On Thu, 16 Aug 2012, RW wrote:
On Thu, 16 Aug 2012 12:18:44 -0400
Alex wrote:
What effect do whitelist entries have on autolearning
None at all because they are marked as "userconf".
bummer.
In other words, my whitelist_from_rcvd entries add -100 to the score,
which would be way beyond the -3 I have required for autolearn.
Setting a threshold of -3 is a bad idea unless you are going to write a
lot of local rules with negative scores. The OP would be much better
off zeroing the scores of the the offending DNSWL rules.
Then we get to the situation of the administrator has to know to do that
or SA goes off the rails.
It seems that the proper approach is to set "tflags noautolearn" on any
DNS-based base rule that has a negative score...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An operating system design that requires a system reboot in order to
install a document viewing utility does not earn my respect.
-----------------------------------------------------------------------
8 days until the 1933rd anniversary of the destruction of Pompeii
