diff --git a/pkg/bincapz/render.go b/pkg/bincapz/render.go
index de50e1471..9a7637281 100644
--- a/pkg/bincapz/render.go
+++ b/pkg/bincapz/render.go
@@ -25,6 +25,7 @@ func forceWrap(s string, x int) string {
 	fw := []string{}
 	for _, w := range words {
 		if len(w) > x-2 {
+			klog.Infof("wrapping %s - longer than %d", w, x-2)
 			w = w[0:x-2] + ".."
 		}
 		fw = append(fw, w)
@@ -85,11 +86,13 @@ func RenderTable(fr *FileReport, w io.Writer) {
 		data = append(data, []string{"", "", "", ""})
 	}
-	valWidth := 24
 	width := terminalWidth()
-	if width > 110 {
-		valWidth += (width - 110)
+	valWidth := 8
+
+	if width > 90 {
+		valWidth = (width - 90)
 	}
+
 	if valWidth > 65 {
 		valWidth = 65
 	}
@@ -97,7 +100,7 @@ func RenderTable(fr *FileReport, w io.Writer) {
 	klog.Infof("terminal width: %d / val width: %d", width, valWidth)
 	for _, k := range kbs {
-		val := strings.Join(k.Behavior.Strings, "|||")
+		val := strings.Join(k.Behavior.Strings, "\n")
 		val = forceWrap(val, valWidth)
 		val = strings.ReplaceAll(val, "|||", "\n")
@@ -114,7 +117,7 @@ func RenderTable(fr *FileReport, w io.Writer) {
 			}
 		}
-		words, _ := tablewriter.WrapString(desc, 52)
+		words, _ := tablewriter.WrapString(desc, 40)
 		desc = strings.Join(words, "\n")
 		data = append(data, []string{fmt.Sprintf("%d/%s", k.Behavior.RiskScore, k.Behavior.RiskLevel), k.Key, val, desc})
@@ -122,7 +125,7 @@ func RenderTable(fr *FileReport, w io.Writer) {
 	table := tablewriter.NewWriter(os.Stdout)
 	table.SetAutoWrapText(false)
 	table.SetHeader([]string{"Risk", "Key", "Values", "Description"})
-	//table.SetBorder(false)
+	table.SetBorder(false)
 	for _, d := range data {
 		if strings.Contains(d[0], "LOW") {
 			table.Rich(d, []tablewriter.Colors{tablewriter.Colors{tablewriter.Normal, tablewriter.FgGreenColor}})
diff --git a/pkg/bincapz/report.go b/pkg/bincapz/report.go
index 4b8aee7c7..49d80d240 100644
--- a/pkg/bincapz/report.go
+++ b/pkg/bincapz/report.go
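Review bot: The new klog line in forceWrap prints `w` with `%s`, and these words come from strings extracted out of the scanned binary (RenderTable feeds it `k.Behavior.Strings` further down), so a hostile sample can push raw control characters and terminal escape sequences into the log; prefer `klog.Infof("wrapping %q - longer than %d", w, x-2)` so they are escaped. The truncation on the next line, `w[0:x-2]`, slices bytes rather than runes and can cut a multi-byte UTF-8 sequence in half for non-ASCII input, although that part is pre-existing. forceWrap begins before this hunk, so how `words` is split is not visible here.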
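Review bot: The new width arithmetic lets valWidth fall below the 8 it was just initialised to: for a terminal of 91 to 97 columns `valWidth = (width - 90)` yields 1 to 7, and at 91 forceWrap receives x=1 so `w[0:x-2]` panics on a negative slice bound, while at 92 every over-long value collapses to `..`. Only grow from the floor, e.g. `if width-90 > valWidth { valWidth = width - 90 }`, keeping the 65 cap after it. The constants 90 and 65 describe the table's fixed column budget and would read better as named constants next to the `WrapString(desc, 40)` width. RenderTable continues outside this hunk.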
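Review bot: With the join separator changed to `"\n"`, the unchanged `val = strings.ReplaceAll(val, "|||", "\n")` two lines below is dead and should be removed; if an extracted string can itself contain `|||`, that line now silently rewrites sample data instead. Whether the newline separators survive `forceWrap` depends on how that function tokenises `words` (defined above this hunk): if it splits on whitespace, the `"\n"` is consumed and the per-string layout is lost again. RenderTable continues outside this hunk.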
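Review bot: `tablewriter.NewWriter(os.Stdout)` on the first line of this hunk ignores RenderTable's `w io.Writer` parameter, so a caller passing a buffer or file still gets the table on stdout; it should be `tablewriter.NewWriter(w)`. Enabling `table.SetBorder(false)` is fine, but together with `SetAutoWrapText(false)` the pre-wrapped `val` and `desc` cells are the only thing keeping rows within the terminal, which ties the layout to the valWidth arithmetic earlier in the function. The remainder of RenderTable is outside the hunk.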
@@ -64,6 +64,7 @@ var yaraForgeJunkWords = map[string]bool{
 	"encoded": true,
 	"forensicartifacts": true,
 	"lnx": true,
+	"linux": true,
 }
 var dateRe = regexp.MustCompile(`[a-z]{3}\d{1,2}`)
diff --git a/rules/combo/backdoor/macos/alert_socket_getpid.yara b/rules/combo/backdoor/alert_socket_getpid.yara
similarity index 100%
rename from rules/combo/backdoor/macos/alert_socket_getpid.yara
rename to rules/combo/backdoor/alert_socket_getpid.yara
diff --git a/rules/combo/backdoor/macos/debug_post_execute.yara b/rules/combo/backdoor/debug_post_execute.yara
similarity index 100%
rename from rules/combo/backdoor/macos/debug_post_execute.yara
rename to rules/combo/backdoor/debug_post_execute.yara
diff --git a/rules/combo/backdoor/macos/dlsym_and_openpty.yara b/rules/combo/backdoor/dlsym_and_openpty.yara
similarity index 100%
rename from rules/combo/backdoor/macos/dlsym_and_openpty.yara
rename to rules/combo/backdoor/dlsym_and_openpty.yara
diff --git a/rules/combo/backdoor/macos/dlsym_pthread_exec.yara b/rules/combo/backdoor/dlsym_pthread_exec.yara
similarity index 100%
rename from rules/combo/backdoor/macos/dlsym_pthread_exec.yara
rename to rules/combo/backdoor/dlsym_pthread_exec.yara
diff --git a/rules/combo/backdoor/macos/exec_getprogname_waitpid.yara b/rules/combo/backdoor/exec_getprogname_waitpid.yara
similarity index 100%
rename from rules/combo/backdoor/macos/exec_getprogname_waitpid.yara
rename to rules/combo/backdoor/exec_getprogname_waitpid.yara
diff --git a/rules/combo/backdoor/macos/hostinfo_collector.yara b/rules/combo/backdoor/hostinfo_collector.yara
similarity index 100%
rename from rules/combo/backdoor/macos/hostinfo_collector.yara
rename to rules/combo/backdoor/hostinfo_collector.yara
diff --git a/rules/combo/backdoor/macos/ioplatform_sketchy.yara b/rules/combo/backdoor/ioplatform_sketchy.yara
similarity index 100%
rename from rules/combo/backdoor/macos/ioplatform_sketchy.yara
rename to rules/combo/backdoor/ioplatform_sketchy.yara
diff --git a/rules/combo/backdoor/linux/iptables_gdns_http.yara b/rules/combo/backdoor/iptables_gdns_http.yara
similarity index 100%
rename from rules/combo/backdoor/linux/iptables_gdns_http.yara
rename to rules/combo/backdoor/iptables_gdns_http.yara
diff --git a/rules/combo/backdoor/linux/iptables_ssh.yara b/rules/combo/backdoor/iptables_ssh.yara
similarity index 100%
rename from rules/combo/backdoor/linux/iptables_ssh.yara
rename to rules/combo/backdoor/iptables_ssh.yara
diff --git a/rules/combo/backdoor/linux/iptables_upload_http.yara b/rules/combo/backdoor/iptables_upload_http.yara
similarity index 100%
rename from rules/combo/backdoor/linux/iptables_upload_http.yara
rename to rules/combo/backdoor/iptables_upload_http.yara
diff --git a/rules/combo/backdoor/linux/listen_terminal_exec.yara b/rules/combo/backdoor/listen_terminal_exec.yara
similarity index 100%
rename from rules/combo/backdoor/linux/listen_terminal_exec.yara
rename to rules/combo/backdoor/listen_terminal_exec.yara
diff --git a/rules/combo/backdoor/macos/listpids_libcurl.yara b/rules/combo/backdoor/listpids_libcurl.yara
similarity index 100%
rename from rules/combo/backdoor/macos/listpids_libcurl.yara
rename to rules/combo/backdoor/listpids_libcurl.yara
diff --git a/rules/combo/backdoor/macos/macos_kitchen_sink.yara b/rules/combo/backdoor/macos_kitchen_sink.yara
similarity index 100%
rename from rules/combo/backdoor/macos/macos_kitchen_sink.yara
rename to rules/combo/backdoor/macos_kitchen_sink.yara
diff --git a/rules/combo/backdoor/linux/multiple_sys_commands.yara b/rules/combo/backdoor/multiple_sys_commands.yara
similarity index 100%
rename from rules/combo/backdoor/linux/multiple_sys_commands.yara
rename to rules/combo/backdoor/multiple_sys_commands.yara
diff --git a/rules/combo/backdoor/linux/selinux_firewall.yara b/rules/combo/backdoor/selinux_firewall.yara
similarity index 100%
rename from rules/combo/backdoor/linux/selinux_firewall.yara
rename to rules/combo/backdoor/selinux_firewall.yara
diff --git a/rules/combo/backdoor/linux/sensitive_linux_logs.yara b/rules/combo/backdoor/sensitive_logs.yara
similarity index 91%
rename from rules/combo/backdoor/linux/sensitive_linux_logs.yara
rename to rules/combo/backdoor/sensitive_logs.yara
index 05a26efd8..2f9aa3e3d 100644
--- a/rules/combo/backdoor/linux/sensitive_linux_logs.yara
+++ b/rules/combo/backdoor/sensitive_logs.yara
@@ -1,5 +1,4 @@
-
-rule system_log_references {
+rule system_log_references : suspicious {
   meta:
     description = "Accesses multiple sensitive Linux logs"
   strings:
diff --git a/rules/combo/backdoor/macos/sw_vers_libcurl.yara b/rules/combo/backdoor/sw_vers_libcurl.yara
similarity index 100%
rename from rules/combo/backdoor/macos/sw_vers_libcurl.yara
rename to rules/combo/backdoor/sw_vers_libcurl.yara
diff --git a/rules/combo/backdoor/linux/system_write_geteuid_sleep.yara b/rules/combo/backdoor/system_write_geteuid_sleep.yara
similarity index 100%
rename from rules/combo/backdoor/linux/system_write_geteuid_sleep.yara
rename to rules/combo/backdoor/system_write_geteuid_sleep.yara
diff --git a/rules/combo/worm/ssh.yara b/rules/combo/worm/ssh.yara
index 3ed4b8d0d..d90e4c527 100644
--- a/rules/combo/worm/ssh.yara
+++ b/rules/combo/worm/ssh.yara
@@ -1,6 +1,6 @@
-rule generic_scan_tool : critical {
+rule generic_scan_tool : suspicious {
   meta:
-    description = "Probably an SSH worm, like SSH-Snake"
+    description = "possible SSH worm like SSH-Snake"
   strings:
     $s_dot_ssh = ".ssh"
     $s_authorized_keys = "authorized_keys"
diff --git a/rules/data/embedded-pem-private_key.yara b/rules/data/embedded-pem-private_key.yara
index d9fadfe5f..f7506196a 100644
--- a/rules/data/embedded-pem-private_key.yara
+++ b/rules/data/embedded-pem-private_key.yara
@@ -1,4 +1,4 @@
-rule begin_key {
+rule begin_private_key : notable {
   meta:
     description = "Contains PRIVATE KEY directive"
   strings:
@@ -7,4 +7,15 @@ rule begin_key {
     any of them
 }
+rule rsa_private_key : notable {
+  meta:
+    description = "Contains RSA PRIVATE KEY directive"
+  strings:
+    $ref = "RSA PRIVATE KEY-----"
+  condition:
+    any of them
+}
+
+
+
diff --git a/rules/data/embedded-ssh-key.yara b/rules/data/embedded-ssh-key.yara
index abfb4853d..28cea60d8 100644
--- a/rules/data/embedded-ssh-key.yara
+++ b/rules/data/embedded-ssh-key.yara
@@ -1,5 +1,6 @@
-rule ssh_pubilc_key : suspicious {
+rule ssh_public_key : suspicious {
   meta:
+    description = "contains SSH public key"
     ref = "https://unfinished.bike/qubitstrike-and-diamorphine-linux-kernel-rootkits-go-mainstream"
   strings:
     $ssh_rsa = /ssh-[dr]sa [\w\+\/\=]{0,1024} [\w\-\.]{0,32}\@[\w\.\-]{1,64}/
diff --git a/rules/ref/email.yara b/rules/ref/email.yara
index 9a114238e..d07995fed 100644
--- a/rules/ref/email.yara
+++ b/rules/ref/email.yara
@@ -1,4 +1,4 @@
-rule email_addr {
+rule email_addr : harmless {
   meta:
     description = "Contains an email address"
   strings:
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
index c4a4780b1..7cd807763 100644
--- a/rules/techniques/code_eval.yara
+++ b/rules/techniques/code_eval.yara
@@ -6,3 +6,4 @@ rule eval : suspicious {
   condition:
     any of them
 }
+
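Review bot: The new rsa_private_key rule's `"RSA PRIVATE KEY-----"` is a superset of the generic marker, so if begin_private_key's string is the usual `PRIVATE KEY-----` (its strings are above this hunk and not visible here) every RSA key now fires both notable rules and is counted twice in the risk score. It also only distinguishes legacy PEM RSA keys; PKCS#8 `BEGIN PRIVATE KEY`, EC, DSA and `BEGIN OPENSSH PRIVATE KEY` blocks all fall through to the generic rule with no type information. Either drop this rule or make the pair disjoint, e.g. `$ref = /-----BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY-----/` here with a description naming the key type. The three trailing blank `+` lines can be dropped.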
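Review bot: The `$ssh_rsa` regex on the unchanged line below the new description matches `ssh-[dr]sa`, but the OpenSSH DSA key type is spelled `ssh-dss`, so the `ssh-dsa` branch never matches a real key and DSA keys are missed; `ssh-ed25519` and `ecdsa-sha2-nistp*` keys, and any key whose trailing comment lacks an `@`, are missed as well. Consider `$ssh_key = /(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+) [\w\+\/\=]{16,1024}( [\w\-\.]{0,32}\@[\w\.\-]{1,64})?/` and re-run the corpus for false positives before widening a suspicious-tagged rule. Renaming ssh_pubilc_key to ssh_public_key also changes the identifier in any report output or allowlist keyed on the old name.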