Tracey Gates wrote: > Here is a list of the rulesets that I'm using: > > 70_sare_adult.cf 70_sare_unsub.cf > 70_sare_bayes_poison_nxm.cf 70_sare_uri0.cf > 70_sare_evilnum0.cf 70_sare_uri1.cf > 70_sare_evilnum1.cf 70_sare_uri3.cf > 70_sare_evilnum2.cf 70_sare_uri.cf > 70_sare_genlsubj0.cf 70_sare_uri_eng.cf > 70_sare_genlsubj1.cf 70_sc_top200.cf > 70_sare_genlsubj2.cf 72_sare_bml_post25x.cf > 70_sare_genlsubj3.cf 72_sare_redirect_post3.0.0.cf > 70_sare_genlsubj.cf 88_FVGT_body.cf > 70_sare_genlsubj_eng.cf 88_FVGT_headers.cf > 70_sare_genlsubj_x30.cf 88_FVGT_rawbody.cf > 70_sare_header0.cf 88_FVGT_subject.cf > 70_sare_header1.cf 88_FVGT_uri.cf > 70_sare_header2.cf 99_FVGT_meta.cf > 70_sare_header3.cf 99_FVGT_Tripwire.cf > 70_sare_header.cf 99_sare_fraud_post25x.cf > 70_sare_header_eng.cf antidrug.cf > 70_sare_header_x264_x30.cf backhair.cf > 70_sare_header_x30.cf bogus-virus-warnings.cf > 70_sare_highrisk.cf chickenpox.cf > 70_sare_html0.cf init.pre > 70_sare_html1.cf local.cf > 70_sare_html2.cf local.cf.orig > 70_sare_html3.cf local.cf.rpmsave > 70_sare_html4.cf mangled.cf > 70_sare_html.cf random.cf > 70_sare_html_eng.cf random.current.cf > 70_sare_html_x30.cf rules_du_jour > 70_sare_oem.cf RulesDuJour > 70_sare_random.cf tripwire.cf > 70_sare_specific.cf weeds.cf > 70_sare_spoof.cf
You are duplicating rules. If you are using 70_sare_uri.cf, you don't need 70_sare_uri[0-3].cf. The same goes for genlsubj, html, etc. Also, some of the rulesets specify versions. Since you are using 3.0.4, you shouldn't use any of the "x30" or "x264" rules. Read the descriptions of the rulesets on www.rulesemporium.com/rules.htm to decide which rules you should be running. -- Bowie
