RE: [sniffer] Call for beta testers... snfrv2r3b1
Paul,

Did you have the persistent sniffer.exe running when this log was generated?

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject / Wannepad 27 - 1066 HW -Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peer-to-Peer, LLC
Sent: Thursday, 18 March 2004 15:15
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

Groet,

RE: MDaemon: I guess I'm confused on how to determine the Content Filter poll time. Here's a (.txt) snippet of my CF log file which does not show a delay (or at least to my level of skill abilities; which is minimal by-the-way).

I'll be happy to test some things on our server if you have any specific instructions for me. We share the same objectives.

Regards,
Paul Roulier

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michiel Prins
Sent: Thursday, March 18, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

Paul,

Aren't you having problems that the polling times just make the waiting times in the CF longer? While normally my bottleneck was the loading of the rulebase, now it's the polling time which is way longer.

Pete,

With MDaemon, where there's only one message being processed at a time, and there's no multithreading content filter yet, I would like to be able to set polling time to a fixed 25 or 30 ms. Normally, loading the rulebase would take 200, with polling I understand this could be reduced to 30 ms - if the time can be set to a fixed ms.

Could you also consider the other options I asked?

Groet, (regards)
--
ing. Michiel Prins bsc
[EMAIL PROTECTED]
SOS Small Office Solutions / Reject / Wannepad 27 - 1066 HW -Amsterdam
t.+31(0)20-4082627 - f.+31-(0)20-4082628
--
Consultancy - Installation - Maintenance
Network Security - Internet - E-mail
Software Development - Project Management
--

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peer-to-Peer, LLC
Sent: Thursday, 18 March 2004 4:21
To: [EMAIL PROTECTED]
Subject: RE: [sniffer] Call for beta testers... snfrv2r3b1

_M,

FYI: Have been running the beta ver 2.3b1 on MDaemon 7.0.0 for several hours now and all is stable. Everything is performing as advertised...

paul roulier

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Wednesday, March 17, 2004 2:05 PM
To: [EMAIL PROTECTED]
Subject: [sniffer] Call for beta testers... snfrv2r3b1

Hello folks,

I know folks are anxious to get their hands on this version so I'm going to play this beta round a little looser than usual.

Version 2-3b1 implements a persistent mode feature for our cellular peer-server technology. Launching a persistent instance of Message Sniffer has the effect of creating a daemon so that all other instances will elect to be clients.

We observed a DRAMATIC improvement in system performance on our NT4/Imail/Declude test bed.

In static tests on my Toshiba 6100 we saw no memory leaks and consistent performance over the past 18+ hours of testing. This included several tests with more than 100+ concurrent client instances - all without failure and without making the system unresponsive (though the WinXP file system did start to show signs of strain).

This beta is for the windows platform only... once we're happy with this version we will make the source and *nix versions available as always.

Windows platform users who are interested in testing the new beta should download the following file:

http://www.sortmonster.com/MessageSniffer/Betas/snfrv2r3b1.zip

The file contains an executable and a short readme file.

We are going to be extremely busy for the next few hours so we won't be able to provide support on this until later this evening. We have many updates and rulebase mods to attend to at the moment since we shifted resources heavily toward development last evening and through the night... The current spam storm continues to rage with more than 500 core rule-base changes yesterday alone!

Be careful. Backup your current production version. Watch carefully. Enjoy :-)

_M

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Call for beta testers... snfrv2r3b1
At 08:08 PM 3/17/2004, you wrote:

> What is the number after Polled waited:

That is the number of milliseconds the persistent server waited to poll the working directory for more jobs. This number will increase each time no jobs are found. When a job is found the persistent server will not wait before looking for the next job - so you will only see these messages when the persistent server finds no messages to process.

> I also noticed that when many emails are coming in I still see multiple Sniffer.exe programs running.

That is normal. Each message being processed will load an instance of Sniffer. With the persistent server running all of the other instances should elect to be clients so they will simply record a job record (.QUE) and wait for the server instance to process their message (.FIN). Then they will pick up the result and exit - reporting the result back to the calling program.

Client instances take very little memory and spend most of their time sleeping so they require very few CPU or IO resources.

_M
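The hand-off described in the reply above (a client records a .QUE job, the persistent server polls the working directory and leaves a .FIN result, and the idle wait grows until a job turns up), sketched as an added example that is not Message Sniffer code. The doubling schedule, the 25/400 ms bounds, the file contents, the write-then-rename step and every function name are assumptions made for illustration.

```python
import os
import tempfile

MIN_WAIT_MS, MAX_WAIT_MS = 25, 400  # assumed bounds; the thread gives no schedule

def _write_atomic(path, text):  # temp name + rename: a poller never reads a partial file
    with open(path + ".tmp", "w") as fh:
        fh.write(text)
    os.replace(path + ".tmp", path)

def client_submit(workdir, job_id, message):  # client: record a job (.QUE)
    _write_atomic(os.path.join(workdir, job_id + ".QUE"), message)

def client_collect(workdir, job_id):  # client: pick up the result (.FIN), None if not ready
    fin = os.path.join(workdir, job_id + ".FIN")
    if not os.path.exists(fin):
        return None
    with open(fin) as fh:
        result = fh.read()
    os.remove(fin)
    return result

def server_poll(workdir, scan):  # server: process every pending .QUE, return the count
    jobs = sorted(f for f in os.listdir(workdir) if f.endswith(".QUE"))
    for name in jobs:
        que = os.path.join(workdir, name)
        with open(que) as fh:
            _write_atomic(que[:-4] + ".FIN", scan(fh.read()))
        os.remove(que)
    return len(jobs)

def run_server(workdir, scan, polls, sleep, before_poll=lambda i: None):
    # Poll `polls` times; return the waits (ms) taken after each empty poll.
    wait_ms, waited = 0, []
    for i in range(polls):
        before_poll(i)  # demo hook: lets a client submit between polls
        if server_poll(workdir, scan):
            wait_ms = 0  # job found: look for the next one without waiting
        else:
            wait_ms = min(MAX_WAIT_MS, max(MIN_WAIT_MS, wait_ms * 2))
            waited.append(wait_ms)
            sleep(wait_ms / 1000.0)
    return waited

def demo(polls=6, arrive_at=3):
    # One constructed message arrives before poll `arrive_at`; sleeping is stubbed out.
    scan = lambda text: "1" if "sample" in text else "0"  # stand-in for the rulebase scan
    with tempfile.TemporaryDirectory() as d:
        submit = lambda i: i == arrive_at and client_submit(d, "msg0001", "constructed sample")
        return run_server(d, scan, polls, lambda s: None, submit), client_collect(d, "msg0001")
```

In `demo()` the wait climbs while the directory is empty and drops back to the minimum after the job at poll 3, which is why a fixed short interval and a growing one behave so differently on a server that handles one message at a time.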
[sniffer] Bagle.Q rule added
We have just added a rule for the Bagle.Q worm derived from data at the following link:

http://www.auscert.org.au/render.html?it=3957

The rule should be present in your next update. A full rule-base compile is under way.

Thanks!
_M
Re: [sniffer] RunExeSvc for Persistent sniffer.
Ok, I think I did it. Only took a minute (thanks Bill). Here are some more precise directions, but consider them to be "beta" directions (please correct them if you find a problem):

1) Install the Windows 2000 Resource Kit, or download and install the INSTSRV.exe and SRVANY.exe files in a permanent location, preferably within your path. The individual files can be found at the following location:
   http://www.pyeung.com/pages/win2k/userdefinedservice.html
2) Open a command prompt (Click on the Start Button, Select Run, and type CMD)
3) Enter the following command (customize for the paths of the executables)
   C:\Progra~1\Resour~1\INSTSRV Sniffer C:\Progra~1\Resour~1\SRVANY.exe
4) Open up the Registry Editor (Click on the Start Button, select Run, and type REGEDIT)
5) Locate the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sniffer
6) From the Edit menu, select New, select Key, and name the new key Parameters
7) Highlight the Parameters key
8) From the Edit menu, select New, select String Value, and name the new value Application
9) From the Edit menu, select Modify, and type in the full path name and application name, including the drive letter and file extension (don't use quotes, customize path, executable name and authentication code)
   Example: C:\IMail\Declude\Sniffer\[yourlicx].exe [authenticationxx] persistent
   [yourlicx] = your license ID
   [authenticationxx] = your authentication string
10) Open the Services MMC
11) Start the Sniffer service
12) Set the Sniffer service to Automatic

Matt

Matt wrote:

I'm going to give this one a try right now since I have the Resource Kit installed already. Just one question...do I need to change the arguments in my Declude config, or will the service definition take care of the 'persistence'?

Thanks,
Matt

Bill Boebel wrote:

We've been using srvany for years with several custom applications and it works great. This utility has been around since the NT4 Resource Kit...

http://www.pyeung.com/pages/win2k/userdefinedservice.html

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Friday, March 19, 2004 12:25 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] RunExeSvc for Persistent sniffer.

Hello folks,

We've been continuing to test the new persistence enabled sniffer engine and some utilities that will allow it to run as a service. We found a free utility that seems to be very solid, and very simple.

http://www.judoscript.com/goodies/RunExeSvc/runexesvc.html

One of the scripts we used is:

    debug=false
    cmdline=c:\Projects\sniffer2-3\TestBed\snfrv2r2.exe xnk05x5vmipeaof7 persistent
    home=c:\Projects\sniffer2-3\TestBed

(Note: The mismatch between the sniffer2-3 directory and the snfrv2r2.exe is not a typo. We re-branded the 2-3 to use the snfrv2r2 license in our example - it was easier than creating a new license. Note also that the cmdline parameter includes the full path to the executable - you will need to do this also. We could not get the service to start on our NT test bed without including the full path to the .exe)

We've tested this on our XP based Toshiba laptop, and on our NT4 based IMail test bed. Both seem to set up and work fine. Auto-start works fine, so does logging out and logging in.

Once you've set up a persistent sniffer instance as a service, go into your services control panel (usually via administrative tools), set the service to start automatically, and start it. A window will appear for the program - do not close the window! Minimize it. When you log out sniffer will continue to run in the background. When you log in the window will be visible again - it's harmless. If you close it though you will have ended the sniffer.exe out from under the service. This won't cause you any trouble, but you won't get the benefit of the persistent server until you stop and start the service again to relaunch the program.

Using RunExeSvc, the actual service is the RunExeSvc program. That program launches sniffer as a client and stands in as a service stub for your OS. You can use this to run all sorts of things... The developer uses it to run Java based web servers, for example.

Eventually we will build a win32 service version of Message Sniffer, but for now this is the fastest way we can bring you the features you need.

Please give this a try and let us know how it works for you. If you find a different utility that you like better then please let us know.

Thanks!
_M
Re: [sniffer] RunExeSvc for Persistent sniffer.
Pete,

Although inconclusive, some screen caps of Task Manager seem to show a dramatic reduction in many of the peaks with the service turned on. It's hard to tell the exact impact due to the virus scanners not always being called, and SKIPIFWEIGHT settings disabling a mountain of custom Declude filters which both are processor hogs, but the smaller peaks. I believe the following before and after screen caps are representative of the impact (I looked for similar E-mail hit frequencies):

Before
http://www.mailpure.com/no_service.gif

After (with service)
http://www.mailpure.com/service.gif

The real test will have to wait for rush hour though.

Thanks,
Matt

Pete McNeil wrote:

The service definition takes care of the persistence. Your Declude config should not be changed.

_M

At 01:05 AM 3/19/2004, you wrote:

> I'm going to give this one a try right now since I have the Resource Kit installed already. Just one question...do I need to change the arguments in my Declude config, or will the service definition take care of the 'persistence'?
>
> Thanks,
> Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=