files it will scan.
When SNF is running correctly it will create status logs in its working directory. The second status log file will change about once per second.
Hope this helps,
_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
#
This message is sent to you because you are subscribed to
the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGES
possible that some sessions will fail from time to time when congestion is high, but it should not be a problem overall. The system is designed to survive outages without causing trouble.
_M
to switch back if desired, and existing update mechanisms can remain unchanged until you are ready to make a permanent switch.
Hope this helps,
_M
lso appropriate adjustments for any existing beta users who have not otherwise resolved any GBUdb based false positives due to oversensitivity.
Thanks,
_M
ile out ?
Currently the GBX file is in the workspace directory.
There is no facility (yet) to store it in a different location.
I will add that option to the list of features to consider.
Thanks,
_M
ystem is remembering about 94K IPs.
Spam is about 95% of your traffic -- a little on the high side, but still nominal.
From what I can see everything is running normally.
_M
The result code 63 still carries roughly the same meaning -- the IP is black, so the message is spam. There is no need for special treatment with this result code.
Hope this helps,
_M
Hello Robert,
Thursday, November 15, 2007, 4:42:25 PM, you wrote:
> Timing on release to production?
We are continuously improving our back-end systems. There is no
specific timing for any of the many projects.
The current hardware upgrade process will be completed this week.
_M
back-end systems online to take advantage of our new
hardware.
Thanks for your patience and support!
_M
ng holding back the beta is documentation -- that takes
time, and we are working on it.
Hope this helps,
_M
ti-threaded and more efficient you are
likely to run a different number of concurrent messages than before.
This will affect how the resources on the machine are used.
You might try adjusting the number of threads you allow. See previous
discussions on this error for guidelines and fixes.
Hope
the next version of SNF is out of beta we hope to
discontinue FTP access for uploading rulebase files. The new version
of SNF provides real-time telemetry so that uploaded log files are
no longer necessary.
Sorry for any confusion about this.
Thanks for your patience and support!
_M
gz -then you upload the compressed version.
Hope this helps,
_M
y in a positive
direction.
Please help us keep this forum active, positive, and informative.
Thanks,
_M
* One of the biggest problems with technology is that as people come
up the learning curve they tend to forget what it was like when they
Hello Christopher,
Wednesday, December 12, 2007, 12:47:53 PM, you wrote:
> I'm seeing timeouts and very slow downloads from sniffer today.
> Is this just me?
We are having some router issues. They should be resolved today.
_M
instead you are using a scheduled task / cron then you will want to check for a new rulebase at least once per hour.
Hope this helps,
_M
een identified will be blocked even before new content rules can be generated (if needed).
_M
ease will wait for a few extra features we want to add
to make it easier to administer and extend. That release will happen
in Q1.
Thanks,
_M
tection against
dumb-bot attacks. (Note that the newer bot software out there easily
defies gray listing, so its effectiveness is dropping quickly.)
Hope this helps,
Best,
_M
e first few hundred
>> bytes), and then most-likely deleted (depending on how you tune your
>> system; also I'm not sure what options are available from mxGuard w/
>> regard to preempting additional tests and/or test ordering).
>>
>> Given yo
ed
on the available documentation the theory is sound.
> I will try to write a CDM to solve my queue problems
Please keep us posted.
Thanks,
_M
am to do it for you.
Hope this helps,
_M
Hello Shawn,
Following up a bit...
Most likely you're using a Process object to call the SNFClient.
If I've read the MS docs correctly you will want to get the "exit code" once SNFClient finishes.
http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.exitcode(VS.71).aspx
Hope
ly include
elements for scanner performance, GBUdb information, pattern matches...
The configuration file contains comments that describe how the log
files can be interpreted along with the configuration switches that
select the logging configuration.
Hope thi
> Body: Treadmill Shop Hammer Mouth
y Vanderzand
> Intown Internet
> 11 Belmont Ave. W.
> Kitchener, ON, N2M 1L2
> 519-741-1222
> -Original Message-
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of Pete McNeil
> Sent: Saturday, January 12, 2008 12:09 PM
> To: Message Sn
or a high degree
of flexibility in message processing pathways - provided you can
identify the IPs involved (which is usually the case).
Hope this helps,
_M
l says:
>> > error='ERROR_MSG_FILE'/>
>>
>> This I believe is because the msg file that is sent to sniffer has a
>> wrong format.
>> - If true - how do we setup the right format for sniffer?
1:58 PM, you wrote:
>>>
>>>> No, it's not the message format. A message that gets ERROR_MSG_FILE works
>>>> fine on our Windows SNF
>>>> installation.
>>>
>>>
>>>>> Hi
>>>>>
>>>>> We trying to setup
can run a SNF2check.exe on the rule database to check the file before I copy it, but it would be great to know if SNFServer.exe has loaded the latest copy that I have copied to the c:\snf directory.
SNFServer will indicate that the new rulebase was loaded in its log file.
Hope this helps,
_M
configuration files and rulebase files when they are altered or replaced.
SNFServer can rotate log files on a per-day basis by including a date stamp in their name. If you move a log file manually or by a script then a new one will be created as needed.
_M
hat ;-)
If this message appears only occasionally then there is no cause for concern.
_M
ove) corresponding to any alerts that your system sends us. This allows your system to learn from the cloud.
_M
The settings shown above are likely to become the default settings for
the production release, however we will continue to refine these
settings through our research prior to (and following) the production
release (planned in Q1).
Best,
_M
als that are useful to individual
nodes - especially when a new IP source is detected. The first time a
node sees a new IP it is more likely to be influenced by the opinion
of other nodes that have already seen the IP. Once a node has a
sufficient number of its own experiences it tends to tru
instantaneously - without bothering to look at most of the message.
Hope this helps,
_M
ail gateways or an email address where you
legitimately receive spam (such as an abuse reporting address) then
you will want to tell GBUdb about those so that it doesn't get the
wrong idea about them.
If you have more questions then please let us know.
Hope this helps,
_M
a
truncation event.
Sad but true - many major ISPs generate just shy of that amount of
spam through various vectors (forwarded mailboxes, being one of them).
You may find that the new reference settings produce something very
close to your desired result -- especially if you also provide the
ad
Hello Mike,
Tuesday, January 22, 2008, 8:35:45 PM, you wrote:
>
Is there a list archive available similar to the one Declude and others have?
http://kb.armresearch.com/index.php?title=Help:Contents
http://www.mail-archive.com/sniffer@sortmonster.com/
_M
indow -- start up a new dos window with it.
Please look for any errors in your logs that might indicate why the
SNFServer stopped.
_M
on various platforms -- almost without exception it only stops
when I tell it to stop (including earlier test versions).
If you come across any new info please let me know.
If there is a bug I want it gone ;-)
Thanks!
_M
the scan will be processed normally. If it is not successful then it will return a 0 result so that the message can go through (this is a fail-safe result).
Hope this helps,
_M
s an efficient
process on ext3 and most other modern *nix file systems since it only
requires the adjustment of a node and that operation will itself be
journalized first.
Thanks for keeping us posted.
Hope this helps,
_M
a reasonably accurate RBL score.
I have updated the wiki:
http://kb.armresearch.com/index.php?title=Message_Sniffer.TechnicalDetails.ResultCodes#Core_Rule_Group_.26_GBUdb_Result_Codes
_M
ing for you in case there are any questions or any confusion.
Hope this helps,
_M
o common for
each layer to use its own hardware and software platforms - each best
suited to the specific task.
Hope this helps,
_M
nation of SA & SNF is superior to either on its
own if you have the technical resources.
_M
destroyed
moments ago (2008-02-06 16:10:00).
Our sincere apologies,
_M
upon your needs.
Hope this helps,
_M
7;s source.
>
S:
Samples / min - Virtual spamtrap activity. Messages that came from known spam sources but did not match pattern rules are sampled at random and sent to our virtual spam trap facility. (This feature can be turned off if desired).
_M
ume, and cost is a consideration.
Thanks,
David
we can post XWall as an additional integration option.
Thanks for the tip!
_M
link: http://www.mxuptime.com/screenshots/3b.jpg
If you try this out please post a note to let us all know how it works
for you.
Thanks!
_M
ALS from 1024 to 2048.
Adjusted default range envelopes in snf_engine.xml to be more conservative.
uld clarify any questions you have along the way. Please
let us know how this goes for you -- we are working on documentation
and our new web site right now and your input will make it into our
work.
Thanks!
_M
in the
SNF2Check directory.
NO OTHER MODIFICATIONS WERE MADE ;-)
Best,
_M
and include
your configuration log and config files.
Thanks,
_M
after 3 attempts the injector throws.
Added 2 retries w/ 300ms delay to rename temp file to msg in XHDR inject code.
If rename fails after 3 attempts the injector throws.
Added IPTest logging.
--
Best,
_M
particular wheel right now -- not that it's hard, just that it's
not necessary and we'd rather do other important stuff.
Thanks!
_M
stall for somebody... but we want something that we can
deliver with the installer so it can be a (more or less) one click
process.
_M
lem reports I can find.
BTW: If we were to develop one in-house it would require at least the same level of testing.
>
All IMO of course.
And well appreciated! :-)
_M
ok moving forward we will probably keep
the SNFServer executable as it is and then keep any service stub
separate. There are a lot of advantages to this approach.
I understand your point though.
_M
ugin and Command
Line versions of the new SNF. Stay tuned!
Best,
_M
am
filtering.
_M
r than invent a new way a quick easy choice is to co-opt
CAPTCHA and let somebody else do the work.
_M
character.
We sincerely apologize for the inconvenience.
Best,
_M
e inconvenience.
> Best,
> _M
That procedure will cause SNF to build a new GBUdb file from scratch
based on what it is learning from that point on.
Best,
_M
e hit a message with an IP source in the
white range it would have been automatically added to your node's
internal panic list rendering it inert.
That probably explains why you have very few hits.
Best,
_M
600 seconds.
...
_M
the circumstances, but
congratulations on the success of the first live test of auto-panic.
(all previous tests were in the lab)
:-)
_M
r to help. Now, onward to the next upgrade...
always work to do ;-)
Cheers!
_M
we'll be plenty busy
and we'll keep you posted.
_M
th snf2check. You would first have
to unzip the file and then check the unzipped file with snf2check.
Hope that makes sense.
Please straighten me out if it doesn't.
Thanks,
_M
try to fix it?
I responded to this last night on list.
I'm guessing you didn't get that response so I'm responding to this
new one directly (off list).
_M
rver -- If this turns out to be the case please
do a tracert and let me know what you see.
Hope this helps,
_M
og files.
Check your configuration file -- they may be turned off by default in that configuration.
Here's some documentation on configuring SNF log files:
http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/index.jsp
Hope this helps,
_M
Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
ou can also use your own script if you wish.
_M
Hello Sniffer Folks,
We have published an update to the SNF Client/Server *nix distribution
with the following features:
* New V3-Fresh-Install-Readme.txt
* Fixed minor error in SNFServer main.cpp when compiling on 64 bit.
* Updates & Tweaks to sample scripts.
Best,
_M
and theory rulebases should be delivered more
quickly and more frequently.
I will continue to monitor the system closely for any aberrations.
Thanks,
_M
ther gzip is accepted.
_M
complain that the file did not exist.
I have tested non-compressed downloads and they appear to be working
correctly again.
Sorry for the trouble.
I will keep you posted on our progress.
_M
problems.
Please let us know if you have any trouble.
Thanks,
_M
PS: If you are still using the old version of SNF, or the old way of
downloading rulebase files please upgrade as soon as you can. Thanks
he raw message file through a
hex editor and see how it is encoded. Each line should end with
and the first blank line should be . If you
find something else in there then that's likely where the trouble is.
Hope this helps,
Best,
Hello Darin,
Friday, July 18, 2008, 9:37:18 AM, you wrote:
>
Pete,
There appears to be a problem with rule 1984485 this morning. I'm getting a number of FP hits on it from AOL users.
The rule has been pulled already.
_M
be inert.
Please check your snf_engine_cfg.log to see if the rule panic was picked up in your configuration.
Best,
_M
ght away ;-)
_M
The rule bots would have queried the database for rules 20-40 minutes before you received it. The rule may have still been in place at that time.
_M
e a new release for the other (non source) distributions. When the next general revision is produced this change will be rolled in.
Best,
_M
our solution please let us know. SDKs are in the works - pre-release
versions and support are available. Plus the new XCI protocol makes
access to SNF services as easy as a local TCP connection!
Thanks!
_M
ng similar clients on the same node(s) based on where they get
their messages. Even if you don't adjust your envelopes this
clustering will have the effect of "increasing the signal to noise
ratio" for GBUdb as it learns which IPs to trust and which ones to
suspect.
tion of GBUdb nodes and the cloud... When records are condensed
they are more likely to be bounced off the cloud and get new data so
what you might lose in fewer records you will gain in more frequent
reflections.
Hope this helps,
_M