[sniffer] Postfix

2008-01-16 Thread Pi-Web - Frank Jensen


Hi

We are trying to set up SNF with Postfix.
It seems to work, except that it does not reject any messages.

The x.20080116.log.xml says:


I believe this is because the msg file that is sent to Sniffer has the wrong
format.
- If true, how do we set up the right format for Sniffer?







#
This message is sent to you because you are subscribed to
 the mailing list .
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to  <[EMAIL PROTECTED]>



[sniffer] Re: Postfix

2008-01-16 Thread Pi-Web - Frank Jensen

No, it's not the message format. A message that gets ERROR_MSG_FILE works fine on
our Windows SNF installation.



--
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk



Impressive, fascinating and huge
Posters, e.g. 149 x 149 = 629 kr
We can also make a poster from your digital photo

www.plakatkunst.dk


[sniffer] Re: Postfix

2008-01-16 Thread Pete McNeil
Hello Pi-Web,

ERROR_MSG_FILE means that SNF could not open the file to be scanned.

Be sure that you pass the full path of the message file and that
permissions are correct so that SNF can open the file.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

[sniffer] Re: Postfix

2008-01-16 Thread Pi-Web - Frank Jensen


It seems right - but no go:

In /var/spool/snfilter/msg/
-rw---  1 snfilter snfilter 2965 Jan 16 18:35 20080116183528_10882.msg
(deleted after process finished)

Result:


sniffer setup:

SNIFFER_EXE=/var/spool/snfilter/SNFClient.exe
AUTHENTICATION=
INSPECT_DIR=/var/spool/snfilter/msg/
SENDMAIL="/usr/sbin/sendmail -i"
MSGFILE=`date +%Y%m%d%H%M%S`_$_$RANDOM.msg

--
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk

[sniffer] Re: Postfix

2008-01-16 Thread Pi-Web - Frank Jensen


Adding $INSPECT_DIR to the "$SNIFFER_EXE $AUTHENTICATION $INSPECT_DIR$MSGFILE || {"
command.
Now it seems to work.

--
Kind regards, Frank Jensen
[EMAIL PROTECTED]
www.pi.dk

[sniffer] Re: Postfix

2008-01-16 Thread Pete McNeil
Hello Pi-Web,

Yep.

The clue was in the log:

m='20080116183528_10882.msg'

Note that the path was missing - only the file name was present.

Now your logs should look more like:

m='/var/spool/snfilter/msg/20080116183528_10882.msg'

Best,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
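
The whole thread comes down to one log field: the scanner was handed `20080116183528_10882.msg` instead of `/var/spool/snfilter/msg/20080116183528_10882.msg`, its working directory is not the spool directory, the open failed with ERROR_MSG_FILE, and every message sailed through. The script below is an added example of a Postfix pipe-style content filter that makes that failure hard to repeat; it is not the poster's snfilter script and not anything shipped with SNF. It assumes the INSPECT_DIR, SNIFFER_EXE and SENDMAIL values quoted in the thread, a master.cf entry of the shape shown in the comment, and it treats any non-zero scanner exit as "reject", which is what the poster's `|| {` block does. mktemp replaces the `date`_$RANDOM file name, since $RANDOM is not POSIX sh. The two guards in scan_message are the point: a relative name or an unreadable file is refused before the scanner is ever called, and that case is deferred rather than treated as a clean scan.

```shell
#!/bin/sh
# Added example (not the list poster's script): Postfix pipe(8) content filter
# that spools the message, scans it with SNFClient by ABSOLUTE path, and either
# re-injects it or rejects it. master.cf entry assumed to be something like:
#   snfilter  unix  -  n  n  -  -  pipe
#     flags=Rq user=snfilter argv=/usr/local/bin/snf-filter.sh -f ${sender} -- ${recipient}
# Values below are the ones quoted in the thread; AUTHENTICATION is expanded
# unquoted on purpose so an empty value contributes no argument.
INSPECT_DIR=${INSPECT_DIR:-/var/spool/snfilter/msg/}
SNIFFER_EXE=${SNIFFER_EXE:-/var/spool/snfilter/SNFClient.exe}
AUTHENTICATION=${AUTHENTICATION:-}
SENDMAIL=${SENDMAIL:-"/usr/sbin/sendmail -i"}

EX_TEMPFAIL=75     # Postfix defers and retries
EX_UNAVAILABLE=69  # Postfix bounces

# Read the message from stdin into a fresh 0600 file under INSPECT_DIR and print
# its absolute path. mktemp stands in for the thread's `date`_$RANDOM name
# (not POSIX sh); a trailing slash in INSPECT_DIR is tolerated.
spool_message() {
    dir=${INSPECT_DIR%/}
    f=$(mktemp "$dir/$(date +%Y%m%d%H%M%S)_XXXXXX") || return 1
    cat > "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# Scan one spooled message. Refuse a relative name (the bug in the thread: the
# scanner's cwd is not the spool dir) and an unreadable file (the second cause
# Pete names) BEFORE invoking the scanner, so a misconfiguration surfaces as a
# filter error instead of as mail silently passing. Otherwise the exit status
# is the scanner's: 0 = deliver, anything else = reject (the poster's `|| {`
# convention; assumed here, check your SNF version's result codes).
scan_message() {
    case $1 in
        /*) ;;
        *)  echo "scan_message: need an absolute path, got '$1'" >&2; return 99 ;;
    esac
    [ -r "$1" ] || { echo "scan_message: cannot read '$1'" >&2; return 98; }
    "$SNIFFER_EXE" $AUTHENTICATION "$1"
}

filter_main() {
    msg=$(spool_message) || exit "$EX_TEMPFAIL"
    trap 'rm -f "$msg"' EXIT
    scan_message "$msg"; rc=$?
    case $rc in
        0)     $SENDMAIL "$@" < "$msg" || exit "$EX_TEMPFAIL" ;;
        98|99) exit "$EX_TEMPFAIL" ;;     # our own guard tripped: fix the config, do not bounce
        *)     exit "$EX_UNAVAILABLE" ;;  # scanner said reject
    esac
}

# Postfix passes "-f sender -- recipient..." as arguments; with no arguments
# (for instance when sourced for testing) nothing runs.
if [ $# -gt 0 ]; then
    filter_main "$@"
fi
```

One caveat on the permissions half of Pete's answer: if SNFClient.exe is the thin client of a client/server install, the file is opened by the separate SNFServer process, so the spool file must be readable by that process's user, not just by the user Postfix runs the filter as. mktemp creates the file mode 0600, which is fine when both run as the same account (snfilter, as in the thread's listing) and is exactly the ERROR_MSG_FILE symptom again when they do not.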

[sniffer] Rule Database copy question

2008-01-16 Thread Shawn Park
Hello,
I am using the latest beta version of Message Sniffer.  I am asking this
question because I thought I read this somewhere but I cannot find where I
read it.


If I copy my rule database file to the c:\snf directory while
SNFServer.exe is running, does SNFServer automatically load the new
updated rule database?

If so, how long does it usually take before SNFServer realizes that there is
a new rule database that was copied to that directory?


Is there any way to verify that SNFServer has loaded the latest rule database
that was copied?  I know I can run a SNF2check.exe on the rule database to
check the file before I copy it, but it would be great to know if
SNFServer.exe has loaded the latest copy that I have copied to the c:\snf
directory.

Thanks,
Shawn


[sniffer] Re: Rule Database copy question

2008-01-16 Thread Pete McNeil

Hello Shawn,

Wednesday, January 16, 2008, 2:26:14 PM, you wrote:

> Hello,
>
> I am using the latest beta version of Message Sniffer.  I am asking this question because I thought I read this somewhere but I cannot find where I read it.
>
> If I copy my rule database file to the c:\snf directory while SNFServer.exe is running, does SNFServer automatically load the new updated rule database?

Yes.

> If so, how long does it usually take before SNFServer realizes that there is a new rule database that was copied to that directory?

Within about a second of seeing the new file it will load and check the new rulebase. If there is something wrong with the rulebase file it will keep the current rulebase active until a better one shows up.

> Is there any way to verify that SNFServer has loaded the latest rule database that was copied?  I know I can run a SNF2check.exe on the rule database to check the file before I copy it, but it would be great to know if SNFServer.exe has loaded the latest copy that I have copied to the c:\snf directory.

SNFServer will indicate that the new rulebase was loaded in its log file.

Hope this helps,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
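
The answer above says the server picks up a new rulebase within about a second of the file appearing and keeps the current one if the new file fails its check. A copy that is still in progress when the server looks is exactly such a bad file, so the safe way to publish a download is: validate it first, write it to a temporary name in the same directory, then rename it over the live name in one step. The function below is an added example of that pattern, not the project's own update tooling. Everything in it is an assumption: SNF_DIR is the directory the server watches, SNF_CHECK is whatever command validates a rulebase on your install (SNF2check.exe in the question), and the file names are placeholders.

```shell
#!/bin/sh
# Added example: install a freshly downloaded rulebase so that a running
# SNFServer only ever observes a complete, already-validated file.
# Assumptions (not from the list thread): SNF_DIR is the directory the server
# watches; SNF_CHECK is a command that exits 0 when its argument is a valid
# rulebase file (it is expanded unquoted so it may carry its own options).
SNF_DIR=${SNF_DIR:-/var/spool/snfilter}
SNF_CHECK=${SNF_CHECK:-snf2check}

# install_rulebase NEW_FILE DEST_NAME
#   1. validate NEW_FILE with $SNF_CHECK; a bad file returns 2 and touches nothing
#   2. copy it to a temporary name INSIDE $SNF_DIR (same filesystem, so rename is atomic)
#   3. rename over DEST_NAME; the server never sees a half-written file
install_rulebase() {
    new=$1
    dest="${SNF_DIR%/}/$2"
    tmp="$dest.tmp.$$"

    [ -r "$new" ] || { echo "install_rulebase: cannot read $new" >&2; return 1; }

    if ! $SNF_CHECK "$new" >/dev/null 2>&1; then
        echo "install_rulebase: $new failed validation, keeping current rulebase" >&2
        return 2
    fi

    cp "$new" "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"                       # the server's user must be able to read it
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}

# Did the live file end up being the one we published? Compare content, not
# timestamps, so a copy that was interrupted or overwritten is not mistaken for success.
rulebase_matches() {
    cmp -s "$1" "${SNF_DIR%/}/$2"
}
```

The server-side confirmation is still the log line Pete mentions; this only guarantees that what the server loads is whole and that a rejected download leaves the previous rulebase untouched on disk as well as in memory.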

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
It appears that both the "reload" and the "rotate" options in the
sniffer executable are still accepted by SNFClient.exe but are
deprecated, as neither parameter appears in the help or in the
contextual help when SNFClient.exe is run without parameters.
 
Andrew.

[sniffer] ERROR_SYNC_FAILED

2008-01-16 Thread Shawn Park
Hello,
I am using the latest beta of Message Sniffer.


Occasionally in my log file I will see the following entry:




What causes this and how do I correct it?

Thanks,
Shawn


[sniffer] Re: Rule Database copy question

2008-01-16 Thread Pete McNeil

Hello Andrew,

Wednesday, January 16, 2008, 3:02:16 PM, you wrote:

> It appears that both the "reload" and the "rotate" options in the sniffer executable are still accepted by SNFClient.exe but are deprecated, as neither parameter appears in the help or in the contextual help when SNFClient.exe is run without parameters.

True -- if you called the SNFClient with rotate or reload then it would interpret those as the names of files to scan; would most likely not find them; and would produce a harmless error in the log file.

SNFServer automatically reloads configuration files and rulebase files when they are altered or replaced.

SNFServer can rotate log files on a per-day basis by including a date stamp in their name. If you move a log file manually or by a script then a new one will be created as needed.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

[sniffer] Re: ERROR_SYNC_FAILED

2008-01-16 Thread Pete McNeil

Hello Shawn,

Wednesday, January 16, 2008, 3:37:41 PM, you wrote:

> Hello,
>
> I am using the latest beta of Message Sniffer.
>
> Occasionally in my log file I will see the following entry:
>
> What causes this and how do I correct it?

Normally SNF will connect with our SYNC servers about once per minute. If there is network congestion or some other problem then the SYNC session might fail. It will be logged and a new session will be retried automatically.

The only way to correct this (or at least minimize it) is to reduce network congestion. You may not be able to do that ;-)

If this message appears only occasionally then there is no cause for concern.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

[sniffer] Re: Rule Database copy question

2008-01-16 Thread Colbeck, Andrew
Thanks for the response, Pete!
 
I was using both parameters in my scheduled pattern download script,
which would tell Sniffer that there was a new pattern, and would rotate
the logs before uploading them back to you.
 
With the new (beta) version, both extras have become redundant, so I've
removed them from my script.
 
 
Andrew.

[sniffer] Re: ERROR_SYNC_FAILED

2008-01-16 Thread Shawn Park
Thanks for the quick reply Pete.
When SNF connects to your SYNC servers, what information/data is it
exchanging?

Thanks,
Shawn


[sniffer] Re: ERROR_SYNC_FAILED

2008-01-16 Thread Pete McNeil

Hello Shawn,

Wednesday, January 16, 2008, 4:53:29 PM, you wrote:

> Thanks for the quick reply Pete.
>
> When SNF connects to your SYNC servers, what information/data is it exchanging?

The telemetry we receive is roughly equivalent to what you see in your .status.minute. file. In addition your SNF node sends:

* GBUdb alerts - These contain periodic updates on IP information in your GBUdb database so that the information can be shared with the cloud. An example might be:


* Spam samples - Messages that would normally be truncated but do not fail pattern rules are randomly sampled by default and sent to our virtual spamtrap system. This feature can be disabled if you wish.

Your node then receives:

* Rulebase status - Our system sends back information on the latest rulebase file.

* GBUdb reflections - Our system sends back GBUdb reflections (same format as above) corresponding to any alerts that your system sends us. This allows your system to learn from the cloud.

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
