<rulepanics/>

The rule-panics section is a container for <rule/> entries. These entries identify pattern rule IDs that should be locally disabled (presumably because the rule causes false positives). When a rule is identified with a rule-panic entry, that rule is rendered inert. Other rules may still match a message and cause it to be marked as spam; rules identified with rule-panic entries cannot.

This mechanism allows an administrator (or even an automated system) to gain immediate relief from false positives caused by rules that are not compatible with their system. They should then also follow our false positives handling process so that we can make the appropriate adjustments to the rulebase and remove the need for the rule-panic entry.

The rule-panic mechanism is not intended to operate as a long-term solution to false positives. It is intended as a blunt, immediate solution that allows time for a more thorough and detailed solution to be found.

When a rule-panic entry is created and the configuration file is saved, the effect is essentially immediate. Within a second or so the new configuration will be loaded and the indicated rule will be inert. There is no need to restart the SNFMulti engine for configuration changes to be recognized.

By default one or more example rule-panic entries are included in the snf_engine.xml file and commented out. A rule-panic entry looks like this:

<rule id='123456'/>

The id='123456' establishes that the rule ID 123456 should be made inert. Note that the rule ID is distinct from the rule group ID for a rule. The rule group ID is used as the scan result code for a number of rules. A rule-panic entry must identify the rule specifically. Rule IDs can be found in <matches/> X- headers when they are enabled, or in scan/activity log files.

In X- headers the above rule ID might look something like this:

X-MessageSniffer-Rules:
	57-123456-965-976-m
	57-123456-965-976-f

In XML log files the rule ID might look something like this:

<m s='48' r='123456' i='965' e='976' f='m'/>

In classic log files the rule ID might look something like this:

snf2beta 20021204081147 Db8c1112.SMD 15 45 Final 123456 57 965 976 36 
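
To collect the rule IDs to list in rule-panic entries, the three formats above can be parsed mechanically. The following is an added example, not code from Message Sniffer: the field positions are assumptions inferred from the sample lines on this page, and the names extract_rule_ids and panic_entries are hypothetical.

```python
import re
from collections import Counter

# Patterns inferred from the three sample lines on this page (assumptions).
# X- header token: group-rule-index-end-flag, e.g. 57-123456-965-976-m
HEADER_RE = re.compile(r"^\s*\d+-(\d+)-\d+-\d+-[a-z]\s*$")
# XML log match element: the r attribute carries the rule ID.
XML_RE = re.compile(r"<m\s[^>]*\br='(\d+)'")
# Classic log: the rule ID is the field after the result word (e.g. Final).
CLASSIC_RE = re.compile(r"^\S+\s+\d{14}\s+\S+\s+\d+\s+\d+\s+[A-Za-z]+\s+(\d+)\s")


def extract_rule_ids(text):
    """Count rule IDs seen in X- header tokens, XML log lines and classic log lines."""
    counts = Counter()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            counts[m.group(1)] += 1
            continue
        xml_ids = XML_RE.findall(line)
        if xml_ids:
            counts.update(xml_ids)
            continue
        m = CLASSIC_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def panic_entries(rule_ids):
    """Render one <rule/> entry per distinct rule ID, sorted numerically."""
    return ["<rule id='%d'/>" % i for i in sorted({int(r) for r in rule_ids})]


# Constructed sample input, built from the formats shown above.
SAMPLE = """X-MessageSniffer-Rules:
\t57-123456-965-976-m
\t57-123456-965-976-f
<m s='48' r='123456' i='965' e='976' f='m'/>
snf2beta 20021204081147 Db8c1112.SMD 15 45 Final 123456 57 965 976 36
"""

if __name__ == "__main__":
    for entry in panic_entries(extract_rule_ids(SAMPLE)):
        print(entry)
```

The counts show how often each rule matched, which helps confirm that the rule being made inert is the one behind the false positives and not a rule group ID.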

Please email support@armresearch.com with any questions.
