Hi Pete,
I'm look over Declude's recommended Sniffer configuration and trying to
understand how much (if any) overlap there is between these options they
implemented and recommend:
IPREPUTATIONSNFIPREPx 0 10 -5
SNFIPCAUTIONSNFIP x 4 5 0
SNFIPBLACK SNFIP x 5 10
0
SNFIPTRUNCATE SNFIP x 6 10 0
SNFTRUNCATE SNF x 20 10
0
SNIFFER-IP-RULESSNF x 63 10
0
Looking at the Sniffer documentation IP test result codes
http://www.armresearch.com/support/articles/software/snfClient/resultCodes.j
sp
it seems that the SNFIP tests for 4, 5 and 6 (SNFIPCAUTION,
SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.
However, Declude ALSO tests for your Rule Group Result Codes 20 and 63
which are documented here:
http://www.armresearch.com/support/articles/software/snfServer/core.jsp
1. It seems to me, as if their SNFTRUNCATE is the same as their
SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK --
effectively artificially inflating (doubling) the weights for these tests?
2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
There, any reputation 0 (up to 1) is given an extra weight of 10. But
doesn't SNFIPREP report from the same reputation data as the SNFIP (and
possibly even group result codes 20 and 63)? In other words, are those IP
addresses that generate a reputation factor of 0 ALSO reported as
Caution/Black or Truncate - if so, we'd now TRIPLE count that score.
Best Regards,
Andy
#
This message is sent to you because you are subscribed to
the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to sniffer-requ...@sortmonster.com
