[sniffer] Re: FPs on Sniffer-Schemes
On 3/13/2012 11:19 AM, Scott Fosseen [Prairie Lakes AEA] wrote:
> Can you check to see if all looks ok with my copy as well?

Sure. I'll respond off-list.

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

#
This message is sent to you because you are subscribed to the mailing list. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics. For More information see http://www.armresearch.com
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
To switch to the INDEX mode, E-mail to
Send administrative queries to
[sniffer] Re: FPs on Sniffer-Schemes
Pete,

It has been a while since I have done anything with Sniffer. Can you check to see if all looks ok with my copy as well? I think I am registered as aea8.k12.ia.us

Thanks.

----- Original Message -----
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, March 12, 2012 6:22 PM
Subject: [sniffer] Re: FPs on Sniffer-Schemes

> On 3/12/2012 5:41 PM, Darin Cox wrote:
> > Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST).
>
> I think I can see part of the problem (possibly).
>
> I do not have telemetry from your system (based on looking up your Id from your domain). I suspect this means that you are running an older version of SNF. By extension, that would mean a couple of things:
>
> * Your rulebase update would not come as quickly as for most systems.
> * Your SNF engine won't match on many of the newer rules.
> * Your SNF engine will not have GBUdb and also will not be able to auto-panic new rules that conflict with IP reputation data.
>
> Am I right about these assumptions? If not, then we should figure out why I don't see your telemetry.
>
> Thanks,
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
[sniffer] Re: FPs on Sniffer-Schemes
Hi Pete,

We are running the older version, and get our updates about every 50-60 minutes. We're using GBUdb as a test in Declude, separately from Message Sniffer.

I'll look up the info on upgrading gracefully. Hadn't had much time to do that previously.

Darin.

----- Original Message -----
From: Pete McNeil
To: Message Sniffer Community
Sent: Monday, March 12, 2012 6:22 PM
Subject: [sniffer] Re: FPs on Sniffer-Schemes

> On 3/12/2012 5:41 PM, Darin Cox wrote:
> > Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST).
>
> I think I can see part of the problem (possibly).
>
> I do not have telemetry from your system (based on looking up your Id from your domain). I suspect this means that you are running an older version of SNF. By extension, that would mean a couple of things:
>
> * Your rulebase update would not come as quickly as for most systems.
> * Your SNF engine won't match on many of the newer rules.
> * Your SNF engine will not have GBUdb and also will not be able to auto-panic new rules that conflict with IP reputation data.
>
> Am I right about these assumptions? If not, then we should figure out why I don't see your telemetry.
>
> Thanks,
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
[sniffer] Re: FPs on Sniffer-Schemes
On 3/12/2012 5:41 PM, Darin Cox wrote:
> Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST).

I think I can see part of the problem (possibly).

I do not have telemetry from your system (based on looking up your Id from your domain). I suspect this means that you are running an older version of SNF. By extension, that would mean a couple of things:

* Your rulebase update would not come as quickly as for most systems.
* Your SNF engine won't match on many of the newer rules.
* Your SNF engine will not have GBUdb and also will not be able to auto-panic new rules that conflict with IP reputation data.

Am I right about these assumptions? If not, then we should figure out why I don't see your telemetry.

Thanks,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
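The auto-panic behaviour Pete describes above, as an added example that is not part of this thread and not SNF's or GBUdb's own code: a newly published rule is kept on probation, every hit is checked against a per-IP good/bad reputation store, and if too many of its hits land on senders the store already considers clean, the rule is panicked (disabled locally) instead of being allowed to keep quarantining mail. The reputation model (good/bad counters per IP collapsed to a -1..+1 probability), the thresholds, the rule ID 9999999 and all IPs and hit counts are assumptions constructed for the demo; the thread gives no details of SNF's real scoring. The same monitor fed an empty store stands in for the older engine without GBUdb, which, as the message says, cannot panic anything.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Reputation:
    """Per-IP good/bad counters. A simplification assumed for this example;
    the real GBUdb scoring is not described in the thread."""
    good: int = 0
    bad: int = 0

    def probability(self) -> float:
        """-1.0 = consistently clean sender, +1.0 = consistently spam, 0.0 = no data."""
        total = self.good + self.bad
        return 0.0 if total == 0 else (self.bad - self.good) / total


class ReputationStore:
    def __init__(self) -> None:
        self._db: dict[str, Reputation] = defaultdict(Reputation)

    def record(self, ip: str, is_spam: bool) -> None:
        ip_address(ip)  # reject garbage before it pollutes the store
        rep = self._db[ip]
        if is_spam:
            rep.bad += 1
        else:
            rep.good += 1

    def probability(self, ip: str) -> float:
        # look up without inserting, so unknown IPs stay unknown
        return self._db[ip].probability() if ip in self._db else 0.0


@dataclass
class RuleMonitor:
    """Holds new rules on probation and panics any whose hits conflict with reputation."""
    store: ReputationStore
    min_hits: int = 20               # assumed: never judge a rule on a handful of hits
    good_threshold: float = -0.6     # assumed: sender counts as "known good" at or below this
    max_good_fraction: float = 0.25  # assumed: panic when more than this share of hits are known good
    hits: dict = field(default_factory=lambda: defaultdict(list))
    panicked: set = field(default_factory=set)

    def observe(self, rule_id: int, source_ip: str) -> bool:
        """Record one hit. Returns True if the hit still counts (rule not panicked)."""
        if rule_id in self.panicked:
            return False
        self.hits[rule_id].append(source_ip)
        if len(self.hits[rule_id]) >= self.min_hits and self.good_fraction(rule_id) > self.max_good_fraction:
            self.panicked.add(rule_id)
            return False
        return True

    def good_fraction(self, rule_id: int) -> float:
        """Share of this rule's hits that came from known-good senders."""
        ips = self.hits[rule_id]
        if not ips:
            return 0.0
        known_good = sum(1 for ip in ips if self.store.probability(ip) <= self.good_threshold)
        return known_good / len(ips)


CLEAN_RELAYS = ("192.0.2.10", "192.0.2.11", "198.51.100.5")  # constructed customer MTAs


def _source_for(i: int) -> str:
    """Constructed hit pattern: first 12 hits from clean relays, the rest from unknown IPs."""
    return CLEAN_RELAYS[i % 3] if i < 12 else f"203.0.113.{100 + i}"


def demo() -> dict:
    """Constructed scenario, not real hit data: the thread's rule 4764784 fires on
    purchase-order mail from clean relays as well as on unknown sources, while a
    hypothetical rule 9999999 fires only on a known spam source."""
    store = ReputationStore()
    for ip in CLEAN_RELAYS:
        for _ in range(50):
            store.record(ip, is_spam=False)
    for _ in range(40):
        store.record("203.0.113.7", is_spam=True)

    mon = RuleMonitor(store)
    for i in range(30):
        mon.observe(4764784, _source_for(i))
    for _ in range(30):
        mon.observe(9999999, "203.0.113.7")

    legacy = RuleMonitor(ReputationStore())  # no reputation data: nothing can ever be panicked
    for i in range(30):
        legacy.observe(4764784, _source_for(i))

    return {
        "panicked": sorted(mon.panicked),
        "good_fraction_4764784": round(mon.good_fraction(4764784), 2),
        "panicked_without_reputation": sorted(legacy.panicked),
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed run the bad rule is panicked at its 20th hit, because 12 of those 20 hits came from relays with a clean history, while the rule that only fires on the known spam source is left alone; the monitor without reputation data panics nothing, which is the situation an engine lacking GBUdb is in. Thresholds would need tuning against real traffic before any of this was trusted to disable rules.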
[sniffer] Re: FPs on Sniffer-Schemes
On 3/12/2012 5:41 PM, Darin Cox wrote:
> Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST). Not sure if the rule has been pulled or corrected yet.

It was corrected nearly as soon as it was created. It did escape into some rulebases - we saw that on our conflict instrument. Most systems auto-panicked the rule right away. It no longer appears on our conflict instruments - so there is no reason you should see any hits from it.

I'm chasing things down to see what I can see -- based on your message.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
[sniffer] Re: FPs on Sniffer-Schemes
My two cents: I saw zero hits for this rule. I count myself lucky, because we see a lot of purchase order emails and of course, the fake P.O. scams too.

Andrew.

From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On Behalf Of Pete McNeil
Sent: Monday, March 12, 2012 3:08 PM
To: Message Sniffer Community
Subject: [sniffer] Re: FPs on Sniffer-Schemes

> On 3/12/2012 5:17 PM, Darin Cox wrote:
> > Hi Pete,
> > We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.
>
> That rule was detected as an error and removed almost immediately after it was created. You should not be seeing any additional hits on that rule.
>
> Best,
>
> _M
>
> --
> Pete McNeil
> Chief Scientist
> ARM Research Labs, LLC
[sniffer] Re: FPs on Sniffer-Schemes
On 3/12/2012 5:17 PM, Darin Cox wrote:
> Hi Pete,
> We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.

That rule was detected as an error and removed almost immediately after it was created. You should not be seeing any additional hits on that rule.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
[sniffer] Re: FPs on Sniffer-Schemes
More info...

Started getting hits at 4:30pm EST up to 15 minutes ago (5:25pm EST). Not sure if the rule has been pulled or corrected yet.

Had 383 hits, and a very high percentage of those were FPs. Don't have an exact number, due to having to release the messages quickly for delivery, but I expect at least 30% were FPs for us. Most were referencing PO #s or orders for various customers.

Darin.

----- Original Message -----
From: Darin Cox
To: Message Sniffer Community
Sent: Monday, March 12, 2012 5:17 PM
Subject: [sniffer] FPs on Sniffer-Schemes

> Hi Pete,
>
> We're seeing a ton of FPs on a Sniffer-Schemes rule # 4764784.
>
> Darin.