Snort mailing list archives
Re: [Spam] Re: Possible FP 17363
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 26 Oct 2010 15:48:06 -0400
When a rule is updated, it basically starts over in the 30-day window. Rules are continually updated.

J

On Oct 26, 2010, at 3:26 PM, Lay, James wrote:
Ok awesome...that helps. So what that does mean is that after a rule is updated (rule 17363) I will have to just deal with the problems (FPs) for 30 days until it's pushed to the Registered ruleset. The reality is that I will disable the rule (already done so), and will most likely not catch setting it in my oinkmaster log, then I'll have an updated rule that is disabled.

Thanks for taking the time to help me understand...these types of issues are what I use to push going with a commercial product to the upper layers ;)

James

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, October 26, 2010 1:05 PM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

If you insert another 2 in between 3 and 4 and then insert a 2 after 4 somewhere as well.

J :)

On Oct 26, 2010, at 2:48 PM, Lay, James wrote:

Thanks Joel, I think I get it. Hopefully not off topic, but what's the..."life" of a rule? Is the below correct?

1. Initial rule published to Subscription Users
2. Updates made/rev changed (if needed)
3. Published to Registered Users after 30 days
4. All updates to the rule go back to step 1

If this is the case, then this explains why I have rev 1 of rule 17363, while Subscription Users have rev 3. Do I have it right?

Thanks.

James

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, October 26, 2010 11:17 AM
To: Lay, James
Cc: <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] [Spam] Re: Possible FP 17363

While the VRT can do millions of tests against rules, it's also very helpful for us to receive these reports from our rule users (registered or subscriber). VRT can't emulate every kind of traffic that you all will run into.
Updates are our way of making things more efficient and less false positive prone.

J

Sent from my iPhone

On Oct 26, 2010, at 1:01 PM, "Lay, James" <james.lay () wincofoods com> wrote:

I think this changes my thoughts on what the free registered feed is...from "30 days old" to "30 days old and possibly broken".

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

--
Joel Esler
302-223-5974
