On Sat, Jun 13, 2009 at 18:47, MySQL Student<mysqlstud...@gmail.com> wrote:
> Hi John,
>
>> Botnet seems to have caught that just fine (it's listed in the rules
>> which were triggered). The problem is either that you're running it
>> at a lower score (which you could also do for Botnet0.8 if you wanted
>> to upgrade -- their default scores are exactly the same), or you need
>> other rules/configs to supplement your overall scoring system.
>
> Yes, I didn't intend to blame it on botnet; I realize the rule is being
> triggered.
>
> I guess I was concerned about raising the score above my current 1.5, and
> was thinking that instead some other rule was available, or being used by
> someone on the list, in conjunction with botnet to catch these.
>
> If not, can you recommend an approach on calculating the right score for
> botnet for my environment, so it doesn't tag so many FPs, or what an
> appropriate value should be with my threshold being set to 5.0?

That's a can of worms I'm not willing to open :-) I haven't seen a consensus on the list about what the right score is. Everyone seems to have their own pet score for it (I run it at 5.0 and haven't had more than a handful of FPs for all of the years that has been true). If people did come up with a consensus for it, I'd be happy to even make that the default, and just run it at 5.0 for myself.