Thanks for the info, Pete.  Appreciate your proactiveness on this.

Hope you had a good Thanksgiving!

Darin.



From: Pete McNeil
Sent: Tuesday, December 01, 2015 5:57 PM
To: Message Sniffer Community
Subject: [sniffer] Short Match FPs.

Hi Folks,

I'm sorry to report there is a problem.

For the past few days we have been seeing some intermittent corruption in 
some rulebase updates.

Since we made no changes to precipitate this, and since it's only been 
reported by a few systems intermittently, it's a bit of a challenge to nail 
down. However, it is our top priority at the moment.

Here is what we do know about it:

  a. The problem appears to have started around Nov 29.
  b. It is highly intermittent and random.
  c. It causes some false positives.
  d. You can identify a short-match event by looking at the index and endex 
of a rule match. If the difference is less than 5 then you have a short rule 
match.
  e. You can mitigate the problem by temporarily putting the associated 
rule ID in your rule-panic list in your SNF configuration.
  f. Normally the problem goes away on the next rulebase update.
  g. Sometimes it doesn't go away but changes the associated rule ID.

For now the best thing to do is add a rule-panic entry when you spot one of 
these. That will solve the problem for that update.


Be sure to remove your rule panic entries occasionally since they won't help 
you after a day.


We will continue to work on this until we understand it and it is resolved.


Best,


_M


-- 
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller
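As an added example (not part of Pete's post and not SNF's own code): a small Python checker that applies the index/endex rule from the post to match records and keeps a rule-panic list whose entries are dropped after a day. The log line format, rule IDs and timestamps below are constructed for illustration; the real SNF log format is not reproduced here.

```python
# Added example, not SNF's own code. The record format is CONSTRUCTED; only the
# index/endex fields, the "< 5" threshold and the one-day lifetime come from the post.
import re
from datetime import datetime, timedelta

SHORT_MATCH_MAX_SPAN = 5        # endex - index below this => short match (from the post)
PANIC_TTL = timedelta(days=1)   # panic entries stop being useful after about a day

# Constructed record shape: timestamp, rule id, index, endex of one rule match.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) rule=(?P<rule>\d+) index=(?P<index>\d+) endex=(?P<endex>\d+)$"
)

# Constructed sample log; rule 2345678 shows the short-match symptom.
SAMPLE_LOG = """\
2015-12-01T10:00:00 rule=1234567 index=120 endex=180
2015-12-01T10:05:00 rule=2345678 index=40 endex=43
2015-12-01T10:07:00 rule=2345678 index=88 endex=90
2015-12-01T10:09:00 rule=3456789 index=10 endex=15
"""


def is_short_match(index, endex):
    """A short match is one where endex - index is less than 5."""
    return (endex - index) < SHORT_MATCH_MAX_SPAN


def find_short_matches(log_text):
    """Return {rule_id: first_seen_timestamp} for every rule with a short match."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not match records
        if is_short_match(int(m["index"]), int(m["endex"])):
            hits.setdefault(int(m["rule"]), datetime.fromisoformat(m["ts"]))
    return hits


def update_panic_list(panic, new_hits, now):
    """Add newly flagged rules, then drop entries older than PANIC_TTL."""
    merged = dict(panic)
    for rule, first_seen in new_hits.items():
        merged.setdefault(rule, first_seen)
    return {r: ts for r, ts in merged.items() if now - ts <= PANIC_TTL}


if __name__ == "__main__":
    found = find_short_matches(SAMPLE_LOG)
    print("rule-panic candidates:", sorted(found))
```

Feeding the pruned dictionary's keys into the rule-panic section of the SNF configuration is left to the operator, since the post does not show that file's syntax.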
