On 4/30/2010 5:54 PM, Andy Schmidt wrote:
Hi Pete,

I'm looking over Declude's recommended Sniffer configuration and trying to
understand how much (if any) overlap there is between these options they
implemented and recommend:

This was cross-posted from the Declude.JunkMail list and I answered it there.
For completeness I will copy my answer here too:

I am not intimately familiar with Declude's configuration and SNF integration --- not like I used to be anyway (soooo many platforms now).

I _think_ these tests work like this:

The SNFIPREP test gives you a variable weight based on the IP reputation in GBUdb. This allows you to get some weighting positively or negatively based on the reputation even when that reputation is not in one of the defined GBUdb envelopes. It's a subtle nudge in the right direction.

The SNFIP test gives you a hard result code based only on the IP reputation when that reputation is within one of the envelopes defined for GBUdb. So if the IP reputation is in the Caution, Black, or Truncate range then that test will fire.

Presumably all of the IP tests happen before SNF scans the message -- because they can -- I don't know that they do, but I know that IP reputations can be queried before and separately from a scan. (Scans MUST happen in order for GBUdb to build up reputation data however).

Finally, the SNF test responds to the normal blended result codes that SNFClient would return. So result code 20 is Truncate, meaning that the IP reputation was so bad that SNF stopped the scan and returned the result code.

Result code 63 is Black which could mean that an SNF IP rule fired (rare these days) or that no pattern matched but the IP was in the Black range in GBUdb so GBUdb took over and forced the result code from 0 (no pattern found) to 63 (Black).

Other result codes are also possible:

http://www.armresearch.com/support/articles/software/snfClient/resultCodes.jsp#msgScan

David -- if I got any of this wrong please correct me.
However, Declude ALSO tests for your Rule Group Result Codes "20" and "63"
which are documented here:
http://www.armresearch.com/support/articles/software/snfServer/core.jsp

1. It seems to me, as if their SNFTRUNCATE is the same as their
SNFIPTRUNCATE, and their SNIFFER-IP-RULES is the same as their SNFIPBLACK -- effectively artificially inflating (doubling) the weights for these tests?

Yes -- if you have them configured that way. Some of the results are predictable.

If SNFIP is Black or Caution then you are virtually guaranteed to get a Black or Caution result from SNF -- unless SNF matches a pattern, in which case you will get a pattern result code from the SNF test.

If SNFIP is Truncate then SNF should also return Truncate.

The weights you assign to these should be set accordingly.

2. How do those Caution/Black/Truncate exit codes relate to SNFIPREP.
There, any reputation > 0 (up to 1) is given an extra weight of 10. But
doesn't SNFIPREP report from the same reputation data as the SNFIP (and
possibly even group result codes 20 and 63)? In other words, are those IP
addresses that generate a reputation factor of > 0 ALSO reported as
Caution/Black or Truncate - if so, we'd now TRIPLE count that score.

That's not quite true...

I presume the SNFIPREP test uses a sliding numeric value that combines the probability factor and the confidence factor for the IP. This is not the same thing as Caution, Black, and Truncate.

The SNFIPREP result is a sliding value that will work even when the reputation is not in the (White) Caution, Black, and Truncate ranges. When an IP's reputation is in one of those ranges then the appropriate result from SNFIP will either be returned or not (On or Off).

Now-- I presume that even when SNFIP does return Caution, Black, or Truncate that SNFIPREP continues to work and in that case will provide some shading to those values... so, if you will, more or less Black, etc.

I don't think that I would necessarily use all of these together -- though it is possible to do so. It seems to me that it might become very complicated since there is some overlap.

That said -- I do think that some of these tests can be combined successfully without too much confusion... it's just a matter of knowing how they interact. Hopefully my description is helpful (and my assumptions are correct).

Best,

_M



--
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to  <sniffer-requ...@sortmonster.com>
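The interaction Pete describes above (SNFIPREP as a sliding value, SNFIP as a hard envelope hit, and the blended SNF scan result with codes 20 and 63) is easier to reason about as a small model. The following is an added example, not Declude or Message Sniffer code. It assumes a GBUdb reputation is a (probability, confidence) pair, uses made-up envelope thresholds rather than SNF's shipped defaults, models SNFIPREP as probability times confidence (only Pete's presumption in the thread), and uses hypothetical Declude weights under the test names from Andy's question. Only result codes 20 (Truncate) and 63 (Black) come from the thread; the Caution code is not given there and is left unset.

```python
"""Toy model of how the Declude/SNF tests in the thread overlap (added example)."""
from typing import Dict, Optional, Tuple

# Result codes named in the thread; Caution's code is not given there.
RESULT_CODES = {"truncate": 20, "black": 63}

# Illustrative GBUdb envelopes as (name, min probability, min confidence).
# Assumed for this example; not Message Sniffer's real defaults.
ENVELOPES = (
    ("truncate", 0.99, 0.60),
    ("black", 0.95, 0.30),
    ("caution", 0.60, 0.20),
)


def gbudb_envelope(prob: float, conf: float) -> Optional[str]:
    """Worst envelope the reputation falls into, or None when outside all of them."""
    for name, min_prob, min_conf in ENVELOPES:
        if prob >= min_prob and conf >= min_conf:
            return name
    return None


def snfiprep(prob: float, conf: float) -> float:
    """Sliding reputation value that works even outside the envelopes.
    Modelled as probability * confidence (an assumption of this example)."""
    return prob * conf


def snfip(prob: float, conf: float) -> Optional[str]:
    """Hard on/off result: the envelope name, or None."""
    return gbudb_envelope(prob, conf)


def snf_scan(prob: float, conf: float,
             pattern_code: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Blended scan result as the thread describes it: Truncate stops the scan (20);
    otherwise a matched pattern wins; with no pattern, a Black IP forces 0 -> 63."""
    env = gbudb_envelope(prob, conf)
    if env == "truncate":
        return "truncate", RESULT_CODES["truncate"]
    if pattern_code is not None:
        return "pattern", pattern_code
    if env == "black":
        return "black", RESULT_CODES["black"]
    if env == "caution":
        return "caution", None  # code not given in the thread
    return "clean", 0


# Hypothetical Declude weights using the test names from the question.
ALL_TESTS = {
    "SNFIPTRUNCATE": 10, "SNFTRUNCATE": 10,
    "SNFIPBLACK": 8, "SNIFFER-IP-RULES": 8,
    "SNFIPCAUTION": 3,
    "SNFIPREP": 10,
}
# The same thresholds with the duplicated IP/scan pairs removed.
DEDUPED_TESTS = {"SNFTRUNCATE": 10, "SNIFFER-IP-RULES": 8,
                 "SNFIPCAUTION": 3, "SNFIPREP": 10}


def declude_score(prob: float, conf: float, pattern_code: Optional[int] = None,
                  weights: Dict[str, float] = ALL_TESTS) -> Dict[str, float]:
    """Return the tests that fire and their weights, plus a TOTAL entry."""
    fired: Dict[str, float] = {}
    env = snfip(prob, conf)
    _label, code = snf_scan(prob, conf, pattern_code)
    ip_tests = {"truncate": "SNFIPTRUNCATE", "black": "SNFIPBLACK", "caution": "SNFIPCAUTION"}
    scan_tests = {RESULT_CODES["truncate"]: "SNFTRUNCATE", RESULT_CODES["black"]: "SNIFFER-IP-RULES"}
    if env in ip_tests and ip_tests[env] in weights:
        fired[ip_tests[env]] = weights[ip_tests[env]]
    if code in scan_tests and scan_tests[code] in weights:
        fired[scan_tests[code]] = weights[scan_tests[code]]
    rep = snfiprep(prob, conf)
    if rep > 0 and "SNFIPREP" in weights:
        fired["SNFIPREP"] = weights["SNFIPREP"] * rep  # variable weight, scaled by reputation
    fired["TOTAL"] = sum(fired.values())
    return fired


if __name__ == "__main__":
    # Constructed scenarios: truncate-range IP, black-range IP with and without a
    # pattern hit, caution-range IP, and an IP outside every envelope.
    for prob, conf, pat in ((0.995, 0.8, None), (0.97, 0.5, None),
                            (0.97, 0.5, 52), (0.7, 0.25, None), (0.3, 0.9, None)):
        print(prob, conf, pat, "all:", declude_score(prob, conf, pat),
              "deduped:", declude_score(prob, conf, pat, DEDUPED_TESTS))
```

Running the scenarios shows the effect Andy asked about: a truncate-range IP fires SNFIPTRUNCATE, SNFTRUNCATE and SNFIPREP together, so its weight is counted roughly three times with the full list and about twice with the deduplicated one. The black-range case with a pattern hit shows Pete's caveat: the SNF test returns the pattern code instead of 63, so SNIFFER-IP-RULES does not fire even though SNFIPBLACK does. The out-of-envelope case shows SNFIPREP contributing on its own.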
