[Snort-users] RE: CAUTION: Long Rant!!! Re: [Snort-sigs] Broken 1429.2 (POLICY poll.gotomypc.com access)

Eric Hines eric.hines at ...8860...
Tue Oct 12 10:08:17 EDT 2004


I will have to concur with Matt Jonkman here. You have a track record of
degrading people in open forums and have done so to me on several occasions
with no hesitation since I first started posting. The first occurrence I can
remember was attempting to help the community make signatures for a new worm
that came out. Your only response was to attack me for using reserved SIDs.
You attack people on a consistent basis and I am frankly getting sick and
tired of you and your ego trips.

One instance recently I'd like to bring up was your response to my post to
Sam Evans who was inquiring about anyone who had run VMware server + Snort.
I merely offered the fact that several of our customers use it and you took
the opportunity to not only attack my post but put words in my mouth and
attacked me in an open forum while doing so. 

I don't know what your story is Brian, but everyone I've spoken to that
you've ripped a new hole in on mailing lists would like to see your attitude
take a major change. After all, you are the face of snort.org -- you should
represent it with more professionalism and courtesy to the community.

Thank God someone here had the audacity to finally say something to you.

One thing in life you'll learn pretty quickly is that respect is earned, not
given to you because of your status or who you are.

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.

-----Original Message-----
From: Matt Jonkman [mailto:matt at ...12231...] 
Sent: Tuesday, October 12, 2004 10:26 AM
To: Brian
Cc: snort-sigs at lists.sourceforge.net
Subject: CAUTION: Long Rant!!! Re: [Snort-sigs] Broken 1429.2 (POLICY
poll.gotomypc.com access)

I didn't know I was making an official statement. Or that we were going to
have a p*ssing contest over it or I'd have gone back to timestamps myself. I
can image the drive and start an investigation if you need to protect your

You're right, the bleeding rule was missing the udp side, changed that. 
You had the wrong IP on your rule. If you're updating that then we don't
need to keep a second copy of the rule at bleedingsnort. The bleeding rule
came about because the traffic was not being detected. Had there been
communication between us then there would have been one good rule instead of
2 bad ones.

Why is it we can't work together here Brian? (hence why bleedingsnort
exists)  Tried to talk about this privately and haven't gotten even an email
response from you, so I'm airing the dirty laundry publicly. Maybe you'll
respond here.

The response I (and the bleeding admins and users) would probably like to
hear is something along the lines of:

"As the official snort community rule maintainer I'm so incredibly excited
that we all can continue to band together to respond in new and faster ways
to deal with the new threats we all face, and help me (Brian
Caswell) be even more effective in my job. We'd love to establish a
relationship to let rules that work well in bleeding snort come over to the
snort.org lists to avoid duplication. We also have an incredible base of
knowledge and expertise on sourcefire to write rules we'd love to use to
help these new rules mature. And Matt Jonkman is a great guy."

Well all but the last sentence at least.

What we hear now is you slamming and degrading every new idea, and
especially any new person that comes into the community to learn and
contribute. Go look over your posts for the last year on the list. Very few
aren't degrading. I can name several people that used to contribute to
bleeding and the snort community that have turned away pissed off because
you essentially called them an idiot for asking or suggesting something, or
worse yet putting up a rule that wasn't perfect. The most recent being
Joseph Gama. He was putting tons of time into building hundreds of rules for
us, most great, some not so great. One email from you and he's gone, won't
even return a snort related email.

Disclaimer: I have to specifically and vehemently exclude your peers at
sourcefire. Everyone else has been supportive and has taken extra time to
explain and help mature the rules the community is producing. Nigel and Matt
W have been an excellent help to us and have supported us. But they aren't
the rules maintainers and thus not who we need to interface with.

It's very clear that Nigel and Matt W have not forgotten that they work for
a commercial company whose success is based on an open project and open
community. That's a very important aspect of our little world. I hope we're
not coming to a point where that arrangement will become incompatible. That
would be devastating to both the open source and commercial snort.


Brian wrote:
> On Mon, Oct 11, 2004 at 07:58:04PM -0500, Matt Jonkman wrote:
>>Wait, spoke too soon. Wasn't aware that snort.org had brought that
>>rule in.
>>The one we have at bleedingsnort was already on the new IP. But if
>>the snort folks are going to update we'll take our rule out. Didn't
>>know it went over there. Ours is sid 2000309.
> Please look at the timestamps of when those rules were added, then
> correct your statement.
> The rule in question was added to Snort's ruleset on November 6th,
> 2002 at 1:35 PM.  (version 1.27 of policy.rules) Your rule was added
> June 8th 2004 at 4:13 PM.  (version 1.24 of bleeding.rules)
> Also note, your rule misses some gotomypc traffic.  While the majority
> of the traffic generated by gotomypc is TCP, at one point in time a
> UDP client was available.  
> That's alright, that's ok, <insert some witty statement that a
> cheerleader might spout out at a football game here>.
> Brian

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
