First off I'd make sure you ran lint to see if you still have any old 2.6x
options in your 3.0 config.  That seems to have happened to a lot of people,
and can screw things up.

In general 3.0.4 seems to be better than 2.64, which was the expected end
goal.  The earlier 3.0 and 3.0.x releases had some assorted
problems/annoyances.  Perhaps the worst of these was the low score assigned
to bayes_99 that made it near useless.

I would upgrade your new 3.0.2 installation to 3.0.4.  I believe that 3.0.2
has a known DoS vulnerability.  Also, the bayes_99 score has been fixed in
3.0.4, as have several other things.

If you are using SARE rules, make sure to check them.  Several rule files
need to change when going from 2.6x to 3.0.x.

With all of the above done, you really should be getting better detection on
3.0.4 than on 2.64.

The only thing that seems to be happening that causes some FNs for some
people is if you have user rules.  Occasionally you will see an 'insecure
dependency' line in your log, and this will usually correspond to a spam
that slips through without getting scored.  You should look at the FNs you
have been getting and see if they have SA scores, or if they made it through
unscored.

        Loren
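
The check suggested above (do the false negatives carry an SA score, or did they pass through unscored?) can be scripted; this is an added example, not part of the original message. It assumes the default `X-Spam-Status` header, with `score=` as written by 3.0.x or `hits=` as written by 2.6x, and the sample messages are constructed.

```python
import re
from email import message_from_string

# 3.0.x writes "score=", 2.6x wrote "hits="; accept either spelling.
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

def sa_score(raw_message):
    """Return the SpamAssassin score as a float, or None if the mail was never scored."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None              # no header at all: SA did not finish scanning
    match = SCORE_RE.search(status)  # also works when the header is folded
    return float(match.group(1)) if match else None

def triage(messages):
    """Split false negatives into (subject, score) pairs and unscored subjects."""
    scored, unscored = [], []
    for raw in messages:
        subject = message_from_string(raw).get("Subject", "(no subject)")
        score = sa_score(raw)
        if score is None:
            unscored.append(subject)
        else:
            scored.append((subject, score))
    return scored, unscored

# Constructed sample false negatives (not real mail).
SAMPLES = [
    "From: a@example.com\nSubject: low-scoring spam\n"
    "X-Spam-Status: No, score=3.1 required=5.0\n"
    "\ttests=BAYES_50,HTML_MESSAGE autolearn=no version=3.0.4\n\nbody\n",
    "From: b@example.com\nSubject: slipped through unscored\n\nbody\n",
    "From: c@example.com\nSubject: scored by 2.64\n"
    "X-Spam-Status: No, hits=4.2 required=5.0 tests=HTML_MESSAGE version=2.64\n\nbody\n",
]

if __name__ == "__main__":
    scored, unscored = triage(SAMPLES)
    for subject, score in scored:
        print(f"scored   {score:5.1f}  {subject}")
    for subject in unscored:
        print(f"UNSCORED        {subject}")
```

Messages reported as unscored are the ones to compare against the timestamps of any 'insecure dependency' lines in the log; the scored ones are a rule or Bayes tuning question instead.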
