Thanks for the info, Pete. Appreciate your proactiveness on this. Hope you had a good Thanksgiving!

Darin.

From: Pete McNeil
Sent: Tuesday, December 01, 2015 5:57 PM
To: Message Sniffer Community
Subject: [sniffer] Short Match FPs

Hi Folks,

I'm sorry to report there is a problem. For the past few days we have been seeing some intermittent corruption in some rulebase updates. Since we made no changes to precipitate this and since it's only been reported by a few systems intermittently it's a bit of a challenge to nail down. However, it is our top priority at the moment.

Here is what we do know about it:

a. The problem appears to have started around Nov 29.
b. It is highly intermittent and random.
c. It causes some false positives.
d. You can identify a short-match event by looking at the index and endex of a rule match. If the difference is less than 5 then you have a short rule match.
e. You can mitigate the problem by temporarily putting the associated rule ID in your rule-panic list in your SNF configuration.
f. Normally the problem goes away on the next rulebase update.
g. Sometimes it doesn't go away but changes the associated rule ID.

For now the best thing to do is add a rule-panic entry when you spot one of these. That will solve the problem for that update. Be sure to remove your rule panic entries occasionally since they won't help you after a day.

We will continue to work on this until we understand it and it is resolved.

Best,

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044 x7010
twitter/codedweller

#############################################################
This message is sent to you because you are subscribed to the mailing list <[email protected]>. This list is for discussing Message Sniffer, Anti-spam, Anti-Malware, and related email topics.
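The short-match check Pete describes (endex minus index smaller than 5, then add the rule ID to the rule-panic list and drop the entry again after a day) can be scripted against match logs. The following is an added example written for this post, not code from ARM Research Labs or from SNF itself. The one-line-per-match log layout (`rule=... index=... endex=...`) is a constructed, hypothetical format chosen for the example; SNF's real log format differs, so the regular expression would have to be adapted to it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines. This is NOT the real SNF log format; it is a
# hypothetical one-match-per-line layout used only to exercise the check.
SAMPLE_LOG = """\
2015-12-01T17:40:02 msg=0001 rule=1234567 index=120 endex=160
2015-12-01T17:40:05 msg=0002 rule=7654321 index=88 endex=91
2015-12-01T17:40:09 msg=0003 rule=2222222 index=10 endex=14
2015-12-01T17:40:11 msg=0004 rule=7654321 index=300 endex=303
"""

# Field extractor for the constructed format above (hypothetical).
LINE_RE = re.compile(r"rule=(\d+)\s+index=(\d+)\s+endex=(\d+)")

# Per the post: a difference of less than 5 between index and endex is a short match.
SHORT_MATCH_THRESHOLD = 5

# Per the post: rule-panic entries stop helping after about a day.
PANIC_ENTRY_MAX_AGE = timedelta(days=1)


def is_short_match(index, endex, threshold=SHORT_MATCH_THRESHOLD):
    """True when the matched span is shorter than the threshold."""
    return (endex - index) < threshold


def find_short_matches(log_text):
    """Return {rule_id: count} for every logged match that is a short match.

    Lines that do not carry rule/index/endex fields are ignored, so the
    function can be fed a whole log file rather than pre-filtered lines.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rule_id, index, endex = m.group(1), int(m.group(2)), int(m.group(3))
        if is_short_match(index, endex):
            hits[rule_id] = hits.get(rule_id, 0) + 1
    return hits


def rule_panic_entries(hits, seen_at):
    """Pair each offending rule ID with the time it was spotted.

    The timestamp is what lets you honour the advice to remove entries later;
    the real SNF configuration syntax for the rule-panic list is not modelled here.
    """
    return [(rule_id, seen_at) for rule_id in sorted(hits)]


def stale_entries(entries, now, max_age=PANIC_ENTRY_MAX_AGE):
    """Rule IDs whose panic entry is at least max_age old and should be removed."""
    return [rule_id for rule_id, added_at in entries if now - added_at >= max_age]


def report(log_text, seen_at_iso, now_iso):
    """Run the whole procedure on a log: find short matches, build panic
    entries stamped at seen_at_iso, and list which are stale as of now_iso."""
    seen_at = datetime.fromisoformat(seen_at_iso)
    now = datetime.fromisoformat(now_iso)
    hits = find_short_matches(log_text)
    entries = rule_panic_entries(hits, seen_at)
    return {
        "short_matches": hits,
        "panic_rule_ids": [rule_id for rule_id, _ in entries],
        "stale_rule_ids": stale_entries(entries, now),
    }


if __name__ == "__main__":
    # Spotted right after the log was taken, reviewed again two days later.
    print(report(SAMPLE_LOG, "2015-12-01T17:45:00", "2015-12-03T09:00:00"))
```

Only the difference between index and endex is inspected, so the same check works whatever the surrounding log format once the three fields are extracted; running it once per rulebase update and diffing the resulting rule IDs against the current rule-panic list gives both the entries to add and, via the timestamps, the ones that are old enough to drop.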
