On Fri, 2009-06-19 at 13:28 +0100, sanesecurity@xxxxxxxxxxxx wrote:
> McDonald, Dan wrote:
> >> What's stopping you from continuing to use the same format, but making
> >> the signature name stay the same for a particular signature each time a
> >> new file is generated?
> >
> > Then he'd have to remember the unique number assigned to each string,
> > when he could just generate the md5sum on the fly and not have to worry
> > about history.
> >
> > Like SYN-Cookies for spam patterns...
>
> All you'd have to do is read in the details from the current signature
> file before generating the new one ... Presumably that's already being
> done for any automated sanity checks anyway ...

So joejob.example.com is listed, is determined to be a FP, taken out,
then two days later collects a phish and is put back in. The admin
cleans up the mess, and the sig is pulled again. Then a bright young
intern decides to spam the world... Same number each time? Different
number? The md5sum stays the same no matter how many times it is removed.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
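Added example, not part of the original message or of any Sanesecurity tooling: a small simulation of the list/pull/relist scenario above, comparing md5-derived signature names with sequential numbers recovered by reading only the current signature file. The `Example.Sig` prefix, the `CounterNamer` class and every domain except joejob.example.com are constructed for illustration.

```python
import hashlib

PREFIX = "Example.Sig"  # hypothetical naming prefix, not from the thread


def hashed_name(pattern: str) -> str:
    """Name derived only from the pattern: no state to keep between builds."""
    digest = hashlib.md5(pattern.encode("utf-8")).hexdigest()
    return f"{PREFIX}.{digest}"


class CounterNamer:
    """Sequential numbering: stable only for patterns still in the history."""

    def __init__(self, history=None):
        self.history = dict(history or {})  # pattern -> assigned number

    def name(self, pattern: str) -> str:
        if pattern not in self.history:
            self.history[pattern] = max(self.history.values(), default=0) + 1
        return f"{PREFIX}.{self.history[pattern]}"


def build(patterns, namer):
    """Generate one signature file as {name: pattern}."""
    return {namer(p): p for p in patterns}


def simulate():
    """Constructed scenario: a pattern is listed, pulled as an FP, then relisted."""
    day1 = ["joejob.example.com", "phish.example.net"]
    day2 = ["phish.example.net", "new.example.org"]  # FP pulled
    day3 = ["phish.example.net", "new.example.org", "joejob.example.com"]  # relisted

    hashed = [build(day, hashed_name) for day in (day1, day2, day3)]

    # Counter names rebuilt from the *current* file only, as the quoted text
    # suggests: the number of a pulled entry is gone by the next build.
    counter, previous = [], {}
    for day in (day1, day2, day3):
        seen = {p: int(n.rsplit(".", 1)[1]) for n, p in previous.items()}
        previous = build(day, CounterNamer(seen).name)
        counter.append(previous)
    return hashed, counter
```

In this run the relisted pattern keeps its md5-derived name on day 3, while the counter scheme hands it a new number unless the history of pulled entries is stored somewhere other than the current file.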