Hi,
have a look at rulesemporium.com
There are descriptions of the rules, and definitely you should use only
one out pof each set
of similar named ones
Wolfgang Hamann
Be careful there. It depends on what you mean by "similarly named".
It is perfectly valid to have
70_sare_html0.cf
70_sare_html1.cf
70_sare_html2.cf
70_sare_html3.cf
70_sare_html4.cf
on your system. Each higher numbered file adds more 'dangerous' tests to
the previous one.
It would NOT be valid to have only
70_sare_html1.cf
70_sare_html3.cf
70_sare_html4.cf
These depend on html0, so you would need that. And it would not make much
sense to have 3 and 4 without 2.
Also, the following would be wrong:
70_sare_html.cf
70_sare_html0.cf
70_sare_html1.cf
70_sare_html2.cf
The "html" file includes html0, html1, and I belive most all the others
except maybe html4. So if you had the above configuration you would have a
whole lot of duplicate rules.
The other thing to look out for is versioned files:
70_sare_whitelist_pre30.cf
72_sare_bml_post23x.cf
99_sare_fraud_post25x.cf
This is legal, IF you are running 2.63. However, assuming we had
70_sare_whitelist_pre30.cf
70_sare_whitelist_post30.cf
It would NOT be valid to have BOTH of those in your configuration.
Loren
