Snort mailing list archives
RE: CAUTION: Long Rant!!! Re: [Snort-sigs] Broken 1429.2 (POLICY poll.gotomypc.com access)
From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Tue, 12 Oct 2004 12:07:27 -0500
Brian,

I will have to concur with Matt Jonkman here. You have a track record of degrading people in open forums and have done so to me on several occasions with no hesitation since I first started posting. The first occurrence I can remember was attempting to help the community make signatures for a new worm that came out. Your only response was to attack me for using reserved SIDs. You attack people on a consistent basis and I am frankly getting sick and tired of you and your ego trips.

One instance recently I'd like to bring up was your response to my post to Sam Evans who was inquiring about anyone who had run VMware server + Snort. I merely offered the fact that several of our customers use it and you took the opportunity to not only attack my post but put words in my mouth and attacked me in an open forum while doing so.

I don't know what your story is Brian, but everyone I've spoken to that you've ripped a new hole in on mailing lists would like to see your attitude take a major change. After all, you are the face of snort.org -- you should represent it with more professionalism and courtesy to the community.

Thank God someone here had the audacity to finally say something to you. One thing in life you'll learn pretty quickly is that respect is earned, not given to you because of your status or who you are.

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.

-----Original Message-----
From: Matt Jonkman [mailto:matt () infotex com]
Sent: Tuesday, October 12, 2004 10:26 AM
To: Brian
Cc: snort-sigs () lists sourceforge net
Subject: CAUTION: Long Rant!!! Re: [Snort-sigs] Broken 1429.2 (POLICY poll.gotomypc.com access)

I didn't know I was making an official statement. Or that we were going to have a p*ssing contest over it or I'd have gone back to timestamps myself. I can image the drive and start an investigation if you need to protect your ego.

You're right, the bleeding rule was missing the udp side, changed that.
You had the wrong IP on your rule. If you're updating that then we don't need to keep a second copy of the rule at bleedingsnort. The bleeding rule came about because the traffic was not being detected. Had there been communication between us then there would have been one good rule instead of 2 bad ones.

Why is it we can't work together here Brian? (hence why bleedingsnort exists) Tried to talk about this privately and haven't gotten even an email response from you, so I'm airing the dirty laundry publicly. Maybe you'll respond here.

The response I (and the bleeding admins and users) would probably like to hear is something along the lines of:

"As the official snort community rule maintainer I'm so incredibly excited that we all can continue to band together to respond in new and faster ways to deal with the new threats we all face, and help me (Brian Caswell) be even more effective in my job. We'd love to establish a relationship to let rules that work well in bleeding snort come over to the snort.org lists to avoid duplication. We also have an incredible base of knowledge and expertise on sourcefire to write rules we'd love to use to help these new rules mature. And Matt Jonkman is a great guy."

Well all but the last sentence at least.

What we hear now is you slamming and degrading every new idea, and especially any new person that comes into the community to learn and contribute. Go look over your posts for the last year on the list. Very few aren't degrading.

I can name several people that used to contribute to bleeding and the snort community that have turned away pissed off because you essentially called them an idiot for asking or suggesting something, or worse yet putting up a rule that wasn't perfect. The most recent being Joseph Gama. He was putting tons of time into building hundreds of rules for us, most great, some not so great. One email from you and he's gone, won't even return a snort related email.
Disclaimer: I have to specifically and vehemently exclude your peers at sourcefire. Everyone else has been supportive and has taken extra time to explain and help mature the rules the community is producing. Nigel and Matt W have been an excellent help to us and have supported us. But they aren't the rules maintainers and thus not who we need to interface with.

It's very clear that Nigel and Matt W have not forgotten that they work for a commercial company whose success is based on an open project and open community. That's a very important aspect of our little world. I hope we're not coming to a point where that arrangement will become incompatible. That would be devastating to both the open source and commercial snort.

Matt
Bleedingsnort.com

Brian wrote:
> On Mon, Oct 11, 2004 at 07:58:04PM -0500, Matt Jonkman wrote:
> > Wait, spoke too soon. Wasn't aware that snort.org had brought that rule in. The one we have at bleedingsnort was already on the new IP. But if the snort folks are going to update we'll take our rule out. Didn't know it went over there. Ours is sid 2000309.
>
> Please look at the timestamps of when those rules were added, then correct your statement. The rule in question was added to Snort's ruleset on November 6th, 2002 at 1:35 PM. (version 1.27 of policy.rules) Your rule was added June 8th 2004 at 4:13 PM. (version 1.24 of bleeding.rules)
>
> Also note, your rule misses some gotomypc traffic. While the majority of the traffic generated by gotomypc is TCP, at one point in time a UDP client was available.
>
> That's alright, that's ok, <insert some witty statement that a cheerleader might spout out at a football game here>.
>
> Brian
--
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com