On Wed, 2009-06-10 at 17:39 -0400, Adam Katz wrote:
> Karsten Bräckelmann wrote:
> > That said, I seem to recall that at least published SARE rule-sets
> > have been mentioned to be added to stock and thus obsoleted.
> 
> I suppose this is a point for Daryl (DOS) or whoever "maintains" SARE
> (read: runs the DNS), but they are not configured to obsolete nicely:

Err... No.  Actually, I was specifically talking about backhair or one of those
rule-sets. Note the "added to stock" part.

As for *all* SARE rule-sets, there is *one* definite source of status.
Rulesemporium. The very front page claims loudly the stuff is not
maintained. Each rule-set got a hint about last updated, last mass-
checked, and there are lots of sets specifically mentioning a SA version
number it is intended for.

Daryl provides a mirror of that stuff for anyone who deliberately WANTS
these rules. He is not to blame, but the admin who installs 5-year-old
rules.

There is no way for sa-update to fade out or obsolete a rule-set. There
is a version number to indicate an update. Installing them is at the
discretion of the admin.

Oh, and some, well, one(?) are actually updated these days and alive.


> > Also, there's no communications channel announcing sa-update rule
> > updates in detail.
> 
> Ooh, I like the idea of an RSS feed or a bot that posts to this list
> (or the dev list), specifically for retractions/removals and security
> updates, and hopefully not for any minor score tweak (or perhaps a
> ~weekly digest of such things).  This might be as simple as a script
> monitoring SVN checkins.

There is an svn checkins list.


> > Speaking about rules posted to the list: Those often will be
> > changed slightly in the sandbox after the initial post. Let alone
> > some rules being posted in various versions on this list -- which
> > one do you run?
> 
> I'm not sure if you actually want this, but ...  Rules I've pushed to
> and taken from this list are attached.

While I'm glad to see a couple KB prefixed rules right at the top... :)

No, I did not mean you to post them. That was a remark for the reader to
*think* about the various versions posted, and how many (read all) of
them are spread around thousands of systems.

That effectively means that a note about such rules going into stock
needs to include all of the versions, mentioning their specific overlap,
fuzziness, ...  Impossible.

Let alone local tweaks to those rules. Ultimately, the admin is
responsible for ANY third-party stuff he installed.


BTW, all my RATWARE_OUTLOOK variants are super-sets of the 08 one, as I
have mentioned on this list when I first posted them here. The 08 one is
the one, the rest were meant for debugging only.

  guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
