[Snort-sigs] Signature contributions

nnposter at ...592...
Tue May 18 09:26:09 EDT 2004


I would like to solicit feedback, particularly from Sourcefire,
on how non-Sourcefire folks like me should contribute signature updates,
if at all.


Background: Over the course of the last four weeks I have submitted update
proposals for 16 rules with poor results:

Subject: Poor detection rate by 1:716:6 (TELNET access)
Date: Tue, 27 Apr 2004
==> rule updated

Subject: Avoidance of 1:1970:1 (WEB-IIS MDAC Content-Type overflow attempt)
Date: Tue, 27 Apr 2004
==> rule updated

Subject: Re: Avoidance of 1:1970:1 (WEB-IIS MDAC Content-Type overflow attempt)
Date: Thu, 29 Apr 2004
==> no update or feedback

Subject: False positives on 1:1054:6 (WEB-MISC weblogic/tomcat .jsp view source attempt)
Date: Thu,  6 May 2004
==> no update or feedback

Subject: False negatives on 1:491:6 (INFO FTP Bad login)
Date: Thu, 10 May 2004
==> no update or feedback


Overall, 2 out of 16 accepted and the rest silently ignored. I am not expecting
the contributions to be automatically accepted and expensive cars given as
rewards, but I would appreciate it if I were at least told why they were rejected.
This way I would have a chance to produce better update proposals in the future
or stop sending them if they are of no interest to the community.

Cheers



