[sanesecurity] Re: jurlbl signature name stability

  • From: "McDonald, Dan" <Dan.McDonald@xxxxxxxxxxxxxxxx>
  • To: <sanesecurity@xxxxxxxxxxxxx>
  • Date: Fri, 19 Jun 2009 07:37:51 -0500

On Fri, 2009-06-19 at 13:28 +0100, sanesecurity@xxxxxxxxxxxx wrote:
> McDonald, Dan wrote:
> >> What's stopping you from continuing to use the same format, but making 
> >> the signature name stay the same for a particular signature each time a 
> >> new file is generated?
> > 
> > Then he'd have to remember the unique number assigned to each string,
> > when he could just generate the md5sum on the fly and not have to worry
> > about history.
> > 
> > Like SYN-Cookies for spam patterns...
> 
> All you'd have to do is read in the details from the current signature 
> file before generating the new one ... Presumably that's already being 
> done for any automated sanity checks anyway ...

So joejob.example.com is listed, is determined to be a FP, taken out,
then two days later collects a phish and is put back in.  The admin
cleans up the mess, and the sig is pulled again.  Then a bright young
intern decides to spam the world...  Same number each time?  Different
number?  The md5sum stays the same no matter how many times it is
removed.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
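The listed, pulled, relisted scenario from the message above, replayed as an added example (not code from the list or from the jurlbl generator). It compares numbers carried over by reading the previous signature file with names derived from the MD5 of the listed string. The name prefix, the function names, and every domain other than joejob.example.com are constructed for illustration.

```python
import hashlib

PREFIX = "Example.Jurlbl."  # hypothetical prefix, not the real signature format
TARGET = "joejob.example.com"

# Constructed build history: the set of listed strings at each regeneration.
HISTORY = [
    {"a.example.net", TARGET},                                    # listed
    {"a.example.net"},                                            # pulled as FP
    {"a.example.net", "b.example.org", TARGET},                   # relisted
    {"a.example.net", "b.example.org"},                           # pulled again
    {"a.example.net", "b.example.org", "c.example.org", TARGET},  # relisted
]


def md5_name(pattern):
    """Stateless naming: MD5 serves only as a stable label for the string."""
    return PREFIX + hashlib.md5(pattern.encode("utf-8")).hexdigest()


def numbered_build(previous, listed):
    """Numbered naming that reuses numbers read from the previous file."""
    next_id = max(previous.values(), default=0) + 1
    current = {}
    for pattern in sorted(listed):
        if pattern in previous:
            current[pattern] = previous[pattern]
        else:
            current[pattern] = next_id
            next_id += 1
    return current


def replay(history, target=TARGET):
    """Return (numbers, md5 names) the target received in each build listing it."""
    previous, numbers, names = {}, [], []
    for listed in history:
        previous = numbered_build(previous, listed)
        if target in listed:
            numbers.append(previous[target])
            names.append(md5_name(target))
    return numbers, names


if __name__ == "__main__":
    numbers, names = replay(HISTORY)
    print("numbered:", numbers)
    print("md5-named:", sorted(set(names)))
```

Once an entry has been absent from one generated file, the carry-over approach has no record of its old number, and in this run the freed number is handed to a different string on the next build.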
