RE: [sniffer] Rules Question

[Madscientist]

White rules are entered either upon request or in response to a false 
positive report with your permission. In some cases we will enter a white 
rule based on our own research or in response to a false positive report if 
we feel a core white rule would be more appropriate. We add core white 
rules without permission. We add local rules of any type only with 
permission or by request.

Hope this helps,
_M
At 06:43 PM 3/3/2004, you wrote:
Thanks for the aid.  One last question, you mentioned:

In a case where a white rule is present and a black rule is present the
white rule will always win
So if the White Rule fired 000, it would override a Porn Rule of 54?  If 
so, how are these White Rules entered?

Thanks,

Keith

        -----Original Message-----
        From: [EMAIL PROTECTED] on behalf of Madscientist
        Sent: Wed 3/3/2004 6:01 PM
        To: [EMAIL PROTECTED]
        Cc:
        Subject: Re: [sniffer] Rules Question


        At 04:55 PM 3/3/2004, you wrote:
        >I am using Declude and have indiv. Sniffer Tests and lets say the
        >following gets tripped in an email
        >
        >SNIFFER-WHTLIST result code 000
        >SNIFFER-PORN    result code 054
        >
        >Which would take precedence over the other, as far as which 
would be the
        >final code passed to Declude?

        There is some confusion about this.

        A zero result from Message Sniffer as seen by Declude could mean 
that a
        white rule has fired, or it could mean that no rules matched at all.

        In the first case - where an actual white rule has fired, the Message
        Sniffer log will show a "White" entry and the "Final" result will 
reflect
        that white rule. In this case, the white rule takes precedence. 
Declude
        will see a 0 result code.

        In the second case - where no rules matched, the Message Sniffer 
log will
        show a "Clean" entry and Declude will see a zero result.

        So, from Declude's perspective it will see a zero result in both the
        "Clean" and the "White" case. As a result, your SNIFFER-WHTLIST 
result code
        000 test will fire.

        In a case where a white rule is present and a black rule is 
present the
        white rule will always win. So, if Sniffer saw both rules match a 
message
        it would return a zero result.

        SNIFFER-WHTLIST is a misnomer. It's probably not a good idea to 
name the
        zero result test this way because most of the time a zero result 
doesn't
        mean "White" but instead means "Clean".

        If you wish to have the white rules in your rulebase separated 
out then we
        could code those to a 1 result and then you would be able to 
legitimately
        create a SNIFFER-WHTLIST test checking for a result of 1.

        I will point out here that this has been tried once or twice and 
in both
        cases the user switched back almost immediately because the 
results were
        confusing.

        In Sniffer we use white rules to force a "non result" more than 
we ever use
        them to indicate a true "white" result.

        Hope this helps,
        _M


        This E-Mail came from the Message Sniffer mailing list. For 
information and (un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html

p/


This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html