Hi
(I am just venturing into the SARE world, so am a newbie in this regard ;)
I have just installed basically all rules from rulesemporium.com - and had wonderful results :)
Just one thing that puzzles me at this stage:
I had an FP mainly due to the following two rules being matched from header_abuse.cf:

    header   FVGT_h_FROM_NONAME  From =~ /\"\"\ \</
    describe FVGT_h_FROM_NONAME  FVGT - from has no name on purpose
    score    FVGT_h_FROM_NONAME  1.666
and
    header   L_f_Noname  From =~ /""\ \</i
    describe L_f_Noname  Sender has blanked out name (RM)
    score    L_f_Noname  1.666

Can someone please explain to me why both of these would be required? If I remove one of them I no longer have a false positive.
Regards
--
Deon de Villiers
Technical Manager
Hetzner Africa
Tel: +27 21 970 2000
Fax: +27 21 970 2001
http://www.hetzner.co.za/index.php?id=245
[Awarded Top 50 ICT Company in South Africa for the period 2003/4 by the Corporate Research Foundation]
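As an added illustration (not from the original post or from the SARE rule files), here is a small Python evaluator that parses the two quoted header_abuse.cf rules and applies them to a constructed From: header. It shows that both regexes match the same `"" <` pattern (the second merely adds the case-insensitive flag), so on such a message their scores stack to 3.332; the sample headers and the parser are assumptions made for this example, not SpamAssassin's own code.

```python
import re

# Constructed input: the two header_abuse.cf rules quoted in the post, put back
# into SpamAssassin's one-directive-per-line layout.
RULES_CF = r'''
header FVGT_h_FROM_NONAME From =~ /\"\"\ \</
describe FVGT_h_FROM_NONAME FVGT - from has no name on purpose
score FVGT_h_FROM_NONAME 1.666
header L_f_Noname From =~ /""\ \</i
describe L_f_Noname Sender has blanked out name (RM)
score L_f_Noname 1.666
'''

# header <name> <header-field> =~ /<perl-regex>/<flags>
HEADER_RE = re.compile(r'^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$')


def parse_rules(cf_text):
    """Return {rule_name: {"field", "regex", "describe", "score"}}.
    Only the header/describe/score directives used by these rules are handled."""
    rules = {}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line:
            continue
        directive, name, rest = line.split(None, 2)
        rule = rules.setdefault(name, {"score": 1.0, "describe": ""})
        if directive == "header":
            m = HEADER_RE.match(line)
            if m is None:
                raise ValueError("unparsable header rule: " + line)
            flags = re.IGNORECASE if "i" in m.group(4) else 0
            rule["field"] = m.group(2)
            # The Perl escapes \" , "\ " and \< are literal-character escapes
            # in Python's re as well, so the pattern can be compiled as-is.
            rule["regex"] = re.compile(m.group(3), flags)
        elif directive == "describe":
            rule["describe"] = rest
        elif directive == "score":
            rule["score"] = float(rest)
    return rules


def matching_rules(rules, headers):
    """Names of the header rules whose regex fires on the given header values."""
    return [name for name, r in rules.items()
            if "regex" in r and r["regex"].search(headers.get(r["field"], ""))]


def total_score(rules, headers):
    """Combined score of every rule that fires; overlapping rules double-count."""
    return round(sum(rules[n]["score"] for n in matching_rules(rules, headers)), 3)
```

Running `total_score(parse_rules(RULES_CF), {"From": '"" <someone@example.com>'})` gives 3.332, while a header with a real display name scores 0.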