[Emerging-Sigs] Emerging Threats Sells Out!!!
evilghost at packetmail.net
Fri Oct 1 19:49:21 EDT 2010
On 10/01/2010 05:45 PM, Martin Holste wrote:
> I'm late to the party on this comment train, but I do have a few
> comments to share.
That's an amazingly fair/accurate synopsis; I can't find any aspect of it
that I could disagree with. Thanks for sharing this. It's nice to get
some validation that the closed-source GID3 rules aren't evil because
they're closed-source, but because they stifle just about every aspect
of investigation, rendering them largely useless.
I have false positives with GID3 at the same frequency as with GID1. With
GID1 I can view the rule, view the offending data, and also look
forward/back against data captured with daemonlogger or other
libpcap-based solutions which record traffic. With GID3 I'm faced with a
"trust us" aspect, and the false positives negate my ability to react
intelligently.
I've also lost confidence in the VRT team to properly apply the needed
QA; time and time again they have proved that QA is a second-thought and
rush-job rule releases result in epic failure.
I've been known to submit crap upstream; the difference is I'm not
digging in your wallet, and my intentions aren't profit-motivated. When
I won the Signature Contest I sent my SWAG over to the VRT team and to
Matt Olney; I never heard if they got it.
I'd like to think at night, when no one's watching, they secretly wear it.