|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604 |
- <!-- Copyright 2009, ARM Research Labs, LLC -->
-
- <html>
- <body>
- <font face="sans-serif">
-
- <h1>Message Sniffer SDK for Win* V3.4</h1>
- <h2>Contents</h2>
- </font><h3><ol>
- <p><font face="sans-serif">Introduction</font></p>
- <li><font face="sans-serif"><a href="#Begin">Before you begin!</a></font></li>
- <li><font face="sans-serif"><a href="#Contents">Contents of the SDK</a></font></li>
- <li><font face="sans-serif"><a href="#RunningSamples">Running the Sample Programs</a></font></li>
- <li><font face="sans-serif"><a href="#Description">SNFMulti DLL Description</a></font></li>
- <li><font face="sans-serif"><a href="ChangeLog.txt">Change Log</a></font></li>
- <p><font face="sans-serif">Setup notes and important instructions</font></p>
- <li><font face="sans-serif"><a href="SNFServer_readme.txt">SNFServer Setup Readme</a></font></li>
- <li><font face="sans-serif"><a href="SNFClient_readme.txt">SNFClient Setup Readme</a></font></li>
- <p><font face="sans-serif">Code Samples</font></p>
- <li><font face="sans-serif"><a href="include/snfmultidll.h">C Header File (snfmultidll.h></a></font></li>
- <li><font face="sans-serif"><a href="32bitDll/snfmulti.def">Module Definition File (libsnfmulti.def)</a></font></li>
- <li><font face="sans-serif"><a href="CPPSample/main.cpp">C++ Sample Code</a></font></li>
- <li><font face="sans-serif"><a href="VS2019VBSample/main.vb">VB.Net Sample Code</a></font></li>
- <p><font face="sans-serif">API Reference - Functions listed in the order they should be used</font></p>
- <li><font face="sans-serif"><a href="#startupSNF">startupSNF()</a> - Initializes the SNF engine and loads the rule base</font></li>
- <li><font face="sans-serif"><a href="#startupSNFAuthenticated">startupSNFAuthenticated()</a> - Initializes SNF with license info</font></li>
- <li><font face="sans-serif"><a href="#setThrottle">setThrottle()</a> - Sets a concurrent thread limit (if desired)</font></li>
- <li><font face="sans-serif"><a href="#testIP">testIP()</a> - Returns the GBUdb reputation range for an IP</font></li>
- <li><font face="sans-serif"><a href="#getIPReputation">getIPReputation()</a> - Returns IP Reputation Figure for an IP</font></li>
- <li><font face="sans-serif"><a href="#scanBuffer">scanBuffer()</a> - Scans a message buffer</font></li>
- <li><font face="sans-serif"><a href="#scanFile">scanFile()</a> - Scans a message file</font></li>
- <li><font face="sans-serif"><a href="#getScanXHeaders">getScanXHeaders()</a> - Returns the scan result and XHeaders</font></li>
- <li><font face="sans-serif"><a href="#getScanXMLLog">getScanXMLLog()</a> - Returns the scan result and XML Log data</font></li>
- <li><font face="sans-serif"><a href="#getScanClassicLog">getScanClassicLog()</a> - Returns the scan result and Classic Log Data</font></li>
- <li><font face="sans-serif"><a href="#getScanResult">getScanResult()</a> - Returns the scan result (nothing else)</font></li>
- <li><font face="sans-serif"><a href="#closeScan">closeScan()</a> - Closes the scan and releases resources</font></li>
- <li><font face="sans-serif"><a href="#shutdownSNF">shutdownSNF()</a> - Shuts down the SNF engine</font></li>
- <p><font face="sans-serif">Miscellaneous</font></p>
- <li><font face="sans-serif"><a href="#ResultCodes">Result Codes</a> - Error and Scan Result Mnemonics</font></li>
- </ol></h3><font face="sans-serif">
-
- <hr/>
- <a name="Begin"><h3>Before you begin!</h3></a>
-
- <p>This SDK contains a complete Message Sniffer engine. You MUST be familiar with that engine
- before you can effectively use this SDK. If you do not already have an OEM license or trial
- SNF rule base license then please <a href="http://www.armresearch.com/">visit our web site first
- and get one!</a> The engine won't run without it.</p>
-
- <p>We highly recommend that you have some experience with our SNFServer and SNFClient applications
- before you begin writing your own or begin integrating the SNF engine into your own software.</p>
-
- <p>We're not saying it's hard to do -- quite the opposite actually, BUT SNF is a sophisticated
- piece of software with a lot of capabilities and options. You will have much better results
- if you are familiar with these before you begin ;-)</p>
-
- <hr/>
- <a name="Contents"><h3>Contents of the SDK</h3></a>
-
- <p>This SDK contains the following:
- <ol>
- <li><font face="sans-serif">Documentation files, including
- this file.</font></li>
- <li><font face="sans-serif">DLLs (both 32 bit and 64 bit
- versions) and the required header files (in
- directory <b>include</b>).</font></li>
- <li><font face="sans-serif">Sample programs in C++ (in
- directory <b>CPPSample</b>), C# (<b>VS2019CSSample</b>), and Visual
- Basic (<b>VS2019VBSample</b>).</font></li>
- <li><font face="sans-serif">VS 2019 Solution files to build
- the sample program in C++ (in
- directory <b>VS2019CPPSample</b>), in C#
- (<b>VS2019CSSample</b>), and Visual Basic
- (<b>VS2019VBSample</b>).<br>
- The <b>VS2019CPPSample\README</b> contains instructions for
- creating the SNFMulti import libraries for use with VS 2019.
- </font></li>
- <li><font face="sans-serif">Other applications
- (<b>curl</b>, <b>SNFClient</b>, and <b>getRulebase</b>) and
- configuration files needed to support SNF
- operation.</font></li>
- </ol>
- There are also directions for building VS 2019 import and export
- libraries in <b>VS2019CPPSample\README</b>.
- </p>
-
- <hr/>
- <a name="SuggestedInstallation"><h3>Suggested Installation</h3></a>
-
- <p>
- To make the SDK available to other users, copy the the contents
- of <b>SNFMultiSDK_Windows</b> to <b>C:\SNF</b>.
-
- </p>
-
- <hr/>
- <a name="RunningSamples"><h3>Running the Sample Programs</h3></a>
-
- <p>
- Before running the sample programs, copy the following files
- to <b>C:\SNF</b> (if the contents of <b>SNFMultiSDK_Windows</b>
- haven't been copied to <b>C:\SNF</b>):
-
- <ol>
- <li><font face="sans-serif">
- <b>snf_engine.xml</b>
- </font></li>
- <li><font face="sans-serif">
- <b>identity.xml</b>
- </font></li>
- <li><font face="sans-serif">
- <b>testmode.snf</b>
- </font></li>
- </ol>
-
- To run the sample programs, follow the instructions in the README file
- in the sample program directory:
-
- <ol>
- <li><font face="sans-serif"><a href="VS2019CPPSample/README">VS2019CPPSample/README</a></font></li>
- <li><font face="sans-serif"><a href="VS2019CSSample/README">VS2019CSSample/README</a></font></li>
- <li><font face="sans-serif"><a href="VS2019VBSample/README">VS2019VBSample/README</a></font></li>
- </ol>
-
- </p>
-
- <hr/>
- <a name="Description"><h3>SNFMulti DLL Description</h3></a>
-
- <p>The SNF SDK for Win* is based on a DLL. The DLLs for both the 32 bit
- and 64 bit versions are included here.
- </p>
-
- <p>The DLL contains the entire SNFServer engine and provides a simple API for starting the
- engine, scanning messages, and retrieving the results. Since the entire SNFServer engine is
- included you also have the option of using the SNFClient utility once your application has
- started the SNF engine. You can also make calls to the engine using the XCI protocol (which
- is how SNFClient does it's work)</p>
-
- <p>Of course the best way to use the DLL is to perform scans directly through the API. The
- best performance can be achieved by scanning a message in memory via the scanBuffer() function
- since this can be done at the full speed of the processor without waiting for IO operations.</p>
-
- <p>The DLL is fully thread-safe so you can perform as many concurrent scans as you wish. Also,
- just in case it will make things easier for you, the DLL provides a throttling function which
- can limit the number of concurrent scans. (It won't unless you ask it to.)</p>
-
- <p>The general form of an application using the DLL will first start the engine, then
- optionally set the throttle, then perform scans (perform a scan, get results, close the scan, repeat),
- and finally it will shutdown the engine.</p>
-
- <p>Since the DLL contains the entire SNFServer engine, it can (and must) be configured in
- exactly the same way as SNFServer. <a href="http://www.armresearch.com/support/articles/software/snfServer/config/index.jsp">
- Documentation for configuring SNFServer can be found on our web site.</a></p>
- <p>New in snfmulti.dll V3.0!</p>
- <p>OEM developers can now protect their licenseID and Authentication string by providing it directly to the SNF engine at run-time. When combined with an internal mechanism for downloading rule base files this makes it practical to control SNF license information entirely within the OEM's application. <a href="#startupSNFAuthenticated">See startupSNFAuthenticated() for details.</a></p>
-
- <hr/>
- <a name="startupSNF"><h3>int startupSNF(char* path);</h3></a>
-
- <p>This function initializes the SNF scanning engine using the configuration file provided.
- The configuration file identifies all of the operational parameters for the SNF engine including
- the location of the working directories and rule base file, SNF license information, and
- much more. <a href="http://www.armresearch.com/support/articles/software/snfServer/config/index.jsp">
- See our web site for details on configuring the SNF engine.</a></p>
-
- <dl>
- <dd><b>path</b> = The full path to the snf_engine.xml file as a null terminated string.</dd>
- <dd><b>returns</b> snf_SUCCESS when successful, otherwise see <a href="#ResultCodes">Error Codes</a>.</dd>
- </dl>
-
- <hr/>
- <a name="startupSNFAuthenticated"><h3>int startupSNFAuthenticated(char* path, char* lic, char* auth);</h3></a>
-
- <p>This function initializes the SNF scanning engine using the configuration file and authentication
- information provided. When SNF is started with this function the identity.xml file can be omitted and
- the identity= attribute of the <node/> element in snf_engine.xml can be omitted. This allows OEM
- developers to protect their authentication string by retrieving it from an encrypted source at run-time
- and providing it directly to the SNF engine.</p>
-
- <p>In all other ways the SNF engine is configured in the same as when using <a href="#startupSNF">startupSNF() (see above)</a></p>
-
- <p>Note that if you intend to use this mechanism to protect your SNF license information you will also need to
- address the mechanism you use to download and verify rule base files. Either build a mechanism to download and
- authenticate your rule base file without exposing your authentication string or you might modify the existing
- getRulebase script to remove the snf2check operation and the associated authentication string. The SNF engine will
- check all rule base files before they are loaded for scanning and will refuse to load a rule base file that does
- not authenticate properly.</p>
-
- <dl>
- <dd><b>path</b> = The full path to the snf_engine.xml file as a null terminated string.</dd>
- <dd><b>lic</b> = The 8 character license id as a null terminated string.</dd>
- <dd><b>auth</b> = The 16 character authentication string as a null terminated string.</dd>
- <dd><b>returns</b> snf_SUCCESS when successful, otherwise see <a href="#ResultCodes">Error Codes</a>.</dd>
- </dl>
-
- <hr/>
- <a name="setThrottle"><h3>int setThrottle(int Threads);</h3></a>
-
- <p>This function establishes a limit on the number of concurrent scans that can run. Any additional
- threads will block until at least one of the active scans is completed.</p>
-
- <p>The default value for the throttle setting is zero. When the throttle is set to zero then no limits
- are placed on the number of concurrent scans. In this mode the application must limit the number of
- concurrent scans.</p>
-
- <dl>
- <dd><b>Threads</b> = The number of concurrent scans allowed.</dd>
- <dd><b>returns</b> the number of Threads if successful otherwise snf_ERROR_EXCEPTION.</dd>
- </dl>
-
- <hr/>
- <a name="testIP"><h3>int testIP(unsigned long int IPToCheck);</h3></a>
-
- <p>This function tests an IP against the GBUdb. This function returns very quickly and can be called
- as often as required without any follow-up actions as long as the SNF Engine is active (between startupSNF()
- and shutdownSNF()). This function is thread-safe and does not interfere with other scanning functions.</p>
-
- <p>GBUdb gathers it's statistics based on the message scans that are performed. Information about those
- scans is also shared with other SNF nodes approximately once every minute. No external queries are
- performed to gather GBUdb data. As a result GBUdb can only provide an IP reputation for IPs that sourced
- messages scanned by this SNF node.</p>
-
- <p>Put another way - GBUdb does not work like a conventional real-time black list. Message scans must
- be performed in order for GBUdb to provide IP reputation information.</p>
-
- <p>For more information on how GBUdb works visit the
- <a href="http://www.armresearch.com/support/articles/technology/GBUdb/index.jsp">
- GBUdb Technology section of our web site.</a></p>
-
- <dl>
- <dd><b>IPToCheck</b> = The IP to test.</dd>
- <dd><b>returns</b> an integer representing the GBUdb Range associated with the IP if successful
- otherwise snf_ERROR_EXCEPTION.</dd>
- </dl>
-
- <h4>GBUdb Range MNemonics from enum snfIPRange</h4>
- <dl>
- <dd>Unknown, snf_IP_Unknown = 0</dd>
- <dd>White, snf_IP_White = 1</dd>
- <dd>Normal, snf_IP_Normal = 2</dd>
- <dd>New, snf_IP_New = 3</dd>
- <dd>Caution, snf_IP_Caution = 4</dd>
- <dd>Black, snf_IP_Black = 5</dd>
- <dd>Truncate, snf_IP_Truncate = 6</dd>
- </dl>
-
- <hr/>
- <a name="getIPReputation"><h3>double getIPReputation(unsigned long int IPToCheck);</h3></a>
-
- <p>This function returns a number representing the overall reputation of the IP based on local GBUdb statistics.
- This number (Reputation Figure) can be easily manipulated to provide additional weight values in systems that combine
- multiple tests using a weight based scoring system. The Reputation Figure is calculated by combining the Probability figure and the Confidence figure using the formula:</p>
-
- <pre>R = sign(P) * sqrt(abs(P * C))</pre>
-
- <p>This function returns very quickly and can be called as often as required without any follow-up actions as long
- as the SNF Engine is active (between startupSNF...() and shutdownSNF()). This function is thread-safe and does not interfere with other scanning functions.</p>
-
- <dl>
- <dd><b>IPToCheck</b> = The IP to test.</dd>
- <dd><b>returns</b> a number between -1.0 and +1.0 representing the combined probability that the IP will produce spam.</dd>
- </dl>
-
- <h4>Converting IP Reputation Figures To Weights</h4>
-
- <p>There are a number of ways to convert a Reputation figure to a weight value. The simplest is to simply multiply
- the Reputation figure by the maximum weight you wish to give to this test.</p>
-
- <pre>SimpleWeight = R * MaxReputationWeight</pre>
-
- <p>Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that
- these systems appear closer to zero. For example if you applied a maximum weight of 10 and found that many ISPs
- regularly scored 5 or more then you might add a Bias of -5 to bring those systems toward zero.</p>
-
-
- <pre>BiasedWeight = (R * MaxReputationWeight) + Bias</pre>
-
- <p>A more sophisticated system might allow for different weights on the positive and negative going Reputation
- figures so that the amount of negative or positive weight that can be applied can be adjusted independently. Such
- a system might also wish to apply a bias directly to the reputation figure before doing that calculation so that
- the zero point can be adjusted to compensate for averages.</p>
-
- <p>In a system like this if legitimate ISPs tended to get a Reputation Figure of 0.5 then the bias might be -0.5
- so that this would become the zero point. Then the positive and negative weight factors could be adjusted so that
- the desired maximum and minimum weights can be achieved... Note that in this scenario the positive and negative
- weight settings are not maximum values.
-
- <pre>SplitWeight = (0 > (R + Bias)) ? ((R + Bias) * NegativeWeightFactor) : ((R + Bias) * PositiveWeightFactor)
-
- MaximumNegativeWeight is given by (-1.0 + Bias) * NegativeWeightFactor
- MaximumPositiveWeight is given by (+1.0 + Bias) * PositiveWeightFactor
-
- When R + Bias == 0.0, the weight will be 0.</pre>
-
- <p>The most sophisticated system might provide a graphic interface that maps the reputation figure directly
- to a desired weight. This would allow the user to shape the effect of the Reputation figure any way they wish in
- order to gain very tight control over their systems accuracy.</p>
-
- <hr/>
- <a name="scanBuffer"><h3>int scanBuffer(unsigned char* Bfr, int Length, char* Name, int Setup);</h3></a>
-
- <p>This function scans an SMTP message from a buffer. A scan result block is allocated for the scan
- and a handle representing the scan result block is returned. The application can then use this handle to retrieve
- the scan results using the get...() functions. When the application is finished it MUST release the
- scan result block with a call to closeScan().</p>
-
- <p>The message buffer is expected to contain the raw SMTP data for the message with the local Received:
- header at the top. The message should not be broken into MIME segments before it is scanned by SNFMulti.
- This is important because Message Sniffer examines the entire message as well as how the message was
- assembled by the originating system. Any additional processing is both unnecessary and may remove subtle
- defects and artifacts that will help Message Sniffer classify the message.</p>
-
- <p>If the message is particularly large it is acceptable to scan only the first 32K bytes of the message.
- This means that if the calling application wants to scan a large incoming message before it has received
- all of the DATA during the SMTP connection then it can scan the first 32K of the message and potentially
- reject the remainder based on the scan result.</p>
-
- <p>When the application is finished with the results from this scan it must release the scan result block
- with a call to closeScan(). Scan result blocks are allocated as needed and then recycled in order to improve
- performance. If the application fails to close the scan result blocks then the DLL will continue to
- allocate additional blocks until there is no more RAM.</p>
-
- <p>The entire scan is performed before this function returns. After that the scanning thread is no longer
- considered to be active. The resulting scan result buffer may be accessed as often as needed to gather
- results data from this scan without impacting any other scan operations.</p>
-
- <p>Any number of scan...() operations may be active concurrently up to the limits of the platform.</p>
-
- <p>The scanBuffer() function accepts two additional parameters that are passed on to the logging system
- to aid in debugging.</p>
-
- <p>The Name parameter is a null terminated string containing an identifier for the
- message being scanned. This can be any name that can be used later to identify this particular message
- in the log files such as a serial number, unique hash, or the message-id. For example, when the
- scanFile() function is called this parameter is filled in with the path to the file that was scanned.</p>
-
- <p>The Setup parameter is an integer representing the number of milliseconds spent so far setting up
- the message to be scanned. This can be any useful metric - but generally it should represent how much
- time the system has spent working on preparing and evaluating the message so far. For example, when the
- scanFile() function is called this value is automatically established with the amount of time spent
- opening and reading the message file.</p>
-
- <p><b>IMPORTANT:</b> SNF expects to identify the source IP for the message by searching Received: headers
- in the message. The application must ensure that the local Received: header is present as the first
- Received: header in the message in order for this search to be accurate. If necessary the calling application can
- simulate the local received header using the following minimal form:</p>
-
- <p><pre>Received: from connecting.mta.example.com [12.34.56.78] by this.scanning.system</pre></p>
-
- <p>where <b><i>connecting.mta.example.com</i></b> is the optional reverse DNS resolved for the connecting MTA;
- <b><i>12.34.56.78</i></b> is the IP of the connecting MTA; and <b><i>by this.scanning.system</i></b> is an optional
- reference to the calling application.</p>
-
- </font><dl>
- <dd><font face="sans-serif"><b>Bfr</b> = a pointer to the buffer that is to be scanned.</font></dd>
- <dd><font face="sans-serif"><b>Length</b> = the length of the message buffer in bytes.</font></dd>
- <dd><font face="sans-serif"><b>Name</b> = a message identifier as a null terminated string.</font></dd>
- <dd><font face="sans-serif"><b>Setup</b> = the time in milliseconds already spent setting up this message for scanning.</font></dd>
- <dd><font face="sans-serif"><b>returns</b> a handle to the scan result block upon success otherwise an error code:
- </font><dl>
- <dd><font face="sans-serif">snf_ERROR_NO_HANDLE - There was a problem allocating a scan result block.</font></dd>
- <dd><font face="sans-serif">snf_ERROR_SCAN_FAILED - There was a problem performing the scan.</font></dd>
- </dl>
- <p><font face="sans-serif">In general a result > 0 indicates a valid scan handle and a result <= 0 indicates an error.
- NOTE that the scan may have failed even if you get a valid handle. The scan result code you retrieve
- from get...() may indicate an error. <a href="#ResultCodes">See Result Codes</a> for details.</font></p>
- </dd>
- </dl><font face="sans-serif">
-
- <hr/>
- <a name="scanFile"><h3>int scanFile(char* FilePath, int Setup);</h3></a>
-
- <p>This function scans an SMTP message from a file. A scan result block is allocated for the scan
- and a handle representing the results is returned. The application can then use this handle to retrieve
- the scan results using the get...() functions. When the application is finished it MUST release the
- scan result block with a call to closeScan().</p>
-
- <p>The scanFile() function is nearly identical to the <a href="#scanBuffer">scanBuffer() function (see above)</a>
- except that this function accepts the path to a file (null terminated string) instead of a pointer to a message
- buffer.</p>
-
- <p>One other key difference with between scanBuffer() and scanFile() is that the SNF engine can be configured
- to inject it's X- headers when scanFile() is used. These same X- headers are available to the calling application
- when using scanBuffer(), however if the application wishes to pass the message file on to other additional
- scanners and external processes then scanFile() might be more convenient.</p>
-
- <p>NOTE: There are significant performance implications to scanning files and injecting headers. Each time
- headers are injected into a message the message file must be rewritten. For optimal performance it is best
- to collect headers from scanning tools before writing the message to disk so that the message only needs to
- be written once. Extra file IO is the cost of the convenience of passing a message file to external processes.</p>
-
- <p>The Setup time passed to scanFile() will be added to the time required to open and read the message file
- prior to scanning. This value will be passed on to the logging system. For example, the calling application
- might include the number of milliseconds required to perform any previous message testing and the time it
- has taken to create a temporary message file for scanning. The log will then reflect the complete setup time
- separately from the time required to perform the SNF message scan.</p>
-
- <p>The FilePath will be passed on to the logging system to identify this message scan in the logs.</p>
-
- </font><dl>
- <dd><font face="sans-serif"><b>FilePath</b> = The full path (a null terminated string) to the message file to be scanned.</font></dd>
- <dd><font face="sans-serif"><b>Setup</b> = The time in milliseconds spent so far preparing this message to be scanned.</font></dd>
- <dd><font face="sans-serif"><b>returns</b> a handle to the scan result block upon success otherwise an error code:
- </font><dl>
- <dd><font face="sans-serif">snf_ERROR_NO_HANDLE - There was a problem allocating a scan result block.</font></dd>
- <dd><font face="sans-serif">snf_ERROR_SCAN_FAILED - There was a problem performing the scan.</font></dd>
- </dl>
- <p><font face="sans-serif">In general a result > 0 indicates a valid scan handle and a result <= 0 indicates an error.
- NOTE that the scan may have failed even if you get a valid handle. The scan result code you retrieve
- from get...() may indicate an error. <a href="#ResultCodes">See Result Codes</a> for details.</font></p>
- </dd>
- </dl><font face="sans-serif">
-
- <hr/>
- <a name="getScanXHeaders"><h3>int getScanXHeaders(int ScanHandle, char** Bfr, int* Length);</h3></a>
-
- <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a> and a pointer
- to a buffer containing any X- headers that were produced for the scan associated with the ScanHandle.</p>
-
- <p>The function is passed a valid ScanHandle which identifies the scan result block to query; the address of
- a char* which will be changed to point to a buffer containing any X- headers that
- were produced; and the address of an integer which will be changed to the length of the
- X- headers buffer.</p>
-
- <p>If no X- headers were produced for the scan then the pointer Bfr will point to a safe empty string
- and Length will be set to zero. Put another way, Bfr and Length will be consistent with an empty null terminated
- string.</p>
-
- <p>The char* Bfr and the int Length will remain valid until closeScan() is called for this ScanHandle.</p>
-
- <p>In order for X- headers to be produced the engine must be configured properly. For details visit the
- <a href="http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xheaders/index.jsp">
- XHeader configuration documentation</a> on our web site.</p>
-
- <dl>
- <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
- <dd><b>Bfr</b> = a pointer to a char* where the char* will be changed to point to the XHeaders.</dd>
- <dd><b>Length</b> = a pointer to an int where the int will be changed to the length of the XHeaders.</dd>
- <dd><b>returns</b> the scan result code upon success otherwise an error code:
- <dl>
- <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
- <dd>snf_ERROR_EXCEPTION - There was a problem retrieving the data.</dd>
- <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
- </dl>
- </dd>
- </dl>
-
- <hr/>
- <a name="getScanXMLLog"><h3>int getScanXMLLog(int ScanHandle, char** Bfr, int* Length);</h3></a>
-
- <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a> and a pointer
- to a buffer containing any XML Log Data that was produced for the scan associated with the ScanHandle.</p>
-
- <p>The function is passed a valid ScanHandle which identifies the scan result block to query; the address of
- a char* which will be changed to point to a buffer containing any XML Log Data that
- was produced; and the address of an integer which will be changed to the length of the
- XML Log Data buffer.</p>
-
- <p>If no XML Log Data was produced for the scan then the pointer Bfr will point to a safe empty string
- and Length will be set to zero. Put another way, Bfr and Length will be consistent with an empty null terminated
- string.</p>
-
- <p>The char* Bfr and the int Length will remain valid until closeScan() is called for this ScanHandle.</p>
-
- <p>In order for XML Log Data to be produced the engine must be configured properly. For details visit the
- <a href="http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xml.jsp">
- XML Log configuration documentation</a> on our web site.</p>
-
- <dl>
- <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
- <dd><b>Bfr</b> = a pointer to a char* where the char* will be changed to point to the XML Log Data.</dd>
- <dd><b>Length</b> = a pointer to an int where the int will be changed to the length of the XML Log Data.</dd>
- <dd><b>returns</b> the scan result code upon success otherwise an error code:
- <dl>
- <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
- <dd>snf_ERROR_EXCEPTION - There was a problem retrieving the data.</dd>
- <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
- </dl>
- </dd>
- </dl>
-
- <hr/>
- <a name="getScanClassicLog"><h3>int getScanClassicLog(int ScanHandle, char** Bfr, int* Length);</h3></a>
-
- <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a> and a pointer
- to a buffer containing any Classic Log Data that was produced for the scan associated with the ScanHandle.</p>
-
- <p>The function is passed a valid ScanHandle which identifies the scan result block to query; the address of
- a char* which will be changed to point to a buffer containing any Classic Log Data that
- was produced; and the address of an integer which will be changed to the length of the
- Classic Log Data buffer.</p>
-
- <p>If no Classic Log Data was produced for the scan then the pointer Bfr will point to a safe empty string
- and Length will be set to zero. Put another way, Bfr and Length will be consistent with an empty null terminated
- string.</p>
-
- <p>The char* Bfr and the int Length will remain valid until closeScan() is called for this ScanHandle.</p>
-
- <p>In order for XML Log Data to be produced the engine must be configured properly. For details visit the
- <a href="http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/classic.jsp">
- Classic Log configuration documentation</a> on our web site.</p>
-
- <dl>
- <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
- <dd><b>Bfr</b> = a pointer to a char* where the char* will be changed to point to the Classic Log Data.</dd>
- <dd><b>Length</b> = a pointer to an int where the int will be changed to the length of the Classic Log Data.</dd>
- <dd><b>returns</b> the scan result code upon success otherwise an error code:
- <dl>
- <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
- <dd>snf_ERROR_EXCEPTION - There was a problem retrieving the data.</dd>
- <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
- </dl>
- </dd>
- </dl>
-
- <hr/>
- <a name="getScanResult"><h3>int getScanResult(int ScanHandle);</h3></a>
-
- <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a>
- for the scan associated with the ScanHandle.</p>
-
- <dl>
- <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
- <dd><b>returns</b> the scan result code upon success otherwise an error code:
- <dl>
- <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
- <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
- </dl>
- </dd>
- </dl>
-
- <hr/>
- <a name="closeScan"><h3>int closeScan(int ScanHandle);</h3></a>
-
- <p>This function closes a ScanHandle and releases the associated Scan Result Block to the pool. This
- function MUST be called once for each ScanHandle produced in a scan...() function. Once this function
- is called the ScanHandle is no longer valid and any pointers returned by previous
- calls to get...() functions should be discarded (forgotten, not freed!)</p>
-
- <dl>
- <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
- <dd><b>returns:</b>
- <dl>
- <dd>snf_SUCCESS - The ScanHandle was closed successfully.</dd>
- <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
- <dd>snf_ERROR_EXCEPTION - There was a problem closing the ScanHandle.</dd>
- </dl>
- </dd>
- </dl>
-
- <hr/>
- <a name="shutdownSNF"><h3>int shutdownSNF();</h3></a>
-
- <p>This function shuts down the SNFMulti engine. All previously allocated ScanHandles MUST be closed
- before this function is called. This should be the last function in the DLL that is called by your
- application (call no other SNFMultiDLL functions after this).</p>
-
- <dl>
- <dd><b>returns:</b>
- <dl>
- <dd>snf_SUCCESS - The shutdown was successful.</dd>
- <dd>snf_ERROR_EXCEPTION - An error occurred during shutdown.</dd>
- </dl>
- </dd>
- </dl>
-
- <hr/>
- <a name="ResultCodes"><h3>Result Codes</h3></a>
- <h4>Error Codes</h4>
- </font><dl>
- <dd><font face="sans-serif">snf_SUCCESS = 0</font></dd>
- <dd><font face="sans-serif">snf_ERROR_CMD_LINE = 65</font></dd>
- <dd><font face="sans-serif">snf_ERROR_LOG_FILE = 66</font></dd>
- <dd><font face="sans-serif">snf_ERROR_RULE_FILE = 67</font></dd>
- <dd><font face="sans-serif">snf_ERROR_RULE_DATA = 68</font></dd>
- <dd><font face="sans-serif">snf_ERROR_RULE_AUTH = 73</font></dd>
- <dd><font face="sans-serif">snf_ERROR_MSG_FILE = 69</font></dd>
- <dd><font face="sans-serif">snf_ERROR_ALLOCATION = 70</font></dd>
- <dd><font face="sans-serif">snf_ERROR_BAD_MATRIX = 71</font></dd>
- <dd><font face="sans-serif">snf_ERROR_MAX_EVALS = 72</font></dd>
- <dd><font face="sans-serif">snf_ERROR_UNKNOWN = 99</font></dd>
- <font face="sans-serif"><br/>
- <dd>snf_ERROR_NO_HANDLE = -1, Invalid scan handle used or created.</dd></font>
- <dd><font face="sans-serif">snf_ERROR_SCAN_FAILED = -2, An unexpected exception during a scan. </font></dd>
- <dd><font face="sans-serif">snf_ERROR_EXCEPTION = -3, An unexpected exception occurred.</font></dd>
- </dl><font face="sans-serif">
-
- <p>
- <a href="http://www.armresearch.com/support/articles/software/snfServer/errors.jsp">
- See our web site for more detailed descriptions of these error codes.</a></p>
-
- <h4>Scan Result Codes</h4>
- <p>Scan results codes 0 through 63 represent normal scan results. By convention a result of
- 0 indicates ham (not spam); a result of 1 indicates a white-ruled message; and other non-zero
- result values that are less than 64 indicate some kind of spam or malware was detected.
- <a href="http://www.armresearch.com/support/articles/software/snfServer/core.jsp">
- For more details on message scan result codes please see our web site.</a></p>
-
- <hr/>
- <div align="right"><font size="-3">Copyright (C) 2009 ARM Research Labs, LLC</font></div>
- </font>
- </body>
- </html>
|