[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

2007-11-06 Thread Serge
Hello
what files need to go in the workplace directory ?
TIA
  - Original Message - 
  From: Pete McNeil 
  To: Message Sniffer Community 
  Sent: Saturday, November 03, 2007 9:07 PM
  Subject: [sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

  Hello Serge,

  Saturday, November 3, 2007, 4:04:32 PM, you wrote:

  > pete
  >
  > Now that I'm sure it is running, I will configure Declude in the next
  > few minutes
  >
  > Long session times are normal in our case as we have to go thru 2
  > satellite connections
  >
  > would that be a problem ?

  It is possible that some sessions will fail from time to time when congestion
  is high, but it should not be a problem overall. The system is designed to
  survive outages without causing trouble.

  _M

  -- 
  Pete McNeil
  Chief Scientist,
  Arm Research Labs, LLC.


#
This message is sent to you because you are subscribed to
  the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>




[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

2007-11-06 Thread Pete McNeil

Hello Serge,

Tuesday, November 6, 2007, 9:56:26 PM, you wrote:

> Hello
> what files need to go in the workplace directory ?
> TIA

Normally, all of the distribution files plus your rulebase (.snf) file.

Also, it is common to have your update script and utilities in the workspace or a sub directory from there.

It is possible with the new version to put some of these files in different locations - but that is more complex. You can see the directory options in the top few lines of the snf_engine.xml file where you can set paths for logs, rulebase files, workspace, and identity. Be sure to include the full path (on winx boxes this includes the drive letter).

One common option when setting up the new beta on a system that already has the old version running is to configure the snf_engine.xml so that the rulebase file is located in the old SNF workspace. This way it is easy to switch back if desired, and existing update mechanisms can remain unchanged until you are ready to make a permanent switch.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.





[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

2007-11-06 Thread David Moore
When do you think the beta version will go to non beta i.e. live.

Regards David Moore
[EMAIL PROTECTED]

J.P. MCP, MCSE, MCSE + INTERNET, CNE.
www.adsldirect.com.au   for ADSL and Internet
www.romtech.com.au   for PC sales

Office Phone: (+612) 9453 1990
Fax Phone: (+612) 9453 1880
Mobile Phone: +614 18 282 648

POSTAL ADDRESS:
PO BOX 190
BELROSE NSW 2085
AUSTRALIA.


[sniffer] Re: SNF V2-9b1.5 Released - Please Upgrade

2007-11-06 Thread Pete McNeil

Hello David,

Tuesday, November 6, 2007, 10:39:46 PM, you wrote:

> When do you think the beta version will go to non beta i.e. live.

The short answer is 6-8 weeks. The more comprehensive answer -- read on...

We are slowly building a set of features that we think should be in the production version. All but two of these are minor adjustments.

One that isn't minor is a  training directive that will enable you to automatically add IPs to your ignore list for mixed sources based on matching text patterns in headers.

So, for example, if you'd like to drill down to sources coming through yahoo or aol servers without having to identify the IPs for their outbound servers, then  will (in theory) do it for you by matching the reverse DNS portion of your trusted (top) received headers and adding the IP to your ignore list. The effect is to allow a system to see down to the actual source of the message before training GBUdb while using only a few entries to train the engine. Theoretically this will provide a more fine grained approach to dealing with forwarded mailboxes ("the other kind of open relay") and large ISPs that don't control the outbound flow from 0wn3d machines very well. There is much study, trial, and error to be done with this feature but it does look promising so we're going to put it in.

Another nontrivial feature will allow the SNF engine to run properly on big-endian systems (such as G5's) by detecting the big-endian processor at compile time and converting the format of the SNF rulebase each time it is loaded. There is some work to do to verify that the GBUdb code will work in a big-endian environment, but code review so far has not spotted any trouble in that part of the code. Snapshots of the GBUdb data will not be portable to other systems, but they are not intended to be portable anyway - so that is not considered an issue.

The less invasive features include things like:

* Extending the MAX_EVALs limit.
* Log rotation file names may use local (not UTC) time.
* Adjusted default settings for GBUdb (see below).
* Additional telemetry for error and special event tracking.
* Improved persistence for life-time statistics (run time, last save, last condense, etc).
* Others TBD.

I expect the list of "must have features" to grow a tiny bit over the next couple of weeks.

We are not seeing any fault reports on the current beta so I doubt there will be bug fixes at this point.

After we implement the new "must have" features list we will continue in beta for another week or two to ensure that we have not introduced any bugs.

During that time we will build additional documentation.

I think based on this back-of-the-envelope analysis that we are 6-8 weeks from a "production" release.

That said, the current version does appear to be stable in all supported production environments.

We are working on refining the default tuning for the GBUdb section. The current thinking uses the following, extremely conservative tuning that will be included in the next minor release (probably this weekend).

We recommend that all new Beta installations adjust their configuration files to use the following settings for GBUdb Caution and Black ranges. These are also appropriate adjustments for any existing beta users who have not otherwise resolved any GBUdb based false positives due to oversensitivity.


    
    
    
    



    
    


Thanks,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
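The message above describes a planned training directive that matches text patterns against the reverse-DNS name in the trusted (top) Received header and adds the matching IP to an ignore list, so that training looks past a mixed source (a large ISP's outbound server, a forwarding mailbox) to the hop behind it. The following is an added illustration of that idea in Python, not SNF's code and not the directive's actual syntax: the header samples, the `IGNORE_PATTERNS` regexes and the host names are constructed, and the IP addresses are RFC 5737 documentation addresses. Only the top Received header, written by your own border MTA, is safe to feed into this; lower headers are supplied by the sender and can be forged.

```python
import re
from ipaddress import ip_address

# Constructed samples of a border MTA's own (top) Received header.
# Host names are hypothetical; IPs are RFC 5737 documentation ranges.
SAMPLE_RECEIVED = [
    "from n12.bullet.mail.example-yahoo.com (n12.bullet.mail.example-yahoo.com [192.0.2.10]) by mx.example.net with SMTP",
    "from imo-m21.mx.example-aol.com (imo-m21.mx.example-aol.com [198.51.100.7]) by mx.example.net with ESMTP",
    "from unknown (HELO spamhost) [203.0.113.99] by mx.example.net with SMTP",
]

# Hypothetical training patterns, applied to the reverse-DNS name the border MTA
# recorded. A match marks the connecting host as a mixed source whose IP should
# be ignored for reputation training rather than blamed for the message.
IGNORE_PATTERNS = [
    re.compile(r"\.mail\.example-yahoo\.com$", re.IGNORECASE),
    re.compile(r"\.mx\.example-aol\.com$", re.IGNORECASE),
]

# The connecting address is the bracketed literal; the reverse-DNS name is the
# token the MTA placed directly before it inside the parentheses.
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")


def parse_received(header):
    """Return (reverse_dns, ip) from one Received header.

    reverse_dns is None when the MTA recorded no verified name (e.g. "unknown"),
    ip is None when no address literal is present or it does not parse.
    """
    ip_match = IP_RE.search(header)
    if not ip_match:
        return None, None
    try:
        ip = str(ip_address(ip_match.group(1)))
    except ValueError:
        return None, None
    rdns_match = RDNS_RE.search(header)
    rdns = rdns_match.group(1).lower() if rdns_match else None
    return rdns, ip


def ignore_list_entries(headers, patterns=IGNORE_PATTERNS):
    """Return the sorted, de-duplicated IPs whose reverse DNS matched a pattern.

    Hosts without a reverse-DNS name are never ignored: there is nothing to
    match, and a nameless host is exactly the kind of source training should see.
    """
    ignored = set()
    for header in headers:
        rdns, ip = parse_received(header)
        if rdns is None or ip is None:
            continue
        if any(pattern.search(rdns) for pattern in patterns):
            ignored.add(ip)
    return sorted(ignored)


if __name__ == "__main__":
    for header in SAMPLE_RECEIVED:
        print(parse_received(header))
    print("ignore list:", ignore_list_entries(SAMPLE_RECEIVED))
```

In a real deployment the resulting addresses would be written into the engine's ignore list and the headers would come from the mail stream, one top Received header per message; the function here works on a list only to show several cases at once.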


