Bonno Bloksma wrote:
Hi Pete/community,
If I understand things correctly, then the detection of a panic rule is local to the system. So a few systems may have enough traffic to see that a rule is acting wrong and assume a panic for that rule. According to the wiki, that information is sent automatically to the folks at armresearch, but... As far as I know there is as yet no mechanism to get that information automatically to the Sniffer community. Might it be a good idea to propagate rule panic info via the GRUdb mechanism? As far as I understand, information gets updated and transmitted a lot faster than rulebase updates.

We are working on some upgrades like that -- but it's not quite as simple as it looks. Systems also sometimes autopanic good spam rules for new campaigns if they have been hit hard enough by a source before the rule arrives. So, we need to have the rule-panics reviewed before propagating them out.

We have plans to build a mechanism that ties together more sophisticated monitoring and analysis tools and then provides a list of spam rules that have been pulled in the past day or so -- including any that may have been triggered by auto-panics.

Systems will be able to use this list to periodically re-scan their quarantines to pre-release messages that may have been caught by rules that were pulled.

This too is not simple -- while most systems seem to agree on what is spam and what is not, there is always a large class of messages that they disagree on, so any kind of automation like this must also take those customizations into account.

--- Anyway, you're on the right track and we're headed in that direction. Along the way we will also introduce incremental updates, a more compact rulebase, and a more sophisticated scanning engine.

"Dead rule alerts" are on the short list.

There is much to do.

_M


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.