wrote:
> Lots of rule changes got incorporated today, thanks Brian. Any idea when
> an updated tarball will be available for the changes you've made?
When I am done QAing them.
One of the many things Sourcefire has brought to Snort is QA. I built
a regression test suite for the Snort ruleset that must have no
failures for us to "ship" new rules. Currently, I am running over
2,500,000 separate unit tests; any failure requires fixing the
failure and restarting the test.
Right now, I have the unit tests down to a few hours, but that's spread
across half a dozen high-end Intel machines. Each is a dual Xeon (3.0
GHz) with 2 gigs of RAM.
BTW, when you send me pcaps of false positives, once I verify that
there is a false positive in the rule, I add it to the test suite, and
*fingers crossed* we will never see that specific false positive
> Side note, would it be possible to have the tarballs updated from cvs by
> a cron job? CVS is a pain for scripted sensor managers.
This is already done. What do you think the snapshots on the website
are made from? I got into programming because I'm lazy. Didn't
> On the post I made last week (below) I'm more concerned that there's a
> pcre issue in snort. Several people have responded off list and we've
> not got an answer yet. Should I shoot this over to snort-devel?
I have not got to that one yet. It requires more thinking than "Yep"
or "nope" but it is in my queue. Be patient :)