I could be asking the same thing as Charles; if I am, I apologize.
 
I installed the rules below, ran the headers.txt file through SA, and the rules 
did not trigger.  Do I need to configure something else?
 
Thanks
Craig

>>> Charles Gregory <cgreg...@hwcn.org> 5/1/2009 9:48 AM >>>

Uh, what do these 'ratware' rules trigger on? 
How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
> header  KB_RATWARE_OUTLOOK_16  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
>  
> # "
>
> header  KB_RATWARE_OUTLOOK_12  ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
>  
> # "
>
> header  KB_RATWARE_BOUNDARY    ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi
>  
> # "
>
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
>
>
> -- 
> Exit, pursued by a bear.
>
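
Added example, not part of the posts above: the three quoted patterns translated to Python (Perl /msi becomes MULTILINE | DOTALL | IGNORECASE) and run over constructed header blocks, to show which Message-Id/boundary combinations each rule fires on and how the 100-400 character window affects a match. The sample headers, addresses and the `sample`/`hits` helpers are assumptions made for illustration; the header block only approximates what SpamAssassin's ALL pseudo-header would contain.

```python
import re

# Patterns copied from the quoted rules, each on a single line.
FLAGS = re.M | re.S | re.I  # Perl /msi
RULES = {
    "KB_RATWARE_OUTLOOK_16": r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2',
    "KB_RATWARE_OUTLOOK_12": r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2',
    "KB_RATWARE_BOUNDARY": r'^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\.',
}
COMPILED = {name: re.compile(pat, FLAGS) for name, pat in RULES.items()}


def sample(boundary_tail, filler=True):
    """Build a constructed header block (hypothetical test input).

    boundary_tail is the part of the MIME boundary after
    '----=_NextPart_000_0007_'. With filler=False the Content-Type
    header follows Message-Id directly, leaving fewer than 100
    characters between the second '$' and 'boundary='.
    """
    lines = [
        "Return-Path: <sender@example.invalid>",
        "Message-Id: <000101c9ca5e$1a2b3c4d$0a0a0a0a@example.invalid>",
    ]
    if filler:
        lines += [
            "From: sender@example.invalid",
            "To: rcpt@example.invalid",
            "Subject: constructed sample",
            "MIME-Version: 1.0",
        ]
    lines += [
        "Content-Type: multipart/alternative;",
        '\tboundary="----=_NextPart_000_0007_%s"' % boundary_tail,
    ]
    return "\n".join(lines) + "\n"


def hits(headers):
    """Return the sorted names of the rules whose pattern matches."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(headers))


if __name__ == "__main__":
    for tail, filler in [("01C9CA5E.1A2B3C4D", True), ("01C9CA5E.1A2BFFFF", True),
                         ("01C9CA5E.FFFFFFFF", True), ("01C9CA5F.1A2B3C4D", True),
                         ("01C9CA5E.1A2B3C4D", False)]:
        print(tail, "filler" if filler else "no filler", hits(sample(tail, filler)))
```

A rule fires only when the hex groups captured from the Message-Id reappear in the boundary and Message-Id precedes the boundary by 100 to 400 characters, so a test file with different header ordering or spacing will not match.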
