I've had a few weeks now to delve into how the rule process works and it is
convoluted. However, I'm not sure there is a good, easy fix. I'm just
coming up to speed with how best to get rules to "release quality" standards
because I feel that rules built into SA have to really be of the highest
quality. The recent addition of sa-update may change my position on that.
However, adding more people writing rules and trying to explain the
difference between .* and .{0,30} and False Positives could get very
tiresome. Some people make it over the hill and start writing good rules
but I still see a lot of crazy or simply inefficient rules.
That said, there have been a lot of rule writers who have been frustrated
over the years (myself included) with the difficulty of rules submission and
rules update. I think the creation of SARE/rules emporium would be an
example of this but again sa-update seems like an excellent step towards
this.
Therefore, I think a web-based rule submission system with attached spamples
could be very useful for adding rules directly for testing. It should be
simple and quick.
After that, I think growing the corpus for testing new rules and getting
more systems running honeypots and nightly mass check would be the next
step.
Finally, allowing sa-update to quickly use these new rules would be
ideal. I would set up thresholds (some automatic) like:
brand new (lints but hasn't been run through nightlymasscheck)
experimental (has XYZ result with nightlymasscheck)
...
released (will be in the next release / current sa-update threshold)
This would allow something akin to sa-update --threshold=experimental which
in addition to the new SA rules would also get the rules that are
experimental.
Regards,
KAM

It strikes me that the process to become an ASF committer is turning out
to be a little too onerous for some of our purposes.