On 7/22/2010 10:32 AM, Eric A. Hall wrote:
> Sometimes the AWL rule doesn't appear in the list.

That's correct.

At the very least, the AWL is a score averager, so the first message from a given From: and source IP combination cannot be AWLed. This definitely will cause a no-show. You need an existing history for that sender to generate an AWL score against. There are other cases too.. (read on)

> From looking at the
> behavior it seems that the rule is only guaranteed to fire if the stored
> score for the tuple is significantly different than the message score, or
> if the stored tuple has a very high stored score. But if the stored score
> and message score are close and the stored tuple does not have a large
> score, then the rule will not fire.

Define "significant".. If they are *exactly* the same, a hit will not occur (i.e.: the AWL will never report a hit for a true zero).

Snippets of code:

    $delta = $meanscore - $awlpoints;
    $delta *= $pms->{main}->{conf}->{auto_whitelist_factor};

    if ($delta != 0) {
        $pms->got_hit("AWL", "AWL: ", ruletype => 'eval',
                      score => sprintf("%0.3f", $delta));
    }

so got_hit never gets set if the score delta is 0.

> I assume the above reflects the logic for when to adjust the score, rather
> than reflecting when the tuple was matched. But the plugin text and code
> all talk about the rule firing on match, not when corrective scoring occurred.

Good point, it's a subtle difference, but given the code above, it is firing on adjustment only. (AFAIK, all rules in SA only show if they have non-zero score)

> Is this a bug? or should the text be changed?

Not a bug, but perhaps the text could be clarified.

> If the current code is intended, I'd like to request a new function call
> that tells if the tuple exists and the number of times it has been seen

For what purpose? (Not trying to be mean, just asking, because if it's not of use to the general SA community, it doesn't belong in the mainline release. However, if it's useful.....)
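
Added example (not part of the original message, and not SpamAssassin's code): a simplified in-memory Perl model of the behaviour discussed above, showing that "the sender tuple was already known" and "the AWL rule reported a hit" are different conditions. The `%history` store, `awl_check()`, the 0.5 factor and the sample messages are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Simplified model of the averaging described in the thread.
# Hypothetical names throughout; this is not the plugin's storage or API.
use strict;
use warnings;

my $factor = 0.5;   # stands in for auto_whitelist_factor (assumed value)
my %history;        # "from|ip" => { count => N, total => sum of scores }

sub awl_check {
    my ($from, $ip, $points) = @_;
    my $key   = "$from|$ip";
    my $entry = $history{$key};
    my $seen  = $entry ? $entry->{count} : 0;
    my ($delta, $fired) = (0, 0);

    if ($seen > 0) {
        # Only a tuple with history has a mean to compare against
        my $meanscore = $entry->{total} / $seen;
        # Same arithmetic as the snippet quoted in the message
        $delta = ($meanscore - $points) * $factor;
        # A hit is reported only for a non-zero adjustment
        $fired = $delta != 0 ? 1 : 0;
    }

    # Model assumption: store the pre-AWL score for future averages
    $history{$key}{count} += 1;
    $history{$key}{total} += $points;

    return { seen => $seen, fired => $fired, delta => $delta };
}

# Constructed sample traffic: [From, source IP, message score before AWL]
my @messages = (
    ['alice@example.com', '192.0.2.10', 4.0],   # first sighting, no history
    ['alice@example.com', '192.0.2.10', 4.0],   # score equals the stored mean
    ['alice@example.com', '192.0.2.10', 10.0],  # score differs from the mean
    ['bob@example.com',   '192.0.2.20', 1.5],   # different tuple, no history
);

for my $m (@messages) {
    my $r = awl_check(@$m);
    printf "%-18s score=%5.1f seen=%d tuple_known=%-3s AWL_hit=%-3s delta=%0.3f\n",
        $m->[0], $m->[2], $r->{seen},
        ($r->{seen} ? 'yes' : 'no'), ($r->{fired} ? 'yes' : 'no'), $r->{delta};
}
```

The second message is the case raised in the thread: the tuple is known, yet no AWL line would appear in the report because the adjustment is exactly zero.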