<matches/>

This element controls the generation of a rule match list X-header.

The content of the X-header will be a list of pattern matches found in the message and the final result indicating the pattern match that was selected to represent the message.

<matches on-off='on'>X-MessageSniffer-Rules</matches>

on-off='on' turns on the match list X-Header, on-off='off' turns it off.

X-MessageSniffer-Rules is the default name of the X-header. You can change this text to customize the name of the header.

Typical output of this X-header looks something like this:

X-MessageSniffer-Rules:
	57-1404199-965-976-m
	57-1404199-1352-1363-m
	57-1404199-965-976-f

In this case there were two pattern matches (the two entries flagged m), both matching the same rule (heuristic). The first one was selected to represent the message, as the entry flagged f shows. This feature can be very helpful if you later have a false positive: the offending rule can be identified immediately from the header without hunting through log files.

57 - the symbol (rule group) of the rule that matched.

1404199 - the specific rule ID of the rule that matched.

965 - the index (start position) of the pattern match.

976 - the endex (end position) of the pattern match.

f - indicates the final result, the match selected to represent the message.

m - indicates a "match".

You might also see flags such as p for panic (indicating a rule in the panic list), w for white-rule or c for clean (no patterns matched).
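The following is an added example, not code from the page or from ARM Research, showing how a mail administrator or analyst can parse this X-header into structured records and pull out the rule to review after a false positive. The sample header is constructed from the example above; the parser assumes each entry is a whitespace-separated token of the form symbol-ruleID-index-endex-flag as described here, accepts any header name (since the name is configurable), and skips tokens that do not fit that shape (the page does not show what a clean "c" entry looks like, so that is an assumption rather than documented behaviour).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the header as shown on this page, folded across
# tab-indented continuation lines the way it appears in a raw message.
SAMPLE_HEADER = (
    "X-MessageSniffer-Rules:\n"
    "\t57-1404199-965-976-m\n"
    "\t57-1404199-1352-1363-m\n"
    "\t57-1404199-965-976-f\n"
)

# Result flags documented on this page.
FLAG_MEANINGS = {
    "m": "match",
    "f": "final result (the match selected to represent the message)",
    "p": "panic (rule in the panic list)",
    "w": "white-rule",
    "c": "clean (no patterns matched)",
}

# Entry shape: symbol-ruleID-index-endex-flag
ENTRY_RE = re.compile(r"^(\d+)-(\d+)-(\d+)-(\d+)-([a-z])$")


@dataclass(frozen=True)
class RuleMatch:
    symbol: int    # rule group
    rule_id: int   # specific rule ID
    index: int     # start position of the pattern
    endex: int     # end position of the pattern
    flag: str      # one of FLAG_MEANINGS (unknown flags are kept as-is)

    def describe(self) -> str:
        meaning = FLAG_MEANINGS.get(self.flag, "unknown flag")
        return (f"rule {self.rule_id} (group {self.symbol}) at "
                f"{self.index}-{self.endex}: {meaning}")


def parse_rules_header(raw: str) -> List[RuleMatch]:
    """Parse the X-header into RuleMatch records.

    Accepts either the full header line (any header name) or just its value.
    Folded continuation lines are handled by splitting on whitespace. Tokens
    that do not have the five-field shape are skipped rather than raising, so
    an unexpected token cannot break triage (assumption, see lead-in).
    """
    body = raw.split(":", 1)[1] if ":" in raw else raw
    entries: List[RuleMatch] = []
    for token in body.split():
        m = ENTRY_RE.match(token)
        if m:
            entries.append(RuleMatch(int(m[1]), int(m[2]), int(m[3]), int(m[4]), m[5]))
    return entries


def final_result(entries: List[RuleMatch]) -> Optional[RuleMatch]:
    """The entry flagged 'f' is the match chosen to represent the message."""
    return next((e for e in entries if e.flag == "f"), None)


def rules_to_review(entries: List[RuleMatch]) -> List[Tuple[int, int]]:
    """Distinct (symbol, rule ID) pairs in first-seen order: the rules to look
    at when the message turns out to be a false positive."""
    return list(dict.fromkeys((e.symbol, e.rule_id) for e in entries))


if __name__ == "__main__":
    matches = parse_rules_header(SAMPLE_HEADER)
    for entry in matches:
        print(entry.describe())
    print("final:", final_result(matches))
    print("rules to review:", rules_to_review(matches))
```

Because the final-result entry carries the same symbol and rule ID as the match it was chosen from, `rules_to_review` collapses the three entries of the sample to a single rule, which is exactly the identifier you would take to the rule maintainer.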

Please email support@armresearch.com with any questions.