CF RULES
Martin Sapsed
m.sapsed at BANGOR.AC.UK
Fri Jan 23 09:23:38 GMT 2004
Me again!
Martin Sapsed wrote:
> Randal, Phil wrote:
>
>> It looks very effective so far. The chickenpox rules give me more problems
>> with false positives, so I may have to lower the scores on those.
>
> I took a lot of = signs out of the chickenpox rules because I was
> getting quite a few false positives on e-mails to the Samba list - ones
> with smb.conf files pasted in!
and now I've taken it out altogether after some more FPs. At the moment
the local_WORDWORD_10 & 15 rules someone posted here (forgot who -
sorry!) are the most effective extra SA rules I'm using. A lot of the
stuff that BigEvil picks up either hits WORDWORD or DCC or both anyway.
The clever HABEAS_FORGERY rules do quite well too. BACKHAIR does ok but
often on messages that WORDWORD has picked up anyway.
Cheers,
Martin
--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth