[Snort-sigs] If You're Using Bleeding Snort Rules Read This!!

Erik Fichtner emf at ...3056...
Thu Jun 9 06:25:04 EDT 2005


On Thu, Jun 09, 2005 at 08:05:50AM -0500, Matt Jonkman wrote:
> Ya, vars will be a good thing for ossrc to handle. 

No. It won't.  Variables are a language feature. They are an
integral part of writing a rule.   You all need to get over
this silly misconception that we must deal only in atomic
units of a single line; "alert ... ( ... )"

The OSSRC won't have much to say about this when the new
configuration syntax gets dropped on us in 3.0 (or whenever
Sourcefire plans on releasing it; it's only been vaguely
announced) and is much more like a programming language.

The OSSRC is not a substitute for your own change control
procedures.  It's depressing that a bunch of people who
should know better got burned by this, but honestly, if you
want someone else to make sure your sensors are configured
properly, perhaps you should pay someone to do that. 

I understand there's something called the VRT and they release
signatures on a subscription basis for people that cannot
handle building, testing, validating, and distributing the 
ruleset for their own customers.



-- 
Erik Fichtner; Unix Ronin

"Mathematics is something best shared between consenting adults
in the privacy of their own office" - Adam O'Donnell