Greetings Daniel:

This worked.  A rough draft of the rules I'm using follows:

<group name="mailfoundry,">

  <rule id="200000" level="0" noalert="1">
    <decoded_as>mailfoundry</decoded_as>
    <description>Grouping of the mailfoundry rules.</description>
  </rule>

  <rule id="200001" level="12">
    <if_sid>200000</if_sid>
    <match>system load is too high</match>
    <description>Mail Foundry system load is too high</description>
    <group>mf_load,</group>
  </rule>

  <rule id="200002" level="12" frequency="10" timeframe="180">
    <if_matched_sid>200001</if_matched_sid>
    <same_source_ip />
    <description>Multiple Mail Foundry system load is too high in a
small period of time.</description>
    <group>mf_load,</group>
  </rule>

  <rule id="200003" level="4">
    <if_sid>200000</if_sid>
    <match>Red Listing</match>
    <description>Mail Foundry Red Listed IP</description>
    <group>mf_load,</group>
  </rule>

  <rule id="200004" level="9" frequency="10" timeframe="180">
    <if_matched_sid>200003</if_matched_sid>
    <same_source_ip />
    <description>Multiple Mail Foundry Red Listing in a small period
of time.</description>
    <group>mf_load,</group>
  </rule>

</group> <!-- mailfoundry -->


Thank you.
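The rule set above relies on OSSEC's composite rules: 200002 and 200004 only fire once their base rule (200001 or 200003) has matched `frequency` times from the same source IP inside `timeframe` seconds. The following Python script is an added example, not part of the post and not OSSEC code; it transcribes the four rules and runs a small, simplified correlator over constructed log events so you can see which event trips the composite rule. The assumptions are mine: the window is keyed by source IP, hits older than `timeframe` are dropped, the rule fires on the Nth hit in the window, and the window is reset after firing (real OSSEC counts and resets slightly differently, so treat this as an illustration of the idea rather than its exact semantics).

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Rule:
    sid: int
    level: int
    match: Optional[str] = None           # substring looked for in the decoded message
    if_matched_sid: Optional[int] = None  # composite rule: counts prior hits of this sid
    frequency: int = 0
    timeframe: int = 0                    # seconds
    same_source_ip: bool = False


# Transcription of the posted rules (200000 only groups, so it is omitted here).
RULES = [
    Rule(200001, 12, match="system load is too high"),
    Rule(200002, 12, if_matched_sid=200001, frequency=10, timeframe=180, same_source_ip=True),
    Rule(200003, 4, match="Red Listing"),
    Rule(200004, 9, if_matched_sid=200003, frequency=10, timeframe=180, same_source_ip=True),
]


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed values)
    srcip: str     # the source IP the decoder would have extracted
    message: str   # decoded log message


class Correlator:
    """Simplified model of match + frequency/timeframe/same_source_ip correlation."""

    def __init__(self, rules: List[Rule]):
        self.simple = [r for r in rules if r.match is not None]
        self.composite = [r for r in rules if r.if_matched_sid is not None]
        # (composite sid, source ip) -> timestamps of base-rule hits still inside the window
        self.windows: Dict[Tuple[int, str], Deque[int]] = defaultdict(deque)

    def process(self, ev: Event) -> List[Tuple[int, int, str]]:
        """Return (sid, level, srcip) for every rule that fires on this event."""
        fired = []
        for rule in self.simple:
            if rule.match in ev.message:
                fired.append((rule.sid, rule.level, ev.srcip))
                fired.extend(self._composite(rule.sid, ev))
        return fired

    def _composite(self, base_sid: int, ev: Event) -> List[Tuple[int, int, str]]:
        out = []
        for rule in self.composite:
            if rule.if_matched_sid != base_sid:
                continue
            key = ev.srcip if rule.same_source_ip else "*"
            win = self.windows[(rule.sid, key)]
            win.append(ev.ts)
            # Drop hits that fell out of the timeframe.
            while win and ev.ts - win[0] > rule.timeframe:
                win.popleft()
            if len(win) >= rule.frequency:
                out.append((rule.sid, rule.level, ev.srcip))
                win.clear()  # assumption: start a fresh window after firing
        return out


def run_events(events: List[Event]) -> List[Tuple[int, int, str]]:
    """Feed events through a fresh correlator and collect everything that fired."""
    c = Correlator(RULES)
    fired = []
    for ev in events:
        fired.extend(c.process(ev))
    return fired


def demo() -> List[Tuple[int, int, str]]:
    events = []
    # Constructed: ten load warnings from one host within 90 s -> 200002 fires on the 10th.
    for i in range(10):
        events.append(Event(1000 + 10 * i, "10.0.0.5", "mailfoundry: system load is too high"))
    # Constructed: ten red listings, each from a different IP -> 200003 each time, never 200004.
    for i in range(10):
        events.append(Event(2000 + i, f"192.0.2.{i}", "mailfoundry: Red Listing 198.51.100.7"))
    return run_events(events)


if __name__ == "__main__":
    for sid, level, ip in demo():
        print(f"rule {sid} (level {level}) fired for {ip}")
```

Running it prints ten level-12 hits for 200001 followed by a single 200002 for 10.0.0.5, then ten 200003 hits and no 200004, which is what `same_source_ip` buys you: a burst spread across many sources does not aggregate into the higher-level alert.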
