Sniffer is suddenly creating a lot of False Positives. What do I do?

Most likely this is caused by a new rule in the rulebase. If you detect a critical false positive problem (a "Rulebase Panic"), you can do the following:

Rulebase Panic Procedure:

  1. Locate the rule ID in your Message Sniffer log which is causing the false positive.
  2. Create a rule-panic entry for that rule ID in your snf_engine.xml (or sndmdplugin.xml) file in the <rule-panics/> section. This temporarily deactivates the rule.
  3. Submit your false positive report normally.
  4. Send a note to support@armresearch.com indicating that you are having a critical false positive issue - we will expedite processing.
  5. Once the false positive issue is resolved, remove any rule-panic entries you have made. Resolution means we block, remove, or modify the rules that are causing the false positive; we will work with you to make that decision once we know which rules are involved.
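The procedure above, scripted as an added example that is not part of the original FAQ or of Message Sniffer: step 1 finds the rule ID that keeps firing in the log, step 2 adds a rule-panic entry under <rule-panics/>, and step 5 removes it again. The log line layout and the <rule id='...'/> child element are assumptions (only the <rule-panics/> section name comes from the FAQ), so compare them against your own log and snf_engine.xml before use.

```python
"""Rule-panic helper for Message Sniffer (hypothetical log and XML layouts)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample log lines in a HYPOTHETICAL layout: message name, the
# result code, and the rule ID that produced it. Adapt RULE_RE to the real
# Message Sniffer log layout on your system.
SAMPLE_LOG = """\
msg=a1 result=62 rule=1234
msg=a2 result=62 rule=1234
msg=a3 result=0 rule=0
msg=a4 result=62 rule=1234
msg=a5 result=63 rule=9876
"""
RULE_RE = re.compile(r"result=(\d+)\s+rule=(\d+)")

# Constructed minimal configuration; the real file has many more sections.
SAMPLE_CONFIG = "<snf><rule-panics/></snf>"


def suspect_rules(log_text: str, min_hits: int = 2) -> list[tuple[str, int]]:
    """Step 1: count how often each rule produced a non-zero result, most frequent first."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m and m.group(1) != "0":
            hits[m.group(2)] += 1
    return [(rid, n) for rid, n in hits.most_common() if n >= min_hits]


def set_rule_panic(xml_text: str, rule_id: str, enabled: bool) -> str:
    """Step 2 (enabled=True) adds, step 5 (enabled=False) removes, a
    <rule id='...'/> entry inside <rule-panics/>. The <rule> child element is
    an ASSUMED layout; verify it against your shipped snf_engine.xml."""
    root = ET.fromstring(xml_text)
    panics = root.find(".//rule-panics")
    if panics is None:
        raise ValueError("no <rule-panics/> section in configuration")
    existing = [r for r in panics.findall("rule") if r.get("id") == rule_id]
    if enabled and not existing:          # idempotent: never add twice
        ET.SubElement(panics, "rule", id=rule_id)
    elif not enabled:
        for r in existing:
            panics.remove(r)
    return ET.tostring(root, encoding="unicode")


def panicked_rules(xml_text: str) -> list[str]:
    """List the rule IDs currently deactivated by rule-panic entries."""
    return [r.get("id") for r in ET.fromstring(xml_text).iterfind(".//rule-panics/rule")]
```

Run suspect_rules on the real log first and panic only the rule the false positive report names; panicked_rules shows what is still deactivated so nothing is forgotten at step 5.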