Hello Message,
Rule 1940812 has already been removed from the core rulebase.
You can render the rule inert immediately by adding it to your rule
panics list.
Rule was coded at 13:03:17 EDT.
The rule was coded for an obfuscated version of the word Tuesday and
was coded with a bad abstraction.
Hello, --- following up.
Intended to make the original post with a high priority flag.
Also - the rule was removed at approximately 15:10:00 EDT
Hope this helps,
_M
Tuesday, June 17, 2008, 3:35:47 PM, you wrote:
Hello Message,
Rule 1940812 has already been removed from the core rulebase.
Pete, if we have a significant number of hits, they'll be from all kinds
of IP sources.
Should we dump the GBUdb? If so, how?
The documentation is perfectly clear on how to tweak an IP or dump an IP
in the GBUdb, but doesn't mention a wholesale clearing of it.
Andrew.
Thanks, Pete.
I had very few actual hits; I have lots of lines that indicate the rule
panic in place, but the number of actual hits is quite small.
How I found my hits:
cd /d C:\MessageSniffer
gawk "($6 == \"Final\") && ($7 == 1940812)" *.20080617.log
Andrew.
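The same search as a reusable script, run over a constructed sample log, added here as an example; it is not code from the thread or from the SNF project. The log layout is an assumption taken from the gawk one-liner above (whitespace-separated fields, $6 the stage, $7 the rule ID) plus one further assumption of my own, that $4 holds the source IP, so the second function can answer the "all kinds of IP sources" question. The non-Final stage name in the sample is made up to show that the $6 filter excludes such lines.

```sh
#!/bin/sh
# Added example (not from the thread or SNF): find a rule's Final hits in an
# SNF log with awk, the way Andrew's one-liner does, and summarise source IPs.
# ASSUMED layout: $4 = source IP, $6 = stage ("Final"), $7 = rule ID.
# Works with gawk as well as POSIX awk; only -v and plain patterns are used.

# Constructed sample log (not real SNF output), written to a temp file.
SAMPLE_LOG="${TMPDIR:-/tmp}/snf_example.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
20080617 13:05:01 m0001 192.0.2.10 0 Final 1940812 x
20080617 13:05:07 m0002 198.51.100.7 0 Final 1940812 x
20080617 13:05:09 m0003 192.0.2.10 0 Final 1940812 x
20080617 13:06:00 m0004 203.0.113.5 0 Final 62 x
20080617 13:06:30 m0005 192.0.2.10 0 Other 1940812 x
EOF

# Number of messages whose final verdict came from RULE.
rule_hits() {  # usage: rule_hits LOGFILE RULE
    awk -v rule="$2" \
        '($6 == "Final") && ($7 == rule) { n++ } END { print n + 0 }' "$1"
}

# Number of distinct source IPs (assumed field $4) behind those hits.
rule_unique_ips() {  # usage: rule_unique_ips LOGFILE RULE
    awk -v rule="$2" \
        '($6 == "Final") && ($7 == rule) { ips[$4] = 1 }
         END { c = 0; for (k in ips) c++; print c }' "$1"
}

# Usage against the constructed sample: 3 hits from 2 distinct IPs for 1940812.
rule_hits "$SAMPLE_LOG" 1940812
rule_unique_ips "$SAMPLE_LOG" 1940812
```

Point the two functions at a real `*.20080617.log` once you have confirmed which field carries the IP in your SNF version; the field numbers are the only thing to adjust.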
I haven't checked telemetry yet -- still very busy here battling the
stock-push spam and other storms.
However, you were likely protected by the Auto-Panic feature in the
new SNF.
The first time the bad rule hit a message with an IP source in the
white range it would have been
Pete,
How soon should we expect to see a new gbx file after a dump?
Mike
If you do decide to dump your GBUdb then follow this procedure:
Stop SNFServer.
Delete the .gbx file in the SNF working directory.
Restart SNFServer.
That procedure will cause SNF to build a new GBUdb file from scratch.
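The three-step procedure above as a script, added here as an example; it is not code from the thread or from the SNF project. It differs from the plain procedure in one practitioner-minded way: the .gbx file is moved to a timestamped backup rather than deleted, so the old reputation data can be put back if the dump turns out to be a mistake. The stop and start commands are passed in as arguments because they depend on how SNFServer is started on your system; `reset_gbudb`, `gbx_count` and the directory layout are my own names and assumptions.

```sh
#!/bin/sh
# Added example (not from the thread or SNF): reset GBUdb by stopping the
# server, moving every .gbx snapshot out of the working directory, and
# restarting so SNF rebuilds the database from scratch.
# ASSUMPTIONS: WORKDIR holds the .gbx snapshot(s) to clear; STOP_CMD and
# START_CMD are whatever stops and starts SNFServer for you (init script,
# service manager); both are placeholders here.

reset_gbudb() {  # usage: reset_gbudb WORKDIR BACKUPDIR STOP_CMD START_CMD
    workdir=$1; backupdir=$2; stop_cmd=$3; start_cmd=$4
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$backupdir" || return 1
    # 1. Stop the server first, so it cannot write a snapshot while we move files.
    $stop_cmd || return 1
    # 2. Move (not delete) each .gbx so the old data stays recoverable.
    moved=0
    for f in "$workdir"/*.gbx; do
        [ -e "$f" ] || continue
        mv "$f" "$backupdir/$(basename "$f").$stamp.bak" || return 1
        moved=$((moved + 1))
    done
    # 3. Restart; SNF starts with an empty GBUdb and writes a fresh .gbx at its
    #    next snapshot (every 3600 seconds by default, per this thread).
    $start_cmd || return 1
    echo "$moved"   # number of snapshot files moved aside
}

# Post-check: how many .gbx files remain in WORKDIR (0 right after a reset).
gbx_count() {  # usage: gbx_count WORKDIR
    n=0
    for f in "$1"/*.gbx; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Example invocation with placeholder commands; substitute your real ones.
# reset_gbudb /path/to/snf /path/to/snf/gbx-backups "true" "true"
```

Run `gbx_count` on the working directory about an hour after the restart as well: a new .gbx appearing is the sign that the rebuilt database is being snapshotted normally.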
Hello Michael,
Tuesday, June 17, 2008, 4:48:54 PM, you wrote:
Pete,
How soon should we expect to see a new gbx file after a dump?
If you are using the default settings then it should appear after
about an hour. By default GBUdb creates a snapshot of its database
every 3600 seconds.
Hello Andrew,
Tuesday, June 17, 2008, 5:03:25 PM, you wrote:
Thanks, Pete.
I had four actual false positives on one server, versus 324 unique hits
for the bad rule.
So yes, I'd say that the autopanic feature worked quite well.
It's a little odd to say this under the circumstances, but