Wednesday, March 10, 2004, 7:23:55 AM, you wrote:
BG> Similarly, I'd like to be able to create a meta that says "if a hit from
BG> this set (i.e. bigevil) [+optional other conditions] then score X". I'm
BG> probably after a wildcard match for rule names in metas here, but even
BG> that seems cumbersome and error-prone.
BG> Is there any such capability I'm missing?
Yes -- simply change the scores on the rules.
I didn't explain that well. I'd essentially like two things:
1. Rule SETS like bigevil, blacklist-uri.cf to NOT score (or be able to centrally adjust their scores). This can be done with sed filters and the like, but that's error prone if automated. (Not a big deal if not, but sure easier.)
2. ALSO have a meta that can detect if any rule FROM A SET (without writing a monster-meta) matched. Something like:
meta LOCAL_BIGEMATCHED (BigEvil_* && OTHER_TESTS)
I modify the scores on bigevil before installing any new copy (the scores as distributed are too low for my systems, since we run with a required-hits of 9).
Are you using a simple sed filter or the like? I've done that as well, and it does work well. A large rule set is labor-intensive to write and modify, particularly if it's complex. I think it might be handy to have "local variables" in a set (file) for scores -- Score $LEVEL1 5pts, $LEVEL2 10pts etc. and allow those to be overridden in a local.cf. (i.e. "from ruleset X and $LEVEL1 = 7pts")
You can also change the scores on the BLACKLIST rule to lessen the impact of the William Stearns' contributed blacklist. (I prefer to simply review the list before installing, and remove entries that I know are a problem here. But then, I don't use AWL.)
True enough, and though I THOUGHT I'd tested that, it is working quite well now. I'm as concerned about defaults as any add-ons.
- Bob
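Added example, not part of the thread above and not a SpamAssassin tool: a small Python script that does what the sed approach discussed here does, but without hand-editing. It reads a ruleset file, collects every rule name with a given prefix (BigEvil_ here), emits score overrides for those members, and builds the "any rule from this set" meta that the thread wants, with an optional extra condition ANDed on. The ruleset text, the rule names and the meta name LOCAL_BIGEMATCHED are constructed for the example. One caveat the generated file respects: SpamAssassin does not run a rule whose score is 0, so members are given a near-zero score (0.01) rather than 0 so they still fire and the meta can see them.

```python
import re

# Constructed sample ruleset text (not the real bigevil.cf); the rule names are made up.
SAMPLE_CF = """\
# constructed example ruleset
body BigEvil_1   /example one/i
score BigEvil_1  1.0
body BigEvil_2   /example two/i
score BigEvil_2  1.5
uri   OTHER_URI  /example\\.test/
score OTHER_URI  0.5
"""

# Lines that define a rule (as opposed to score/describe lines): "<type> <NAME> ..."
RULE_DEF_RE = re.compile(r'^\s*(header|body|rawbody|uri|full|meta)\s+(\S+)')


def rule_names(cf_text, prefix):
    """Return the distinct rule names in cf_text that start with prefix, in file order."""
    names = []
    for line in cf_text.splitlines():
        m = RULE_DEF_RE.match(line)
        if m and m.group(2).startswith(prefix) and m.group(2) not in names:
            names.append(m.group(2))
    return names


def score_overrides(names, score):
    """One 'score NAME value' line per member rule (goes in local.cf, which wins over the ruleset)."""
    return [f"score {n} {score}" for n in names]


def meta_rule(meta_name, names, extra_condition=None, score=None):
    """Build 'meta NAME (A || B || ...) [&& extra]' plus an optional score line for the meta."""
    cond = "(" + " || ".join(names) + ")"
    if extra_condition:
        cond = f"{cond} && {extra_condition}"
    lines = [f"meta {meta_name} {cond}"]
    if score is not None:
        lines.append(f"score {meta_name} {score}")
    return lines


def generate_local_cf(cf_text, prefix, meta_name, meta_score,
                      member_score=0.01, extra_condition=None):
    """Produce local.cf text: members demoted to member_score (not 0, which would disable them),
    and a single meta that scores meta_score when any member (and the extra condition) hits."""
    names = rule_names(cf_text, prefix)
    out = score_overrides(names, member_score)
    out += meta_rule(meta_name, names, extra_condition, meta_score)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Example run: demote the BigEvil_ members, score the set as a whole only alongside OTHER_TESTS.
    print(generate_local_cf(SAMPLE_CF, "BigEvil_", "LOCAL_BIGEMATCHED",
                            meta_score=5.0, extra_condition="OTHER_TESTS"), end="")
```

Appending the output to local.cf (and re-running the script whenever a new copy of the ruleset is installed) keeps the per-site scoring in one place instead of patching the distributed file.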
