[sniffer] Re: rule panic not working
On 12/29/2016 08:55 AM, Daniel Ivey wrote:

> Thanks, but it appears that my server is failing multiple 54- rules. For example from Google, it is failing 54-8064853-304-318-m and 54-8064853-0-2423-f while from Yahoo it is failing 54-8064853-2063-2077-m and 54-8064853-0-3703-f.

That is in fact a single rule hitting in multiple places.

http://www.armresearch.com/Documentation/QA/ltmatchesgt-1193870513.jsp

The rule ID is 8064853. The rule has been removed.

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

#
This message is sent to you because you are subscribed to the mailing list .
This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
To switch to the INDEX mode, E-mail to
Send administrative queries to
[sniffer] Re: rule panic not working
Daniel, the "54" rules are probably related in some form or fashion. The only thing you can really do is follow the procedure of adding the panics for each rule and then reporting the urgent FPs to Arm so they can diagnose and resolve. You may want to use Baregrep on your SNF logs to find the list of the rules that are triggering incorrectly.

On Thu, Dec 29, 2016 at 8:22 AM, Daniel Ivey wrote:

> Yes, I am positive. If I turn off my SNIFFER test then everything works properly.
>
> -----Original Message-----
> *From:* Linda Pagillo [mailto:lpad...@gmail.com]
> *Sent:* Thursday, December 29, 2016 9:16 AM
> *To:* Message Sniffer Community
> *Subject:* [sniffer] Re: rule panic not working
>
> I don't think there is a way to block an entire set of rules with one entry. Someone from Arm may need to chime in here and answer that question. Are you positive that every single message coming in and leaving your server is triggering Sniffer?
>
> On Thu, Dec 29, 2016 at 7:55 AM, Daniel Ivey wrote:
>
> Thanks, but it appears that my server is failing multiple 54- rules. For example from Google, it is failing 54-8064853-304-318-m and 54-8064853-0-2423-f while from Yahoo it is failing 54-8064853-2063-2077-m and 54-8064853-0-3703-f.
>
> Is there a way to block all 54- rules temporarily?
>
> Also, do you have any suggestions on what would cause this all of a sudden?
>
> Daniel
>
> -----Original Message-----
> *From:* Linda Pagillo [mailto:lpad...@gmail.com]
> *Sent:* Thursday, December 29, 2016 8:51 AM
> *To:* Message Sniffer Community
> *Subject:* [sniffer] Re: rule panic not working
>
> Hi Daniel. The rule number is not 54. Sniffer rule numbers look like this for example... 54-8064853-304-318-m
>
> On Thu, Dec 29, 2016 at 7:48 AM, Daniel Ivey wrote:
>
> It appears that the server is failing SNIFFER Rule 54 for some reason, causing issues. I have added the following line in my snf_engine.xml file for a rule panic but it doesn't appear to be working.
>
> Can someone help me with what I have wrong?
>
> Daniel
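The point made in the two replies above (several 54- results can come from one rule, and the logs can be searched for the rules involved) can be worked through as an added example that is not part of the original thread. It assumes only what the thread states, that the second field of an identifier such as 54-8064853-304-318-m is the rule ID; the sample lines are constructed and are not real SNF log output.

```python
import re
from collections import defaultdict

# Match identifiers in the form quoted in the thread, e.g. 54-8064853-304-318-m.
# Only the second field (the rule ID) is explained on the page; the remaining
# fields are captured as opaque values.
MATCH_ID = re.compile(r"\b(\d+)-(\d+)-(\d+)-(\d+)-([a-z])\b")


def group_by_rule(lines):
    """Return {rule_id: sorted list of distinct match identifiers}."""
    hits = defaultdict(set)
    for line in lines:
        for m in MATCH_ID.finditer(line):
            hits[m.group(2)].add(m.group(0))
    return {rule: sorted(ids) for rule, ids in hits.items()}


def rules_to_panic(lines, prefix="54"):
    """Distinct rule IDs among identifiers whose first field equals prefix."""
    rules = set()
    for line in lines:
        for m in MATCH_ID.finditer(line):
            if m.group(1) == prefix:
                rules.add(m.group(2))
    return sorted(rules, key=int)


# Constructed sample lines: the four identifiers quoted in the thread plus one
# made-up identifier (63-1111111-10-20-m) for contrast.
SAMPLE = [
    "msg from google: 54-8064853-304-318-m 54-8064853-0-2423-f",
    "msg from yahoo: 54-8064853-2063-2077-m 54-8064853-0-3703-f",
    "msg from example.test: 63-1111111-10-20-m",
]

if __name__ == "__main__":
    for rule, ids in group_by_rule(SAMPLE).items():
        print(rule, len(ids), "distinct match identifiers:", ", ".join(ids))
    print("rule IDs behind 54- results:", rules_to_panic(SAMPLE))
```

Run over the identifiers from the thread, the four 54- results collapse to the single rule ID 8064853, so one rule panic entry covers all of them.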
[sniffer] Re: rule panic not working
Yes, I am positive. If I turn off my SNIFFER test then everything works properly.

-----Original Message-----
From: Linda Pagillo [mailto:lpad...@gmail.com]
Sent: Thursday, December 29, 2016 9:16 AM
To: Message Sniffer Community
Subject: [sniffer] Re: rule panic not working

I don't think there is a way to block an entire set of rules with one entry. Someone from Arm may need to chime in here and answer that question. Are you positive that every single message coming in and leaving your server is triggering Sniffer?

On Thu, Dec 29, 2016 at 7:55 AM, Daniel Ivey <d...@gcrcompany.com> wrote:

Thanks, but it appears that my server is failing multiple 54- rules. For example from Google, it is failing 54-8064853-304-318-m and 54-8064853-0-2423-f while from Yahoo it is failing 54-8064853-2063-2077-m and 54-8064853-0-3703-f.

Is there a way to block all 54- rules temporarily?

Also, do you have any suggestions on what would cause this all of a sudden?

Daniel

-----Original Message-----
From: Linda Pagillo [mailto:lpad...@gmail.com]
Sent: Thursday, December 29, 2016 8:51 AM
To: Message Sniffer Community
Subject: [sniffer] Re: rule panic not working

Hi Daniel. The rule number is not 54. Sniffer rule numbers look like this for example... 54-8064853-304-318-m

On Thu, Dec 29, 2016 at 7:48 AM, Daniel Ivey <d...@gcrcompany.com> wrote:

It appears that the server is failing SNIFFER Rule 54 for some reason, causing issues. I have added the following line in my snf_engine.xml file for a rule panic but it doesn't appear to be working.

Can someone help me with what I have wrong?

Daniel
[sniffer] Re: rule panic not working
I don't think there is a way to block an entire set of rules with one entry. Someone from Arm may need to chime in here and answer that question. Are you positive that every single message coming in and leaving your server is triggering Sniffer?

On Thu, Dec 29, 2016 at 7:55 AM, Daniel Ivey wrote:

> Thanks, but it appears that my server is failing multiple 54- rules. For example from Google, it is failing 54-8064853-304-318-m and 54-8064853-0-2423-f while from Yahoo it is failing 54-8064853-2063-2077-m and 54-8064853-0-3703-f.
>
> Is there a way to block all 54- rules temporarily?
>
> Also, do you have any suggestions on what would cause this all of a sudden?
>
> Daniel
>
> -----Original Message-----
> *From:* Linda Pagillo [mailto:lpad...@gmail.com]
> *Sent:* Thursday, December 29, 2016 8:51 AM
> *To:* Message Sniffer Community
> *Subject:* [sniffer] Re: rule panic not working
>
> Hi Daniel. The rule number is not 54. Sniffer rule numbers look like this for example... 54-8064853-304-318-m
>
> On Thu, Dec 29, 2016 at 7:48 AM, Daniel Ivey wrote:
>
> It appears that the server is failing SNIFFER Rule 54 for some reason, causing issues. I have added the following line in my snf_engine.xml file for a rule panic but it doesn't appear to be working.
>
> Can someone help me with what I have wrong?
>
> Daniel
[sniffer] Re: rule panic not working
Thanks, but it appears that my server is failing multiple 54- rules. For example from Google, it is failing 54-8064853-304-318-m and 54-8064853-0-2423-f while from Yahoo it is failing 54-8064853-2063-2077-m and 54-8064853-0-3703-f.

Is there a way to block all 54- rules temporarily?

Also, do you have any suggestions on what would cause this all of a sudden?

Daniel

-----Original Message-----
From: Linda Pagillo [mailto:lpad...@gmail.com]
Sent: Thursday, December 29, 2016 8:51 AM
To: Message Sniffer Community
Subject: [sniffer] Re: rule panic not working

Hi Daniel. The rule number is not 54. Sniffer rule numbers look like this for example... 54-8064853-304-318-m

On Thu, Dec 29, 2016 at 7:48 AM, Daniel Ivey <d...@gcrcompany.com> wrote:

It appears that the server is failing SNIFFER Rule 54 for some reason, causing issues. I have added the following line in my snf_engine.xml file for a rule panic but it doesn't appear to be working.

Can someone help me with what I have wrong?

Daniel
[sniffer] Re: rule panic not working
Hi Daniel. The rule number is not 54. Sniffer rule numbers look like this for example... 54-8064853-304-318-m

On Thu, Dec 29, 2016 at 7:48 AM, Daniel Ivey wrote:

> It appears that the server is failing SNIFFER Rule 54 for some reason, causing issues. I have added the following line in my snf_engine.xml file for a rule panic but it doesn't appear to be working.
>
> Can someone help me with what I have wrong?
>
> Daniel