[Snort-sigs] Recent [unilateral, unannounced] Rule Changes

JP Vossen jp at ...1432...
Thu Jul 1 14:32:34 EDT 2010

On 07/01/2010 10:34 AM, Mike Guiterman wrote:

> The changes to the rules download process in April and again this
> month were designed to resolve two of the most common complaints from
> the community:

Sure, I get it, and I appreciate that.  The point was that you can't 
change things, even for the better, without *advance* notice to the 
people who are going to have to scramble to fix things on an emergency 
basis when you don't warn them.

> Yes - this was communicated on 4/26,
> but we provided a 30 day window to make the change  [...]

Yes, you did, but there was no warning ahead of time.  I agree that the 
30 day window, after the change, was a large mitigating factor for that 
change.  But still...  Changes without warning really bug the heck out 
of anal retentive change control (read large enterprise) folks.  And me 
too, can you tell?  :-)

> Given the headaches caused (and putting the inaccurate guidance I
> posted aside for this thread) we should have provided a longer window
> for users to digest the change and plan the update like we did in
> April.
> In the future I don't know that setting up yet another mailing list is
> the solution, but your point on communicating changes in advance is
> well taken.  For future changes I'll commit to exhausting all of the vehicles
> (mailing lists, VRT Blog, Snort.org) and ensure changes like this are
> communicated in advance and in a coordinated manner across the
> community.

Thank you, that will be *very* helpful!  I'll shut up about this now, I 
think we've beaten it enough on-list.

> For now - Anyone using VRT rules really should subscribe to snort-sigs
> and the VRT blog.  Those are the two primary communication outlets for
> the VRT.  We realize that many don't so we'll expand where these
> changes are announced.

FWIW, I agree, and I do monitor them.  I will note that most if not all 
of us have *lots* of similar feeds to keep track of though.  To mangle 
the quote, please "Inform early and often."

