On Wed, 20 Oct 2010 14:10:57 -0400, Derek Morris <[email protected]> wrote:

> I would have to say the Upgrade process. I have to do a diff on numerous
> rules files that I have edited and it takes quite a bit of painstaking work
> to complete.
I see this as being a continuous risk for you that won't be changed. Since the supported method of tuning is only by using local_rules.xml, you'll always have to do this.

On the other hand, we should have a better way to alert the user that something in the local rules could be affected by something in the official rules that is changing (e.g. if_sid, if_group, etc.). Some work on automated regression testing on official rules has already been done, and that should help in this area.

-- 
[I] Immutable Security
Information Security, Privacy and Personal Liberty
http://www.immutablesecurity.com
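One shape the "better way to alert the user" could take, as an added example that is not from this thread or from the project itself: a small Python checker that reads a local_rules.xml plus the pre- and post-upgrade official rules (assumed to be OSSEC-style rule files, several top-level `<group>` elements each holding `<rule>` entries with `if_sid` / `if_group` children) and reports which local rules chain off an official rule that was changed or removed. All rule snippets below are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample data (not real OSSEC files): a before/after slice of the
# official sshd rules, and a local_rules.xml that chains off them via if_sid/if_group.
OLD_OFFICIAL = """<group name="syslog,sshd,">
<rule id="5700" level="0"><decoded_as>sshd</decoded_as><description>sshd grouped</description></rule>
<rule id="5716" level="5"><if_sid>5700</if_sid><match>^Failed</match><group>authentication_failed,</group><description>auth failed</description></rule>
<rule id="5710" level="5"><if_sid>5700</if_sid><match>invalid user</match><description>bad user</description></rule>
</group>"""
# The upgrade edits 5716's match and adds 5710 to the authentication_failed group.
NEW_OFFICIAL = OLD_OFFICIAL.replace("^Failed", "^Failed|^error: PAM").replace(
    "<match>invalid user</match>",
    "<match>invalid user</match><group>authentication_failed,</group>")
LOCAL_RULES = """<group name="local,syslog,">
<rule id="100001" level="10"><if_sid>5716</if_sid><srcip>192.0.2.10</srcip><description>ssh fail from watched host</description></rule>
<rule id="100002" level="7"><if_group>authentication_failed</if_group><description>any auth failure</description></rule>
<rule id="100003" level="3"><if_sid>5700</if_sid><description>untouched parent</description></rule>
</group>"""
def _csv(elem, tag):
    # Comma-separated values from every <tag> child of elem, as a set.
    return {v.strip() for e in elem.findall(tag)
            for v in (e.text or "").split(",") if v.strip()}

def parse_rules(text):
    """Return {rule_id: (groups, canonical_xml)} for one OSSEC-style rules file."""
    # Rules files hold several top-level <group> elements, so wrap them in one root.
    root = ET.fromstring("<root>" + text + "</root>")
    rules = {}
    for grp in root.findall("group"):
        base = {g for g in grp.get("name", "").split(",") if g}
        for rule in grp.findall("rule"):
            rules[rule.get("id")] = (base | _csv(rule, "group"), ET.tostring(rule).strip())
    return rules

def affected_local_rules(local_xml, old_xml, new_xml):
    """Map each local rule id to the official-rule changes that may affect it."""
    report, old, new = {}, parse_rules(old_xml), parse_rules(new_xml)
    for rule in ET.fromstring("<root>" + local_xml + "</root>").iter("rule"):
        reasons = []
        for sid in sorted(_csv(rule, "if_sid")):
            if sid in old and sid not in new:
                reasons.append(f"if_sid {sid} was removed")
            elif sid in new and old.get(sid, (None, None))[1] != new[sid][1]:
                reasons.append(f"if_sid {sid} changed")
        for g in sorted(_csv(rule, "if_group")):
            before = {r for r, (groups, _) in old.items() if g in groups}
            after = {r for r, (groups, _) in new.items() if g in groups}
            if before != after or any(old[r][1] != new[r][1] for r in before & after):
                reasons.append(f"if_group {g} changed")
        if reasons:
            report[rule.get("id")] = reasons
    return report
```

Run against the sample data it flags 100001 (its parent 5716 changed) and 100002 (the authentication_failed group gained a member) and stays silent on 100003, so only the rules worth re-diffing after an upgrade are listed.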
