Kevin W. Gagel wrote:
> I've been researching what rules get hit on my system. To do that I've
> written a small script to pull together a list of all the rules that
> SA is using on my system and another to parse my log files to see
> what rules were triggered, how often and how long it took to scan the
> messages.
>
> I used a full month's worth of data. I have 2,827 (give or take a few
> for script logic errors) rules that SA checks on each message. For
> December I had 256,542 messages that made it through blacklists and
> then were evaluated by SA. A total of 1,087 rules were tripped in all
> of those messages.
>
> Looking at the list of tripped rules (and how many times each was
> tripped) and how long it took to process all of those messages (a
> total of 569.732 hours), I wondered if I could improve performance by
> cutting out rules that were not tripped or only tripped a very small
> number of times.
>
> What I need guidance on is this...
>
> I see multiple rules with descriptions written in other languages to
> catch the same thing as the English one. Are these treated by SA as
> separate rules, testing the message against each language?
>
> Before I go setting up scores of zeros for rules I think don't need
> to be run, am I correct in thinking that setting the score to zero
> will keep SA from running the rule? I seem to recall seeing emails on
> the list that indicate that, but others that say the rule is still
> run...
>
> Any advice on this would be welcome.
Yes, if you set the score to 0, the rule will not be run. I think there have been one or two bugs that caused this not to work in some circumstances, but this is the correct way to disable a rule.

The multiple language descriptions are probably just from the different language files. The main thing is the rule name. If the rule name is the same, it's just a translated description. If the rule name is different, it's a different rule.

-- 
Bowie
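As an added illustration of the two points in this thread (a `lang xx describe` line is a translated description of the same rule, not a second rule, and `score RULE 0` is how a rule is switched off), here is a small script that is not from either poster. It parses a constructed `.cf` fragment and constructed `spamd` "result:" log lines, counts which defined rules ever fired, and emits `score ... 0` for those that never did; the rule names, the log lines and the exact `spamd` log layout are assumptions for the example.

```python
import re
from collections import Counter

# Constructed SpamAssassin .cf fragment (not from the thread). The two
# 'lang ... describe' lines translate LOCAL_LOTTERY's description only.
RULES_CF = r"""
body     LOCAL_LOTTERY    /lottery winner/i
describe LOCAL_LOTTERY    Mentions a lottery win
lang fr describe LOCAL_LOTTERY  Mentionne un gain de loterie
lang de describe LOCAL_LOTTERY  Erwaehnt einen Lotteriegewinn
score    LOCAL_LOTTERY    2.5
header   LOCAL_EMPTY_SUBJ Subject =~ /^\s*$/
describe LOCAL_EMPTY_SUBJ Empty subject line
score    LOCAL_EMPTY_SUBJ 0.5
body     LOCAL_NEVER_HIT  /xyzzy/
describe LOCAL_NEVER_HIT  Never seen in practice
score    LOCAL_NEVER_HIT  1.0
"""

# Constructed spamd log lines in the assumed 'spamd: result:' layout.
SPAMD_LOG = """\
Jan  3 10:01:02 mx spamd[123]: spamd: result: Y 7 - LOCAL_LOTTERY,HTML_MESSAGE scantime=0.8,size=2100
Jan  3 10:01:05 mx spamd[123]: spamd: result: . 1 - LOCAL_EMPTY_SUBJ scantime=0.4,size=900
Jan  3 10:02:10 mx spamd[123]: spamd: result: Y 6 - LOCAL_LOTTERY scantime=1.1,size=3000
"""

RULE_TYPES = {"header", "body", "rawbody", "uri", "full", "meta"}
RESULT_RE = re.compile(r"spamd: result: \S \S+ - (\S+) scantime=")

def parse_rules(cf_text):
    """Return (set of rule names, Counter of translated descriptions per rule).
    Only rule-definition keywords create a rule; 'lang xx describe' does not."""
    rules, translations = set(), Counter()
    for line in cf_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in RULE_TYPES and len(parts) >= 3:
            rules.add(parts[1])
        elif parts[0] == "lang" and len(parts) >= 4 and parts[2] == "describe":
            translations[parts[3]] += 1
    return rules, translations

def count_hits(log_text):
    """Count how often each rule name appears in the comma-separated tests field."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            hits.update(t for t in m.group(1).split(",") if t)
    return hits

def disable_unused(rules, hits):
    """Emit 'score RULE 0' for every defined rule that never fired."""
    return [f"score {r} 0" for r in sorted(rules) if hits[r] == 0]

if __name__ == "__main__":
    rules, trans = parse_rules(RULES_CF)
    hits = count_hits(SPAMD_LOG)
    print(f"{len(rules)} rules, {sum(trans.values())} translated descriptions")
    print("\n".join(disable_unused(rules, hits)))
```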