Hi, On Wed, 18 Feb 2004 12:15:05 -0800 Matthew Trent <[EMAIL PROTECTED]> wrote:
> On Wednesday 18 February 2004 11:49 am, Chris Santerre wrote: > > > > > Is it possible to score a single rule additively? That is, the rule's > > > final score is the sum of the number of times it matched, rather than > > > simply whether or not it matched? > > > > Yes and no. :-) > > > > Not in any release of SA as of yet. Although someone did write an eval to > > add to SA that does just this. I have it, and like everything in my office, > > it is lost somewhere in the vastness of knowledge...(OK, clutter!) I'll see > > if I can dig it up. > > This is exactly what I've been complaining about with regard to too-long SA > reports (but kind of a different tack on it). These huge sets of little rules > (Tripwire, etc) would be much improved with a single additive score like Mr. > Hardin described. The huge rulesets are likely more efficient than code to count the number of occurrences. What people sometimes forget is that the rules that work great on a machine filtering 1,000 messages a day for three people don't work at all for sites filtering 500,000 messages a day for 1,000 people. -- Bob
