On Mon, 2009-12-14 at 21:23 +0000, Martin Gregorie wrote:
> May I suggest that handling whitelist or blacklist rules and any
> associated plugins by packaging them as separately installable modules
> may be of benefit to SA maintainers. The idea is to reduce the SA dev
> workload by handing off responsibility for maintaining and bugfixing
> such modules to external developers. These may, as at present, be the
> person who independently develops the module or the people who are
> responsible for the resources it queries. Here's a little more detail:

The problem is scoring. Masschecks are going to shape scores so that whitelists get a little boost if they are mediocre, and a large boost if they are good. Ditto for blacklists. And the two sets of scores will work in synergy.

The big problem with "make them all external and let the universe pick a score at random" is that the relative effectiveness of the various lists isn't tested.

I'd love to have the ClamAV unofficial signature families scored. I have a fine guess as to how relevant they are, but it is just that - a guess. I'd hate to have to guess for everyone's whitelist...

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com