Hello All,
Thanks for the responses so far.
The reason I was hoping to exclude and not apply a response rule is I don't even want to track these Info/HTTP.
For example, these info for the policy, let's say it's looking for CC#. Just to gather data we were looking at all numbers. Generally we may not be concerned with any under 2, but we see that there may be perhaps some broken business process that we want to address that only falls into the SMTP and 1 match.
What I am seeing for the same incident and HTTP and 1 match 99% of the time is these garbage false positives with these arbitrary numbers (and keywords from data identifiers) in the web address, many of which are ....\postback
I was trying to tune out those false positives.
Open to other suggestions on how to accomplish this. This probably has to be on a policy level, as I don't know how it would affect future policies.