Message Sniffer.GettingStarted.Distributions
From ARM-KB
This page is no longer maintained and may contain information that is out of date. We have left this page in place to provide a historical reference and to provide assistance to folks who may have not yet upgraded from Version 2 to Version 3. EVERYONE should upgrade to the latest version if they have not done so already.
For the latest information covered on this page, please see the following pages on our web site: http://www.armresearch.com/products/index.jsp
Current Production Distributions
The best place to download Message Sniffer is from this page. You can also download the Message Sniffer technology demonstrator from C|Net (CNET Download.com). Be sure to stop by there and add your review!
The Technology Demonstrator License ID is: snfrv2r3
The Technology Demonstrator Authentication Code is: xnk05x5vmipeaof7
The current distribution file contains a Win32 version of the snfrv2r3.exe command line scanner and the snf2check.exe validating utility, the C++ source code (for use on Linux and BSD systems or your own integration solution), a copy of the technology demonstrator rulebase, and a number of example scripts.
The technology demonstrator software can be used on your systems for as long as you like. There is no time restriction. You may use the technology demonstrator software and rulebase as long as you need to assure yourself it will work reliably in your environment. The software itself is identical to the fully licensed version. However, the technology demonstrator rulebase is *limited* and will not effectively filter spam!
When you have the technology demonstrator set up on your system and working correctly you should sign up for a free trial and you will be provided with a production-ready rulebase for 30 days. The trial version of Message Sniffer is identical to the subscription version. In fact, when you purchase your subscription you will simply continue to use the same rulebase and software from your trial - no need to change anything that's already working :-).
How can I tell which version of Sniffer I am running?
You can check the version by running SNF at the command line with no parameters. It will complain about being run that way, and at the bottom it will provide you with version and build information.
How do I upgrade to the latest version of Sniffer?
You can download the latest Sniffer engine from this page (see the Current Distribution file at the top of this page).
Open the .zip file, rename the executable to match your license ID, and copy it over your current executable.
The latest Beta or Interim releases
Message Sniffer is constantly under development. We have adopted a "continuously open" development strategy which allows all interested parties to participate and comment on the process. Each new interim release will be announced on the sniffer@ list and made available on the web site. Those who wish to participate privately may correspond with us through support@armresearch.com. Others can participate through the standard sniffer@ list. Current project plans will be updated here as often as possible. Here is what we are working on next:
NEW SNF V2-9 Wide Beta
After much testing and development the next version of Message Sniffer is now ready for wide beta testing. There will be several test packages released over the next few days. The first is the Client/Server command line version. This is a drop-in replacement for Winx based systems using a persistent instance and/or the command line scanner such as those running Declude or mxGuard.
Here are some of the important new features:
- More Accurate - Scanning engine improvements and new collaborative learning features combine to reduce both false negatives and false positives while using fewer system resources and simplifying administration.
- More Powerful - Fully multi-threaded engine takes full advantage of multiple processors and hyper-threading.
- More Efficient - Faster scanning engine achieves between 10% - 30% more throughput on most systems.
- More Robust - Architectural changes have been made to enhance SNF's performance on systems where large numbers of SNF nodes must be configured and managed efficiently; system components must remain reliable under adverse conditions; and system availability is at a premium.
- True Client/Server Model - Socket-based (TCP/Localhost) Client/Server model significantly reduces I/O loads and eliminates overload/cascade failures even when systems are "forced into the ground" by spam storms or unexpected shifts in message flow.
- Redesigned for larger systems - Authentication and configuration files are separate so that deploying configuration changes to multiple systems is as easy as copying your new configuration file; or if you wish you can store your configuration file in a central location and have all of your nodes read it from there automatically.
- High Availability - Changes to rulebase and configuration files are detected automatically and loaded without interrupting the scanning process. When a change is detected, any scans that are in process are completed using the old configuration. New scans that are started use the new configuration data without skipping a beat. The result is that configuration changes and rulebase updates have virtually no effect on system performance.
- More Flexible - The new SNF engine has been completely redesigned:
  - No More Branding - It is no longer necessary to "brand" executables with your license ID. Your license ID and authentication can now reside in a special configuration file.
  - XML Based Configuration - All configuration files are based on XML.
  - XML Log Files - Log files can be produced in the old format or the new XML based format. XML logs can be configured to provide simple "one-liner" entries or highly detailed scan data.
  - Log Rotation and Location - Log files can now be stored wherever you want and can optionally be named for the current day to provide an automatic rotation mechanism.
  - Real-time Status - XML based status files can be created once per second, once per minute, or once per hour. These status reports can also be appended into a "log of status reports" to provide ready XML based data sets for trend and performance analysis.
- More Intelligent - GBUdb (Good/Bad/Ugly/Ignore) collaborative IP reputation system allows SNF nodes to collectively learn IP statistics from each other while remaining specialized for each individual system.
- Less Leakage - Messages from known bad IPs can be tagged with several adjustable result codes even when the message does not match any pattern rules.
- Fewer False Positives - Messages from known good IPs can be automatically white-listed even when messages occasionally match pattern rules. Also - new rules that match messages from known good IPs can trigger a new "Auto-Panic" feature which immediately makes the rule inert and alerts us of the conflict. Messages get through and the problem gets fixed without any administrative overhead.
- Zero-Minute Response Times - Information about known bad IPs is automatically available within 60 seconds (30 on average). New data on bad IP sources reaches the entire GBUdb network within 90 seconds (typ). The result is that spam storm leakage can be reduced by more than 50%.
- Virtual Spam-Traps - Messages coming from known bad IPs (the worst of the worst) can be sampled and fed into our virtual spam trap system so new rules come out faster to reduce leakage. (This feature can be easily disabled if desired.)
- Message Truncation - When a message comes from one of the worst known IPs the scanning process can be truncated to save CPU resources. The result code for a truncated message is unique so that other stages in your filtering system can respond accordingly.
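As an added example (not code from the SNF project), here is how the High Availability behaviour described above can be implemented in C++: every scan takes its own reference to an immutable configuration snapshot when it starts, so a reload publishes a new snapshot for scans that start afterwards while scans already in progress finish on the old one. The names ConfigHolder, Scan and demoReload are assumptions.

```cpp
// Added illustration of the reload semantics above (not SNF's code; names assumed).
#include <memory>
#include <mutex>
#include <string>
#include <utility>

struct Config {
    int version;           // constructed: incremented on every reload
    std::string rulebase;  // constructed: rulebase file in effect
};

// Holds the current configuration as an immutable snapshot. A reload publishes
// a new snapshot; old ones live on while any in-flight scan still holds one.
class ConfigHolder {
public:
    explicit ConfigHolder(std::shared_ptr<const Config> initial)
        : current_(std::move(initial)) {}
    // Called when a changed rulebase/configuration file is detected.
    void reload(std::shared_ptr<const Config> fresh) {
        std::lock_guard<std::mutex> lock(mu_);
        current_ = std::move(fresh);
    }
    // A scan takes its reference exactly once, when it starts.
    std::shared_ptr<const Config> acquire() const {
        std::lock_guard<std::mutex> lock(mu_);
        return current_;
    }
private:
    mutable std::mutex mu_;
    std::shared_ptr<const Config> current_;
};

// A scan is bound to the snapshot that was current when it started, so a
// reload mid-scan never changes the rules it is evaluating against.
class Scan {
public:
    explicit Scan(const ConfigHolder& holder) : cfg_(holder.acquire()) {}
    int configVersion() const { return cfg_->version; }
private:
    std::shared_ptr<const Config> cfg_;
};

// Starts one scan, reloads, starts another. Returns {version used by the
// in-flight scan, version used by the scan started after the reload}.
std::pair<int, int> demoReload() {
    ConfigHolder holder(std::make_shared<Config>(Config{1, "rulebase-v1"}));
    Scan inFlight(holder);                                            // under v1
    holder.reload(std::make_shared<Config>(Config{2, "rulebase-v2"}));
    Scan afterReload(holder);                                         // under v2
    return {inFlight.configVersion(), afterReload.configVersion()};
}
```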
Older Projects
V2-4 Project: Status 20061023 - V2-3.5 Released.
- Download VERSION 2-3.5 (zip) Here (sniffer-2-3.5.zip)
- Download VERSION 2-3.5 (tar.gz) Here (sniffer-2-3.5.tar.gz)
- Key Features / History:
  - 20061023 V2-3.5
    - snf_engine.hpp, snf_engine.cpp
      - Optimized deep code in the scanning engine to re-use previously allocated evaluators. (2x speed!)
    - Package
      - V2-3.2i1 rolled in.
      - Updated Readme.txt.
      - Updated UPDATE-YOUR-RULEBASE.txt.
      - Updated License-Info.txt.
      - Updated distribution layout.
      - Included WeightGate utility (win32 & source).
  - 20060405 V2-3.2i1 Released
    - 20060405 V2-3.2i1
      - PeerServer.hpp
        - SECS_PER_MSEC mnemonic
        - Updated StartServerClock() and CheckServerClock() to use Timeout ServerDeathClock.
        - Updated StartClientClock() and CheckClientClock() to use Timeout ClientDeathClock.
        - Adjusted timing parameters for improved peer-server and client-server performance.
        - Updated mnemonics for server poll timing ServerMinPollTime and ServerMaxPollTime.
      - PeerServer.cpp
        - Updated PeerRecord::WaitForFin() to use Sleeper InitialPollSleeper and PollTimer FINPollTimer.
        - Updated PeerRecord::ReadResults() to use Sleeper OpenRetrySleeper.
        - Updated PeerServer::StandardJob() to use PollTimer ServerPollTimer.
    - 20060404 V2-3.2i1
      - all-files
        - Cleaned up copyright notices.
        - Removed abstractsleep.h & references.
      - sniffer.cpp
        - Updated reload command handler.
        - Updated rotate command handler.
        - Updated stop command handler.
        - Updated ProgramDeathClock.
        - Updated CommandCheck function.
        - Fixed mode bug in command semaphores using S_IRWXU.
      - logger.cpp
        - Cleaned up lock functions to use S_IRWXU.
        - Logger::Lock() now uses a LoggerLockRetryTimer.sleep()
      - PeerServer.cpp
        - PeerServer::Lock() now uses ServerLockRetryTimer.sleep()
        - PeerRecord::Lock() now uses RecordLockRetryTimer.sleep()
MDaemon Plugin Project: Status 20041117 - Version 0.53b released.
- Key Features / History:
  - v0.53 - Fixed a bug in the FilterChain.
  - v0.52 - Added UrlDecode module to the filter chain. This module scans and tags for URL encoded characters and if any are found the tag is repeated with those elements decoded. This will expand the effectiveness of URI & Numbered link rules when URL encoding is used to obfuscate links and image sources.
  - v0.51 - Fixed a bug in the Phantom Received Header. Received: was missing a ':' - so the Phantom Received Headers, while present, were not in a form that would actually match the rules. Sorry about that ;-)
  - v0.51 - Added Version & License information to the PlugIn headers that are produced when the rulebase and/or configuration is reloaded. This makes it easier to know which version is in place etc...
  - v0.5 - Upgraded SNF engine to 2-3.1i1. The newer engine includes a "Defunker" module in the filter chain. This module re-scans the message with HTML/XML tags removed and with some &..; encoded characters decoded, plus some other minor deobfuscation mechanisms. This version should improve the effectiveness of the current rulebase against a wide range of obfuscation mechanisms.
  - v0.4 - Added Phantom Received Header feature. This option, on by default, adds a phantom local received header to the scan stream inside Message Sniffer. This allows SNF to respond to local connection information that is not currently produced by MDaemon when the plugin is called. Leaving this feature turned on ensures that all of the SNF rules that depend on local received headers will work properly.
  - v0.4 - Added Control File Log debug feature. This is only useful in the short term for determining the contents of the .ctl file for different kinds of messages. Once the plugin has matured this feature will probably be removed.
  - v0.31 - Included sample SpamAssassin .cf file that can be placed in the SpamAssassin\rules folder to interpret the Final result headers produced by the Message Sniffer plugin.
  - v0.31 - Included snf2check utility.
  - v0.31 - Included full-strength evaluation license: mdaemon1.
  - v0.31 - Corrected buffer clearing bug - caused false positives by holding over data from previous scans intermittently.
  - v0.3 - Added NoScan feature.
  - v0.3 - Added XHeaderMessage feature.
  - v0.2 - Corrected the XHeaderFinal code to always return a numerical result.
  - v0.2 - Added _MANY_ additional header options - read the .cfg file for details.
  - v0.2 - Added more logging code for reload events and errors.
  - v0.2 - Corrected configuration reader code so that defaults are consistently reset before reading the new configuration.
Previous Versions
Beginning with version 2-2 we will be keeping some previous releases available. We highly recommend that you move to the latest release as soon as possible and we will assume you are using the most recent version unless you tell us otherwise. Support for prior releases will be limited.
