On 4/26/12 8:50 AM, Grayhat wrote: > Emanuele... not sure it's doable nor if you can/want take the time to > do it but... in a past we discussed the same thing (timeframe) while > dealing with "InetMsg-Spamdomains"; the solution (ok the approach) was > to have separate signature files ... so one may either pick the "2 > weeks" one or the bigger "2 months" one This will be extremely easy to do for me: all the sigs are stored in a DB and choosing the timeframe is just a matter of how to compose the query that extracts them. If you think it's going to help, I can generate a separate malware sigfile with -say- the last 2 weeks only. Not sure it's worth generating one for each db: the cracked and phishing URLs are much more persistent and smaller in size so the 3 months timeframe is probably OK for those...