Hi Pete,

I'm looking over Declude's recommended Sniffer configuration and trying to understand how much overlap there is between these options:

IPREPUTATION SNFIPREP x 0 10 -5
SNFIPCAUTION SNFIP x 4 5 0
SNFIPBLACK SNFIP x 5 10 0
SNFIPTRUNCATE SNFIP x 6 10 0
SNFTRUNCATE SNF x 20 10 0
SNIFFER-IP-RULES SNF x 63 10 0

Looking at the Sniffer documentation IP test result codes

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp

it seems that the SNFIP tests for "4", "5" and "6" (SNFIPCAUTION, SNFIPBLACK, SNFIPTRUNCATE) might coincide with 40, 63 and 20.

However, Declude ALSO tests for your Rule Group Result Codes "20" and "63", which are documented here:

http://www.armresearch.com/support/articles/software/snfServer/core.jsp

1. It seems to me as if their SNFTRUNCATE is the same as their SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK -- effectively artificially inflating (doubling) the weights for these tests?

2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP? There, any reputation > 0 (up to 1) is given an extra weight of 10. But doesn't SNFIPREP report from the same reputation data as the SNFIP (and possibly even group result codes 20 and 63)? In other words, are those IP addresses that generate a reputation factor of > 0 ALSO reported as Caution/Black or Truncate - if so, we'd now TRIPLE count that score.

Best Regards,
Andy

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [email protected], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
