10:43 < jbrvenik> .
10:46 -!- cschear [~cschear@12.22.148.143] has joined #ossrc
10:47 -!- bmc [~bmc@sf-nat.sourcefire.com] has joined #ossrc
10:50 -!- cschear [~cschear@12.22.148.143] has quit [Read error: 104 (Connection reset by peer)]
10:54 -!- cschear [~cschear@12.22.148.143] has joined #ossrc
10:57 -!- adwarebofh [~watsonc@70.150.132.232] has joined #ossrc
10:57 -!- cschear [~cschear@12.22.148.143] has quit [Client Quit]
10:58 -!- kmx is now known as mattw
11:01 -!- Techie-Micheal [~Techie-Mi@techie-micheal.support.phpbb] has joined #ossrc
11:03 -!- bdo [~bdoctor@64.140.45.2] has joined #ossrc
11:04 < bdo> is the meeting at 11CDT or EST?
11:04 < bdo> the announcement isn't clear
11:04 -!- jonkman [~jonkman@12-210-206-213.client.insightBB.com] has joined #ossrc
11:04 -!- cschear [~cschear@12.22.148.143] has joined #ossrc
11:04 < sfirejennifer> 12:00 EDT 
11:12 -!- nigel_rules [~JimKirk@sf-nat.sourcefire.com] has joined #ossrc
11:12 < jonkman> I typo'd on our site. The meeting is 11 Central, 12 eastern
11:13 < jonkman> But feel free to hang out here till then   :) 
11:13 < jonkman> The waitress will be by for your drink orders shortly....
11:13 -!- adwarebofh [~watsonc@70.150.132.232] has left #ossrc ["Leaving"]
11:13 -!- joele23 [~Joel@69.56.130.10] has joined #ossrc
11:14 -!- mbldn [~mbldn@64.238.117.87] has joined #ossrc
11:14 -!- joele23 [~Joel@69.56.130.10] has left #ossrc ["Leaving"]
11:15 -!- dks [~dks@66.167.131.250] has joined #ossrc
11:15 < nigel_rules> who has the agenda?
11:15 -!- dks [~dks@66.167.131.250] has left #ossrc []
11:17 -!- joele23 [~Joel@c-24-5-109-25.hsd1.ca.comcast.net] has joined #ossrc
11:17 < sfirejennifer> * An overview of how the OSSRC will run
11:17 < sfirejennifer> * Overview of how we will elect board members
11:17 < sfirejennifer> * Discussion of SID allocation for the various rulesets
11:17 < sfirejennifer> * Discussion of sharing rulesets on the various web sites
11:18 < nigel_rules> hey, no flooding
11:21 -!- classicX [~ClassicX@gb.jb.102.158.revip.asianet.co.th] has joined #ossrc
11:23 -!- akirk [~akirk@sf-nat.sourcefire.com] has joined #ossrc
11:24 -!- helevius [~richard@pcp0010700723pcs.manass01.va.comcast.net] has joined #ossrc
11:27 -!- cschear [~cschear@12.22.148.143] has quit [Read error: 54 (Connection reset by peer)]
11:33 -!- Shirkdog [~chatzilla@pcp0011643558pcs.aberdn01.md.comcast.net] has joined #ossrc
11:43 -!- colingrady [pr00f@cerberus.llarian.net] has joined #ossrc
11:43 -!- dks [~dks@66.167.131.250] has joined #ossrc
11:44 -!- dks [~dks@66.167.131.250] has left #ossrc []
11:45 -!- cisc0man [~cisc0man@sidewinder.admin.utc.edu] has joined #ossrc
11:48 -!- qru [~bamm@cpe-67-11-158-107.satx.res.rr.com] has joined #ossrc
11:48 -!- darl-mcbride [~chatzilla@199.111.131.166] has joined #ossrc
11:48 -!- cschear [~cschear@12.22.148.143] has joined #ossrc
11:51 -!- hol [~hol@69-170-28-105.chvlva.adelphia.net] has joined #ossrc
11:51 -!- blake_ [~blake___@68.111.42.216] has joined #ossrc
11:55 -!- Wexler [~AsafW@gw-guilian.ser.netvision.net.il] has joined #ossrc
11:57 -!- Hanashi [~knoppix@g57.jlab.org] has joined #ossrc
11:57 -!- cschear [~cschear@12.22.148.143] has quit [Read error: 131 (Connection reset by peer)]
11:57 -!- Obiwan [~Obiwan@Obiwan.active.supporter.pdpc] has joined #ossrc
12:00 -!- slt [~slt@66.167.131.250] has joined #ossrc
12:01 < slt> Just testing my settings
12:01 -!- roesch [roesch@12.4.213.10] has joined #ossrc
12:01 < nigel_rules> just watching you do it
12:02 < sfirejennifer> well looks like it is 12:00 so let's get started 
12:02 -!- cschear [~cschear@12.22.148.143] has joined #ossrc
12:02 < jonkman> yup
12:03 -!- demcb [~dmcbride@c-24-6-171-178.hsd1.ca.comcast.net] has joined #ossrc
12:05 < sfirejennifer> thanks for coming out
12:05 < sfirejennifer> for those who don't already know, I'm Jennifer Steffens, Director Product Management for Snort at Sourcefire and mattw is Matt Watchinski, Director Vulnerability Research for Sourcefire 
12:05 < sfirejennifer> I'm gonna let Matt get things going here 
12:05 < jonkman> I think everyone knows me too, I'm Matt Jonkman with Bleeding snort
12:06 < jonkman> the meeting today is to get everyone on track with the OSSRC
12:06 < jonkman> What we want to do, and the adjusted timelines
12:06 < jonkman> things got a little sidetracked, but we're back to giving this full attention to get it rolling
12:06 < jonkman> Jennifer posted an agenda that we'd like to cover the major points of real quick, then open up to questions
12:07 < jonkman> feel free to pipe in once we get the agenda explained
12:07 < jonkman> First:
12:07 < mattw> For today the Agenda is as follows:  Agenda Item 1 - Disccusion of the structure of OSSRC and how the board will be elected and how members will join. 2 - New adjusted timelines for the project, 3. a discussion of possible projects.
12:07 -!- scottder [~scottder@ip68-9-109-110.ri.ri.cox.net] has joined #ossrc
12:07 -!- Wexler [~AsafW@gw-guilian.ser.netvision.net.il] has left #ossrc []
12:08 < mattw> Additionally this is being logged so we can post it for everyone to see.
12:08 -!- Wexler [~AsafW@gw-guilian.ser.netvision.net.il] has joined #ossrc
12:08 < jonkman> The structure of the ossrc will be rather simple
12:08 < jonkman> There will be two founding members, Bleeding Snort and SF that will always have a seat on the board
12:08 < jonkman> there will be (correct me if wront Mattw) three elected members
12:09 < mattw> yup.
12:09 < jonkman> this ensures that there will always be an elected majority in the event of discourse
12:09 < jonkman> Elected members will be nominated by ossrc members
12:09 < jonkman> anyone can be an ossrc member as long as they have valid contact info
12:09 < bmc> what defines "Valid contact info"?
12:09 < jonkman> All members may vote on nominated members
12:10 < jonkman> No dummy members, they need to have a valid email is all I believe, tut that's flexible
12:10 < sfirejennifer> valid name, e-mail and telephone to ensure members are reachable 
12:10 < nigel_rules> valid email != account from a free provider though right?
12:10 < darl-mcbride> like gmail?
12:10 < sfirejennifer> yes
12:11 -!- emaheo [~emaheo@209.242.11.94] has joined #ossrc
12:11 < sfirejennifer> we just need to be able to contact members
12:11 < jonkman> We may have to discuss that more, some folks in places like dod cannot use work email for these things, so we may have to make exceptions
12:11 < bmc> even igoring free providers that allows for some amount of ballot stuffing.
12:11 < jonkman> But that's a minor point
12:11 < jonkman> ya
12:12 < jonkman> Jennifer, can you discuss the new timeline?
12:12 < jonkman> That's the next agenda item
12:12 -!- darl-mcbride is now known as ppcxx
12:12 < mattw> I'll add a couple things to the election process real quick.
12:13 < mattw> Nominated canidates for the 3 open board chairs will be be approved by the 2 co-chairs before they get approved canidate status.
12:13 < mattw> after that all approved canidates will be voted on in general elections.
12:13 -!- cmg [~cmgreen@titanium.dso.uab.edu] has joined #ossrc
12:14 < mattw> The time line for nominations will be open for the next two weeks, at which time a list of approved canidates will be published.
12:14 < emf_> concordcet ballot? 
12:14 < cschear> So, each of the seats on the board by Bleeding Snort and SF actually have more control over board selection than regular chairs.
12:14 < mattw> at that time a date will be established for general elections.
12:15 < bmc> Playing devil's advocate here, if both of the co-chairs require approval before they get canidate status, that allows either BS or SF to deny any specific person from being elected?
12:15 < jonkman> Yes, the founding members have a greater degree of control
12:15 < jonkman> that's there more for a sanity check though, I can't imagine a situation where it'd be needed to have a denied nomination
12:16 < bmc> Then what is the purpose for it?
12:16 < ppcxx> how are those two representatives chosen by the two founding organizations?
12:16 < cschear> If control of the founding members are implicitly granted, what purpose does the board serve?
12:16 < cschear> (bmc beat me to the punch, sorry)
12:16 < mattw> however, once the board is elected it's 2 to 3 vote.
12:16 < emf_> you might want to write that in as a bootstrap just to make sure this doesn't go sideways from the start and then leave it free later.
12:17 < jonkman> We could allow the board once elected to remove that approval of nominations from the charter once the org is stable
12:17 < emf_> like anyone ever gives up granted power.  :) 
12:17 < jonkman> The motivation is as mentioned, to keep the initial board effective to get the org moving quickly
12:17 < ppcxx> right; it would have to be written in from the beginning
12:18 < jonkman> If that's a large concern I don't have major objections to changing that proviso, or extending the nominatino approval to the entire board by vote
12:18 < phear> write it in as "will be voted on by members every 6 mo till its gone"
12:18 < bmc> If that is the motivation, why not write that explicitly in the charter?
12:18 < phear> to either keep or do away with
12:19 < phear> gives you 6mo to get stable... then go on as members see fit
12:19 < brvenik> I don't see the issue with founding members having more control over the initial board. There needs to be quality assurance
12:19 < ppcxx> issue of the other three becoming "yes" men/women
12:19 < jonkman> I like the 6 month revote
12:19 < emf_> i agree with it being there initially, but please be explicit about the duration.
12:19 < cschear> brvenik: Then, it's not a board that is actually being formed - it's a committee, at best.
12:19 < jonkman> How about we specify at 6 months we put the charter back up for remorking by the board and then the new charter is voted on by the membership
12:20 < jonkman> In 6 months we'll have a better idea of what the org does and how it is run
12:20 < nigel_rules> sounds like a plan
12:20 < phear> gatta start somehwere..
12:20 < sfirejennifer> that is fine. we will write that in. 
12:20 < mattw> i think its easist to add a provision for a 6mo revote.
12:20 < jonkman> Excellent
12:20 < emf_> fine.
12:20 < jonkman> So, next thing is the timeline, but why don't we skip to projects first?
12:20 < jonkman> Then do timeline last
12:21 < jonkman> Good?
12:21 < phear> good
12:21 < mattw> timelines simple.
12:21 < mattw> we can just hit it quick.
12:21 < jonkman> Cool, go ahead then
12:21 < jonkman> projects is big
12:21 < mattw> Currently the time line is to open membership registration today.
12:22 < mattw> and begin accepting nominations for canidates today also.
12:22 < mattw> this will be open for the next two weeks.
12:22 < mattw> at the end of that two weeks a list of nominated and approved canidates will be provided.
12:22 < mattw> and a date for elections will be set.
12:23 < mattw> membership is open to everyone, fyi
12:23 < jonkman> Membership and nominations will be for the time being a manual process
12:24 < mattw> membership and nominatations should be sent jsteffens@sourcefire.com
12:24 < bmc> What should be sent?
12:24 < jonkman> For both organizations and individuals
12:24 < Obiwan> I suggest making a small PDF form to complete.
12:24 < sfirejennifer> we will make the form available on snort.org later today 
12:24 < nigel_rules> print it and snail mail it?
12:24 < emf_> good idea.
12:25 < jonkman> Organizations can get their membership listed on a supporters type of webpage that will be built down the road, logo and links
12:25 < jonkman> We hope that'll make membership more attractive to vars and integrators, and mssp's
12:25 < emf_> (might need to extend the 2 weeks if we're waiting on international snail mail)
12:25 < jonkman> As well as show their support for the open community
12:25 < Shirkdog> express mail
12:25 < Obiwan> Fax.
12:25 < sfirejennifer> I think e-mail is just fine 
12:26 < jonkman> Yes, I agree that email is best
12:26 < akirk> Membership will remain open past the 2 weeks
12:26 < jonkman> Any other questions on membership and timeline then?
12:26 < mattw> yup membership will remain open past the 2 weeks.
12:26 < jonkman> OK then, to projects
12:27 < mattw> Sounds like that sums it up.
12:27 < jonkman> The first project that the ossrc would be ideal for is the SID Range allocation
12:27 < bmc> can you list all of the projects first?
12:27 < mattw> yup
12:27 < mattw> The proposed list of projects is as follows
12:27 < bmc> err, proposed projects
12:27 < mattw> 1. SID Allocations.
12:27 -!- bdo [~bdoctor@64.140.45.2] has quit [Remote closed the connection]
12:27 < mattw> 2. Distributions of different rule sets.
12:28 < mattw> 3. Research and Information sharing on threats, vulnerabilities, and other network issues.
12:28 < jonkman> Reminder: We don't need to or have time to iron out every detail in all of these today. That's work for the first board and membership as we go
12:29 < jonkman> But first, sid allocation is a no-brainer
12:29 < emaheo> any thoughts to create a website to centralize all information.
12:29 < mattw> yes
12:29 -!- bdo [~bdoctor@64.140.45.2] has joined #ossrc
12:29 < sfirejennifer> we are working on that now 
12:29 < jonkman> There's enough space in the sid ranges to give everyone room, we just need to avoid conflicts
12:29 < mattw> and have a centralized place for distributing the sid allocation information.
12:30 < Shirkdog> will the website be a part of snort.org
12:30 < sfirejennifer> yes it will be ossrc.snort.org 
12:30 -!- Hanashi [~knoppix@g57.jlab.org] has quit [Remote closed the connection]
12:31  * roesch is glad he used u_int32_t instead of u_int16_t...
12:31 < Techie-Micheal> lol
12:31 < emf_> will ossrc.snort.org be operational today for membership requests?
12:31 < jonkman> To lay to rest concerns of independence, if there appears to be a problem down the road the board could move it if needed
12:31 < phear> dealing with sid allocation, will the SID's now need to be "requested" now through the OSSRC, or would it be "can we use this block to be compliant"?
12:31 < jonkman> Same as if it were ossrc.bleedingsnort.org
12:31 < emf_> (ossrc.org?)
12:31 < jonkman> We do also own ossrc.org, and will get that pointed there as well
12:32 < jonkman> I mean ossrc.net, not org
12:32 < jonkman> someone beat us to org
12:32 < akirk> Yeah, ossrc.org is some school in Ohio
12:32 < Shirkdog> lol
12:32 < Techie-Micheal> Blasted domain name poachers.  ;) 
12:32 < emf_> do they have a signature class?  :) 
12:33 < jonkman>  :) 
12:33 < jonkman> The second item, distribution of rulesets: I think that's down the line of making all of the different rulesets available in one place. Mirrored from their original sources
12:33 < Shirkdog> what sid block goes to ohio  :-) 
12:33 -!- ronaldov [~ronaldo@ash.cais.rnp.br] has joined #ossrc
12:33 -!- Hanashi [~Hanashi@g57.jlab.org] has joined #ossrc
12:33 < jonkman> We don't want to for instance move the bleeding snort sigs to ossrc
12:33 < jonkman> but we will mirror them to there, alongside the community sets, and anyone else that is interested
12:33 < jonkman> making a one stop shop for sigs that are up to date
12:33 < mattw> yup and making sure they are up to date and don't contain overlaps
12:34 < akirk> but leaving control decentralized for the paranoid
12:34 < jonkman> Yes, duplication prevention will be a challenging task for ossrc
12:34 < mbldn> overlaps are another issue..  are we explicitly not allowing duplicate signatures?
12:34 < roesch> not if everyone stays in their assigned sid blocks
12:34 < emf_> jonkman: unless you read the full ruleset often.  :) 
12:34 < jonkman> We can disallow duplicate sids of course easily
12:34 < mbldn> not sids, I mean two sigs that detect the same thing
12:34 < phear> dup's of functionality
12:34 < roesch> mbldn: you can have dupes, they should just have different rev numbers (although I don't recommend it)
12:35 < jonkman> What we may need is a set group of people that watch all new sigs and coordinate overlap between groups
12:35 < roesch> oh
12:35 < bmc> you can even have duplicate sid/revs without breaking snort, but again... not recommended.
12:35 < phear> but i'm not sure thats more of a prob for us
12:35 < phear> er
12:35 < mattw> allowing or disallowing things is really up to the requirements for each of the projects.  
12:35 < jonkman> That will be one of the first tasks of the new board to solve however seen fit
12:35 < phear> OSSRC as much as it should be for the admin
12:35 < akirk> It's not so much allowing or disallowing
12:35 < phear> differnet variants on rules that do similar things... isnt a bad thing
12:35 < roesch> mbldn: you can certainly have those kind of dupes, you'll just hammer performance into the groujnd
12:35 < akirk> It's providing a resource so that people can help eliminate redundancy if they want
12:35 < mattw> what we are talking about today is the general outline for the projects ossrc will attempt first.
12:35 < jonkman> yes
12:36 < jonkman> Right, as I mentioned we can't sove the details today
12:36 < mbldn> ok
12:36 < jonkman> The board and it's members will have the task of solving these problems
12:36 < jonkman> We just need to get them documented as needing solving  :) 
12:36 < Obiwan> Imho OSSRC should be a watchdog, but don't bite. Notify the overlapping projects, but don't twist their arm.
12:36 < jonkman> Yes
12:36 < Shirkdog> agree
12:36 < nigel_rules> as long as people conform to a standard in their rule writing, and they include correct and full reference information, finding duplicated rules should not be a huge problem
12:36 < akirk> That's how I've always envisioned it
12:36 < roesch> if everyone cross references against CVE as much as possible in their rule creation efforts then you should be able to look for duplicate functionality in rules and sort out the best ones that way
12:37 < jonkman> yes
12:37 < emf_> ossrc could go a step further and document cases of overlap so that others don't have to waste time in the weeds.
12:37 < brvenik> more like a NATO and less like a US then
12:37 < phear> haha
12:37 < mattw>  :) 
12:37 < Shirkdog> lol
12:37 < jonkman>  :)  Yes
12:37 < jonkman> What was the last project then Mattw?
12:37 < mattw> research sharing
12:37 < jonkman> oh ya, that's a tougher one
12:38 -!- andreaso_ [~andreas@2001:6b0:5:1095:211:aff:fe96:26c8] has joined #ossrc
12:38 < jonkman> The boad should be tasked to setup some form of list to share info on research and sig creation
12:38 < mattw> currently there are number of disjointed information resources for gathering information on lots of different types of threats
12:38 < bmc> Obiwan, so OSSRC should be like a toy poodle in terms of handling issues?
12:38 < bmc> (aka, lots of bark, no bite?)
12:38 < jonkman> I really want to avoid having 10 people making the same sig, let them work together rather than in parallel
12:38 < mattw> the ossrc should attempt to consolidate this information into a codified set that is easy to share and conduct research on.
12:38 < mbldn> what about the bleeding snort site?  it already shares research quite well
12:39 < jonkman> I think we do share well, I hope we can contribute that to the ossrc too
12:39 < jonkman> we don't want to not have that info cross our site
12:39 < jonkman> but we want to combine that with what other organizations can bring together
12:39 < jonkman> BS will be another member of ossrc and work with all the other members of it
12:40 < jonkman> We get a lot of info, but no where near all of it by any means
12:40 < Obiwan> So are you going to bridge snort-sigs with bleeding-sigs and drone-armies and whatnotsig-list?
12:40 < nigel_rules> the problem with sharing research and vuln info is the quality of that information, perhaps the ossrc could do something with the consolidation of information with lots of moderation done on it
12:40 < jonkman> I'm not sure a mailng listif the answer
12:40 < akirk> That could turn into an inbox flood
12:40 < cisc0man> wiki?
12:40 < jonkman> I think most of the researchers in this space are already part of the same lists
12:41 < jonkman> I hate the wiki idea, but something like that
12:41 < jonkman> web based may be more effective
12:41 < jonkman> rss feed, etc
12:41 < nigel_rules> nntp
12:41 < phear> rss i like
12:41 < jonkman> Again, that's another issue for the board and members to address to make happen
12:41 < jonkman> But a goal we want to set
12:41 < mattw> exactly
12:41 < jonkman> I think that covers all of the agenda items. Any projects to add, and any more questions?
12:42 < jonkman> Anything else from Mat or jennifer too?
12:42 < mattw> That essentially covers the main agenda items for today.
12:42 < roesch> bbs!
12:42 < phear>  :-) 
12:42 < emf_> yeah. dialup.
12:42 < mattw> unless anyone has any other ideas for additional projects to add to the list.
12:42 < akirk> Oooh, old school!  ;-) 
12:42 < Hanashi> nah, roesch.  A phone tree.
12:42 < Shirkdog> lol
12:42 < brvenik> sweet. 1200 and below only
12:42 < jonkman> I've got a 24k modem we can use to host it!!   :) 
12:42 < roesch> that'd be leet
12:42 < Shirkdog> 9600
12:42 < Obiwan>  /join #ossrc-incident-handlers
12:42 < bmc> bbs?  bbchat!
12:42 < ppcxx> i think i have a 300 baud
12:43 < jonkman> 300 it is then   :) 
12:43 < mattw> i've got an applecat around here somehwere.
12:43 < bmc> (bbs on vms!)
12:43 < emf_> i've got a couple of trailblazers still working.
12:43 < roesch> prolly want a silc server that's a little bit secure, irc is subject to people watching the watchers...
12:43 < ppcxx> i used to have some vaxstations   :( 
12:43 < nigel_rules> scoff you phillistines
12:43 < jonkman> Yes, I agree we should have a secyure com channel
12:43 < roesch> silc.snort.org/
12:43 < roesch> ?
12:43 < jonkman> silc is a good candidate
12:43 < brvenik> I like silc.snort.org/
12:44 < jonkman> I like jabber myself, another issue for the board
12:44 -!- illwill [~nis@69-170-28-105.chvlva.adelphia.net] has joined #ossrc
12:44 < Hanashi> Speaking of secure channels, perhaps OSSRC could somehow promote the use of digital signatures for snort rule bundles it distributes.
12:44 < brvenik> ppl can use jabber -> silc gateways
12:44 < emf_> Hanashi: nice... would be good for the rule management tools.
12:44 < nigel_rules> that's a good idea Hanashi 
12:44 < jonkman> yes
12:45 < jonkman> We have md5 hashes for our sigs available
12:45 < Hanashi> A central repository of snort rules is a big target.
12:45 < emf_> gpg.
12:45 < jonkman> though I don't think they're used often
12:45 < ppcxx> there you go, hanashi, offering useful advice
12:45 < Hanashi> md5 != signature
12:45 < jonkman> true
12:45 < Obiwan> heh... to what? Avoid "fake" rules? Rules with backdoors?
12:45 < mattw> i like the idea of gpg
12:45 < phear> ha
12:45 < jonkman> It's easy to implement, so no reason not to if someone will use it
12:45 < nigel_rules> for verification purposes
12:45 < akirk> To avoid rules that turn your box into a brick perhaps
12:45 < Hanashi> yes, obiwan.  Or cooler, rules which have had your favorite sploit detects removed.
12:45 < emf_> akirk: well, there go my rules then.  ;) 
12:45 < roesch> to avoid gratuitous injection of pcre....
12:45 < joele23> I have 2 questions:#1what about the sharing of Sourcefire's VRT info, and also the problems this may cause with rules that overlap, will this be completly seperate from the osscrc? #2 so the initial nominees must come from either BS or Sourcefire?
12:45 < nigel_rules>  :) 
12:46 < brvenik> gpg per rule? that gets ugly quickly
12:46 < jonkman> Speaking as bleeding snort: We will also benefit from the mirroring
12:46 < roesch> and tearing your sensor a new snorthole...
12:46 < jonkman> it's only a matte of time until we're ddos'd, etc
12:46 < Obiwan> roesch: lol... doesn't perfmon preprocessor catch that?
12:46 < jonkman> We already get hate mail regularly from spyware firms
12:46 < Shirkdog> lol
12:46 < jonkman> But... Sounds like we can officially adjourn the meeting then, barring further questions
12:46 < Techie-Micheal> jonkman: I imagine so.
12:46 < Hanashi> OSSRC shouldn't attempt to guard against bad (resource intensive) rules.  That's too much QA.  Let the downloader beware.  Just make sure the source is verified so you know who's rules you're actually getting.
12:46 < jonkman> and stick around for chatting
12:46 < mattw> brvenik: i'd say gpg per package.
12:46 < joele23> ?
12:46 < emf_> joele23:  uh, no.. three of them will be given a nod by SF/BS, but not necessarily part of it.
12:47 < roesch> Obiwan: it'll tell you that you're hosed, not why
12:47 < scottder> Hanashi, maybe some "education" on the impact of certain rules....
12:47 < roesch> gpg per bundle, signing every rule doesn't scale
12:47 < illwill> vote++ on gpg
12:47 < akirk> Now that's an idea
12:47 < jonkman> I really like turbosnort for this
12:47 < Obiwan> roesch:  Perhaps you need to extend it to report the performance sucking sig?  :) 
12:47 < Shirkdog> cron job
12:47 < jonkman> it's not a perfect statistical model, but easily find the hogs for us
12:47 < sfirejennifer> joele23: the idea behind the research sharing is to provide a way for all OSSRC members to share this kind of info 
12:47 < Shirkdog> performance sucker of the hour
12:48 < scottder> jonkman, exactly, sort of a performance rating system....
12:48 < demcb> help
12:48 < jonkman> The project we have going with NJIT and sensopry networks may augment them as well
12:48 < roesch> Obiwan: we'd need a profile mode for the detection engine, that's complex
12:48 < joele23> ok
12:48 < brvenik> Shirkdog: Isn't that the SSH BRUTE sigs??  :-) 
12:48 -!- demcb [~dmcbride@c-24-6-171-178.hsd1.ca.comcast.net] has quit []
12:48 < Hanashi> scottder, perhaps, but that's different from the issue of digital sigs.  I see them solely as a way to verify you get the rules from their intended source.  Not to verify the quality of the rules.
12:48 < roesch> I agree with Hanashi 
12:48 < jonkman> Should we add 2 more projects to be comsidered by the board?
12:49 < jonkman> Performance monitoring and integrity validation?
12:49 < emf_> lets get a board first, jonkman..  :) 
12:49 < jonkman> Details....
12:49 < nigel_rules> heh
12:49 < brvenik> 3 projects. Central documentation
12:49 < phear> agreed
12:49 < jonkman> Oooh, ya
12:49 < Hanashi> yes, I think two more project suggestions are in order.  Let the board accept or reject the suggestions once they are formed.
12:49 < jonkman> That's a big one
12:49 < mattw> I think we should take all the suggested projects from this chat and add them to the agenda for the next meeting.
12:49 < illwill> sig per rule would be nice but not required. just for end validation when questioned
12:49 < jonkman> agreed
12:49 < nigel_rules> you have no idea how big that one is
12:50 < sfirejennifer> we will make sure everything gets added to the next agenda 
12:50 < Obiwan> You really want to put wording into the charter that directors can form their own committee to assist with project tasks.
12:50 < jonkman> Great
12:50 < ppcxx> the board needs to have pre-set goals so they'll know what to do
12:50 < scottder> now sprinkle on some proactive synergy....
12:50 < scottder>  :) 
12:50 < jonkman> Thanks to Jennifer and Mattw and SF for getting this back on track
12:50 < Hanashi> Yes, thanks.  I think this could be very valuable.
12:50 < jonkman> I'd let it dwindle fearing nothing for the org to do, but obviously there is a lot to be done
12:51 < jonkman> I again think this is a worthwhile endeavor
12:51 < nigel_rules> I'd give thanks too, but I'm waiting for the pizza to be delivered here
12:51 < sfirejennifer> sorry we got sidetracked...too much travel on my part 
12:51 < jonkman> We'll get the transcript posted on BS and I think snort.org too
12:51 < roesch> hey, that's my line
12:51 < nigel_rules> where's my pizza sfirejennifer?
12:51 < jonkman> Thanks everyone for coming and contributing ideas
12:51 < Shirkdog> where is the punch and pie?
12:52 < ppcxx> wait!  we need a group photo!
12:52 < mattw> thanks everyone.
12:52 < scottder> say cheese
12:52 < nigel_rules> import -window root ossrc.jpg
12:52 < Techie-Micheal> gouda
12:52 < akirk> cheesy
12:52 < scottder> Rambol!
12:52 < scottder>  :) 
12:52 -!- PointlessEnd [~pointless@pcp0011552406pcs.anapol01.md.comcast.net] has joined #ossrc
12:53 < sfirejennifer> ok guys sounds like lunch is on a lot of folk's minds
12:53 < sfirejennifer> thanks for coming out
12:53 < nigel_rules> not at all
12:53 < sfirejennifer> we will have everything available on snort.org shortly 
12:53 < helevius> Nice listening to you all  :) 
12:53 < sfirejennifer> thanks again to jonkman for everything 
12:54 -!- Hanashi [~Hanashi@g57.jlab.org] has left #ossrc ["Leaving"]
12:55 < jonkman>  :)