Re: Re[4]: [sniffer] Rash of false positives

[Darin Cox]

Hi Pete,   I'll send the logs for the past two days separately to support (at).  We do run snf2check on every downloaded rulebase, so that shouldn't be an issue.   The one thing I didn't think to do was to revert to an old rulebase, but we only keep the previous, so it would have already been too late when we saw the problem this morning.   Thanks, Darin.     ----- Original Message ----- From: Pete McNeil To: Darin Cox Sent: Tuesday, November 08, 2005 4:03 PM Subject: Re[4]: [sniffer] Rash of false positives On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote: > Hi Pete,   There was a consistent stream of false positives over the mentioned time period, not just a blast at a particular time.  They suddenly started at 5pm (shortly after a 4:30pm rulesbase update), and were fairly evenly spread from 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between 11pm and 6am)...spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and 6:20am.  There were a number of different rules involved, and over 45 false positives in that time period. This is highly unusual -- I didn't remove many rules, and normally only one or two would be responsible. If you found that a large number of rules were responsible then something else happend and we need to look at that... I'd need to see your SNF logs from that period since the changes (removals anyway) in the rulebase were very small and unrelated - that just doesn't line up with your description. One thing does-- in the past if snf2check was not used to check a new download then a corrupted rulebase could cause SNF to produce erratic results... since snf2check has been in place we have not seen this. Is it possible that a bad rulebase file got pressed into service on your system? -- probably a look at the logs would help there too since this kind of failure is accompanied by very specific oddities in the logs. Hope this helps, _M This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html