I could be asking the same thing as Charles; if I am, I apologize. I installed the rules below, ran the headers.txt file thru SA and the rules did not trigger. Do I need to configure something else?

Thanks
Craig

>>> Charles Gregory <cgreg...@hwcn.org> 5/1/2009 9:48 AM >>>
Uh, what do these 'ratware' rules trigger on? How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
> header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
> # "
>
> header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
> # "
>
> header KB_RATWARE_BOUNDARY ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi
> # "
>
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
>
>
> --
> Exit, pursued by a bear.
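
Added example, not part of the thread or written by any of its participants: the three quoted patterns ported to Python's `re` and run over constructed header blocks, to show what each pattern requires in order to match. It assumes Perl's `/msi` maps to `re.M | re.S | re.I` and exercises the regular expressions only; how SpamAssassin assembles the `ALL` pseudo-header is not modeled, and the sample headers and the helper names `sample` and `hits` are made up for the illustration.

```python
import re

FLAGS = re.M | re.S | re.I  # Python equivalents of Perl's /msi

# The three patterns quoted above, each joined back onto a single line.
RULES = {
    "KB_RATWARE_OUTLOOK_16": re.compile(
        r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}'
        r'boundary="----=_NextPart_000_...._\1\.\2', FLAGS),
    "KB_RATWARE_OUTLOOK_12": re.compile(
        r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}'
        r'boundary="----=_NextPart_000_...._\1\.\2', FLAGS),
    "KB_RATWARE_BOUNDARY": re.compile(
        r'^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}'
        r'boundary="----=_NextPart_000_...._\1\.', FLAGS),
}

# Constructed filler headers: 94 characters between Message-Id and Content-Type.
FILLER = ("From: sender@example.test\nTo: rcpt@example.test\n"
          "Subject: constructed sample\nMIME-Version: 1.0\n")

def sample(boundary_tail, filler=FILLER):
    """Constructed header block (not real mail); boundary_tail follows '_0006_'."""
    return ("Message-Id: <000001c9c9a0$1a2b3c4d$0a00a8c0@example.test>\n"
            + filler
            + "Content-Type: multipart/alternative;\n"
            + '\tboundary="----=_NextPart_000_0006_' + boundary_tail + '"\n')

def hits(headers):
    """Names of the rules whose pattern matches the header block."""
    return sorted(name for name, rx in RULES.items() if rx.search(headers))

if __name__ == "__main__":
    cases = {
        "both hex groups copied": sample("01C9C9A0.1A2B3C4D"),
        "group 1 + first 4 of group 2": sample("01C9C9A0.1A2BFFFF"),
        "group 1 only": sample("01C9C9A0.99999999"),
        "unrelated boundary": sample("01C9D111.5E6F7A8B"),
        "under 100 chars between": sample("01C9C9A0.1A2B3C4D", filler=""),
    }
    for label, hdrs in cases.items():
        print(f"{label:30} -> {hits(hdrs) or 'no hit'}")
```

Each pattern matches only when the hex groups captured from the Message-Id reappear in the `_NextPart_000_` boundary, the Message-Id line comes before the boundary, and 100 to 400 characters separate the two.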