Classic Logs (V1 - V2)

The SNFMulti engine can produce SNF version 2 log files for backward compatibility with existing log processing utilities. In fact, the engine can produce both types of log files simultaneously to provide an easier migration path to the new XML based log format.

A Classic (SNF 2) log file contains important statistics about the performance of the sniffer utility and its rulebase. Each line records a single match or clean response from the pattern matching engine. The fields on each line are separated by a tab. The meanings of the fields are as follows:

1 - License ID.
2 - Timestamp YYYYMMDDhhmmss (UTC).
3 - Scanned message file.
4 - Setup time in milliseconds (time required to load the rule set).
5 - Scan time in milliseconds (time required to load and scan the message).
6 - Clean / Match / White / Final result or error message.
7 - Matching Rule ID.
8 - Reported Group / Symbol ID.
9 - Index of the pattern match (approximate start position).
10 - Endex of the pattern match (approximate end position).
11 - Depth (Maximum number of evaluators alive during the scan).

Below is a segment of a typical log file for SNF 2.

snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 4212 4238  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 4483 4509  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 4930 4956  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 16995 63 5029 5044  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 5287 5313  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 16995 63 5386 5401  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 15144 63 7458 7481  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 15144 63 7557 7580  36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Final 13392 63 960  986   36
snf2beta 20021204081149 Db8c0118.SMD 250 871 Clean 0     0  0    31986 74
snf2beta 20021204081200 Db8cf02a.SMD 291 70  Match 17054 63 3417 3443  38
snf2beta 20021204081200 Db8cf02a.SMD 291 70  Match 17054 63 3842 3868  38
snf2beta 20021204081200 Db8cf02a.SMD 291 70  Final 17054 63 3417 3443  38
snf2beta 20021204081202 Db8cf112.SMD 251 40  Clean 0     0  0    3145  28
snf2beta 20021204081222 Db8e402a.SMD 240 110 Match 16688 63 2516 2527  39
snf2beta 20021204081222 Db8e402a.SMD 240 110 Match 16688 63 2516 2615  39
snf2beta 20021204081222 Db8e402a.SMD 240 110 Match 16688 63 2516 3998  39
snf2beta 20021204081222 Db8e402a.SMD 240 110 Match 16688 63 2516 4086  39
snf2beta 20021204081222 Db8e402a.SMD 240 110 Final 16688 63 2516 2527  39

Classic log files produced by SNF 3 and above may also include other activity entries and errors. Those entries are formatted in such a way that they maintain compatibility with existing SNF 2 logging utilities by re-using the message name field to indicate the context of an error or information message and the Clean / Match / Final field to indicate the message itself. This is similar to the way error messages would be produced in the original SNF V2 logs.

An information example might be:

snf2beta 20070521012345 -RELOADING- 0 0 Success 0 0 0 0 0

In this case, the context of the informational message was -RELOADING-, indicating that the rulebase file and / or configuration was being reloaded, and the resulting message was Success.

An error example might be:

snf2beta 20070521012345 -RELOADING- 0 0 ERROR_RULE_FILE 0 67 0 0 0

Here again the context is -RELOADING-, but the result indicates that there was a problem reading the rulebase file (ERROR_RULE_FILE). Note also that the error code associated with this condition, 67, is reported in the Group / Symbol ID field.
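The following parser is an added example, not code from the Message Sniffer distribution. It reads classic log lines using the eleven-field layout listed above, separates ordinary scan results (Clean / Match / White / Final) from the SNF 3 activity and error entries just described, and summarizes per-message verdicts, match counts per rule, and any errors. The sample input is constructed from the lines shown on this page; the assumptions that no field contains a space and that error results always start with ERROR are the example's, not the page's.

```python
"""Parser and summarizer for SNF classic (V2) log lines.

Added example, not part of the Message Sniffer distribution. It follows the
eleven-field layout described above; the sample entries are the ones shown on
this page, embedded here so the script runs offline.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

FIELDS = ("license", "timestamp", "message", "setup_ms", "scan_ms",
          "result", "rule_id", "group_id", "index", "endex", "depth")
NUMERIC = {"setup_ms", "scan_ms", "rule_id", "group_id", "index", "endex", "depth"}

# Results the engine emits for a scanned message. Anything else in the result
# field is an SNF 3+ activity or error entry, whose context (e.g. -RELOADING-)
# is carried in the message field.
SCAN_RESULTS = {"Clean", "Match", "White", "Final"}


@dataclass
class Entry:
    license: str
    timestamp: str
    message: str
    setup_ms: int
    scan_ms: int
    result: str
    rule_id: int
    group_id: int
    index: int
    endex: int
    depth: int

    @property
    def is_activity(self) -> bool:
        """Informational or error entry rather than a scan result."""
        return self.result not in SCAN_RESULTS

    @property
    def is_error(self) -> bool:
        # Assumption: error results are spelled ERROR_<NAME>, as on the page.
        return self.is_activity and self.result.startswith("ERROR")


def parse_line(line: str) -> Entry:
    """Split one log line into its eleven fields.

    Real logs are tab separated; the page's sample is space aligned, so fall
    back to whitespace splitting when no tab is present (assumption: no field
    contains a space).
    """
    parts = line.rstrip("\r\n").split("\t") if "\t" in line else line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    values = {name: (int(v) if name in NUMERIC else v)
              for name, v in zip(FIELDS, parts)}
    return Entry(**values)


def parse_log(text: str) -> List[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def summarize(entries: List[Entry]) -> Dict[str, object]:
    """Per-message verdicts, Match counts per rule ID, and error entries.

    A message's verdict is its Clean/White line or its Final line; the Final
    line's rule ID identifies the rule that decided the result.
    """
    verdicts: Dict[str, str] = {}
    matches_per_rule: Counter = Counter()
    errors = []
    for e in entries:
        if e.is_error:
            errors.append((e.message, e.result, e.group_id))
        elif e.result == "Match":
            matches_per_rule[e.rule_id] += 1
        elif e.result in ("Clean", "White"):
            verdicts[e.message] = e.result
        elif e.result == "Final":
            verdicts[e.message] = f"Final:{e.rule_id}"
    return {"verdicts": verdicts, "matches_per_rule": dict(matches_per_rule),
            "errors": errors}


# Constructed sample: a subset of the page's example lines, converted to the
# tab-separated form real logs use, plus the SNF 3 information and error entries.
SAMPLE_LOG = "\n".join("\t".join(row.split()) for row in """
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 4212 4238 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 4483 4509 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 4930 4956 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 16995 63 5029 5044 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 13392 63 5287 5313 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 16995 63 5386 5401 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 15144 63 7458 7481 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Match 15144 63 7557 7580 36
snf2beta 20021204081147 Db8c1112.SMD 581 140 Final 13392 63 960 986 36
snf2beta 20021204081149 Db8c0118.SMD 250 871 Clean 0 0 0 31986 74
snf2beta 20021204081200 Db8cf02a.SMD 291 70 Match 17054 63 3417 3443 38
snf2beta 20021204081200 Db8cf02a.SMD 291 70 Match 17054 63 3842 3868 38
snf2beta 20021204081200 Db8cf02a.SMD 291 70 Final 17054 63 3417 3443 38
snf2beta 20070521012345 -RELOADING- 0 0 Success 0 0 0 0 0
snf2beta 20070521012345 -RELOADING- 0 0 ERROR_RULE_FILE 0 67 0 0 0
""".strip().splitlines())

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Because Match lines are interleaved with the Final line for the same message, the summary keys verdicts by message file name rather than by line; an operator watching for rulebase problems would alert on the errors list, which is empty in normal operation.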

Please email support@armresearch.com with any questions.
