Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604
  1. <!-- Copyright 2009, ARM Research Labs, LLC -->
  2. <html>
  3. <body>
  4. <font face="sans-serif">
  5. <h1>Message Sniffer SDK for Win* V3.4</h1>
  6. <h2>Contents</h2>
  7. </font><h3><ol>
  8. <p><font face="sans-serif">Introduction</font></p>
  9. <li><font face="sans-serif"><a href="#Begin">Before you begin!</a></font></li>
  10. <li><font face="sans-serif"><a href="#Contents">Contents of the SDK</a></font></li>
  11. <li><font face="sans-serif"><a href="#RunningSamples">Running the Sample Programs</a></font></li>
  12. <li><font face="sans-serif"><a href="#Description">SNFMulti DLL Description</a></font></li>
  13. <li><font face="sans-serif"><a href="ChangeLog.txt">Change Log</a></font></li>
  14. <p><font face="sans-serif">Setup notes and important instructions</font></p>
  15. <li><font face="sans-serif"><a href="SNFServer_readme.txt">SNFServer Setup Readme</a></font></li>
  16. <li><font face="sans-serif"><a href="SNFClient_readme.txt">SNFClient Setup Readme</a></font></li>
  17. <p><font face="sans-serif">Code Samples</font></p>
  18. <li><font face="sans-serif"><a href="include/snfmultidll.h">C Header File (snfmultidll.h></a></font></li>
  19. <li><font face="sans-serif"><a href="32bitDll/snfmulti.def">Module Definition File (libsnfmulti.def)</a></font></li>
  20. <li><font face="sans-serif"><a href="CPPSample/main.cpp">C++ Sample Code</a></font></li>
  21. <li><font face="sans-serif"><a href="VS2019VBSample/main.vb">VB.Net Sample Code</a></font></li>
  22. <p><font face="sans-serif">API Reference - Functions listed in the order they should be used</font></p>
  23. <li><font face="sans-serif"><a href="#startupSNF">startupSNF()</a> - Initializes the SNF engine and loads the rule base</font></li>
  24. <li><font face="sans-serif"><a href="#startupSNFAuthenticated">startupSNFAuthenticated()</a> - Initializes SNF with license info</font></li>
  25. <li><font face="sans-serif"><a href="#setThrottle">setThrottle()</a> - Sets a concurrent thread limit (if desired)</font></li>
  26. <li><font face="sans-serif"><a href="#testIP">testIP()</a> - Returns the GBUdb reputation range for an IP</font></li>
  27. <li><font face="sans-serif"><a href="#getIPReputation">getIPReputation()</a> - Returns IP Reputation Figure for an IP</font></li>
  28. <li><font face="sans-serif"><a href="#scanBuffer">scanBuffer()</a> - Scans a message buffer</font></li>
  29. <li><font face="sans-serif"><a href="#scanFile">scanFile()</a> - Scans a message file</font></li>
  30. <li><font face="sans-serif"><a href="#getScanXHeaders">getScanXHeaders()</a> - Returns the scan result and XHeaders</font></li>
  31. <li><font face="sans-serif"><a href="#getScanXMLLog">getScanXMLLog()</a> - Returns the scan result and XML Log data</font></li>
  32. <li><font face="sans-serif"><a href="#getScanClassicLog">getScanClassicLog()</a> - Returns the scan result and Classic Log Data</font></li>
  33. <li><font face="sans-serif"><a href="#getScanResult">getScanResult()</a> - Returns the scan result (nothing else)</font></li>
  34. <li><font face="sans-serif"><a href="#closeScan">closeScan()</a> - Closes the scan and releases resources</font></li>
  35. <li><font face="sans-serif"><a href="#shutdownSNF">shutdownSNF()</a> - Shuts down the SNF engine</font></li>
  36. <p><font face="sans-serif">Miscellaneous</font></p>
  37. <li><font face="sans-serif"><a href="#ResultCodes">Result Codes</a> - Error and Scan Result Mnemonics</font></li>
  38. </ol></h3><font face="sans-serif">
  39. <hr/>
  40. <a name="Begin"><h3>Before you begin!</h3></a>
  41. <p>This SDK contains a complete Message Sniffer engine. You MUST be familiar with that engine
  42. before you can effectively use this SDK. If you do not already have an OEM license or trial
  43. SNF rule base license then please <a href="http://www.armresearch.com/">visit our web site first
  44. and get one!</a> The engine won't run without it.</p>
  45. <p>We highly recommend that you have some experience with our SNFServer and SNFClient applications
  46. before you begin writing your own or begin integrating the SNF engine into your own software.</p>
  47. <p>We're not saying it's hard to do -- quite the opposite actually, BUT SNF is a sophisticated
  48. piece of software with a lot of capabilities and options. You will have much better results
  49. if you are familiar with these before you begin ;-)</p>
  50. <hr/>
  51. <a name="Contents"><h3>Contents of the SDK</h3></a>
  52. <p>This SDK contains the following:
  53. <ol>
  54. <li><font face="sans-serif">Documentation files, including
  55. this file.</font></li>
  56. <li><font face="sans-serif">DLLs (both 32 bit and 64 bit
  57. versions) and the required header files (in
  58. directory <b>include</b>).</font></li>
  59. <li><font face="sans-serif">Sample programs in C++ (in
  60. directory <b>CPPSample</b>), C# (<b>VS2019CSSample</b>), and Visual
  61. Basic (<b>VS2019VBSample</b>).</font></li>
  62. <li><font face="sans-serif">VS 2019 Solution files to build
  63. the sample program in C++ (in
  64. directory <b>VS2019CPPSample</b>), in C#
  65. (<b>VS2019CSSample</b>), and Visual Basic
  66. (<b>VS2019VBSample</b>).<br>
  67. The <b>VS2019CPPSample\README</b> contains instructions for
  68. creating the SNFMulti import libraries for use with VS 2019.
  69. </font></li>
  70. <li><font face="sans-serif">Other applications
  71. (<b>curl</b>, <b>SNFClient</b>, and <b>getRulebase</b>) and
  72. configuration files needed to support SNF
  73. operation.</font></li>
  74. </ol>
  75. There are also directions for building VS 2019 import and export
  76. libraries in <b>VS2019CPPSample\README</b>.
  77. </p>
  78. <hr/>
  79. <a name="SuggestedInstallation"><h3>Suggested Installation</h3></a>
  80. <p>
  81. To make the SDK available to other users, copy the the contents
  82. of <b>SNFMultiSDK_Windows</b> to <b>C:\SNF</b>.
  83. </p>
  84. <hr/>
  85. <a name="RunningSamples"><h3>Running the Sample Programs</h3></a>
  86. <p>
  87. Before running the sample programs, copy the following files
  88. to <b>C:\SNF</b> (if the contents of <b>SNFMultiSDK_Windows</b>
  89. haven't been copied to <b>C:\SNF</b>):
  90. <ol>
  91. <li><font face="sans-serif">
  92. <b>snf_engine.xml</b>
  93. </font></li>
  94. <li><font face="sans-serif">
  95. <b>identity.xml</b>
  96. </font></li>
  97. <li><font face="sans-serif">
  98. <b>testmode.snf</b>
  99. </font></li>
  100. </ol>
  101. To run the sample programs, follow the instructions in the README file
  102. in the sample program directory:
  103. <ol>
  104. <li><font face="sans-serif"><a href="VS2019CPPSample/README">VS2019CPPSample/README</a></font></li>
  105. <li><font face="sans-serif"><a href="VS2019CSSample/README">VS2019CSSample/README</a></font></li>
  106. <li><font face="sans-serif"><a href="VS2019VBSample/README">VS2019VBSample/README</a></font></li>
  107. </ol>
  108. </p>
  109. <hr/>
  110. <a name="Description"><h3>SNFMulti DLL Description</h3></a>
  111. <p>The SNF SDK for Win* is based on a DLL. The DLLs for both the 32 bit
  112. and 64 bit versions are included here.
  113. </p>
  114. <p>The DLL contains the entire SNFServer engine and provides a simple API for starting the
  115. engine, scanning messages, and retrieving the results. Since the entire SNFServer engine is
  116. included you also have the option of using the SNFClient utility once your application has
  117. started the SNF engine. You can also make calls to the engine using the XCI protocol (which
  118. is how SNFClient does it's work)</p>
  119. <p>Of course the best way to use the DLL is to perform scans directly through the API. The
  120. best performance can be achieved by scanning a message in memory via the scanBuffer() function
  121. since this can be done at the full speed of the processor without waiting for IO operations.</p>
  122. <p>The DLL is fully thread-safe so you can perform as many concurrent scans as you wish. Also,
  123. just in case it will make things easier for you, the DLL provides a throttling function which
  124. can limit the number of concurrent scans. (It won't unless you ask it to.)</p>
  125. <p>The general form of an application using the DLL will first start the engine, then
  126. optionally set the throttle, then perform scans (perform a scan, get results, close the scan, repeat),
  127. and finally it will shutdown the engine.</p>
  128. <p>Since the DLL contains the entire SNFServer engine, it can (and must) be configured in
  129. exactly the same way as SNFServer. <a href="http://www.armresearch.com/support/articles/software/snfServer/config/index.jsp">
  130. Documentation for configuring SNFServer can be found on our web site.</a></p>
  131. <p>New in snfmulti.dll V3.0!</p>
  132. <p>OEM developers can now protect their licenseID and Authentication string by providing it directly to the SNF engine at run-time. When combined with an internal mechanism for downloading rule base files this makes it practical to control SNF license information entirely within the OEM's application. <a href="#startupSNFAuthenticated">See startupSNFAuthenticated() for details.</a></p>
  133. <hr/>
  134. <a name="startupSNF"><h3>int startupSNF(char* path);</h3></a>
  135. <p>This function initializes the SNF scanning engine using the configuration file provided.
  136. The configuration file identifies all of the operational parameters for the SNF engine including
  137. the location of the working directories and rule base file, SNF license information, and
  138. much more. <a href="http://www.armresearch.com/support/articles/software/snfServer/config/index.jsp">
  139. See our web site for details on configuring the SNF engine.</a></p>
  140. <dl>
  141. <dd><b>path</b> = The full path to the snf_engine.xml file as a null terminated string.</dd>
  142. <dd><b>returns</b> snf_SUCCESS when successful, otherwise see <a href="#ResultCodes">Error Codes</a>.</dd>
  143. </dl>
  144. <hr/>
  145. <a name="startupSNFAuthenticated"><h3>int startupSNFAuthenticated(char* path, char* lic, char* auth);</h3></a>
  146. <p>This function initializes the SNF scanning engine using the configuration file and authentication
  147. information provided. When SNF is started with this function the identity.xml file can be omitted and
  148. the identity= attribute of the &lt;node/&gt; element in snf_engine.xml can be omitted. This allows OEM
  149. developers to protect their authentication string by retrieving it from an encrypted source at run-time
  150. and providing it directly to the SNF engine.</p>
  151. <p>In all other ways the SNF engine is configured in the same as when using <a href="#startupSNF">startupSNF() (see above)</a></p>
  152. <p>Note that if you intend to use this mechanism to protect your SNF license information you will also need to
  153. address the mechanism you use to download and verify rule base files. Either build a mechanism to download and
  154. authenticate your rule base file without exposing your authentication string or you might modify the existing
  155. getRulebase script to remove the snf2check operation and the associated authentication string. The SNF engine will
  156. check all rule base files before they are loaded for scanning and will refuse to load a rule base file that does
  157. not authenticate properly.</p>
  158. <dl>
  159. <dd><b>path</b> = The full path to the snf_engine.xml file as a null terminated string.</dd>
  160. <dd><b>lic</b> = The 8 character license id as a null terminated string.</dd>
  161. <dd><b>auth</b> = The 16 character authentication string as a null terminated string.</dd>
  162. <dd><b>returns</b> snf_SUCCESS when successful, otherwise see <a href="#ResultCodes">Error Codes</a>.</dd>
  163. </dl>
  164. <hr/>
  165. <a name="setThrottle"><h3>int setThrottle(int Threads);</h3></a>
  166. <p>This function establishes a limit on the number of concurrent scans that can run. Any additional
  167. threads will block until at least one of the active scans is completed.</p>
  168. <p>The default value for the throttle setting is zero. When the throttle is set to zero then no limits
  169. are placed on the number of concurrent scans. In this mode the application must limit the number of
  170. concurrent scans.</p>
  171. <dl>
  172. <dd><b>Threads</b> = The number of concurrent scans allowed.</dd>
  173. <dd><b>returns</b> the number of Threads if successful otherwise snf_ERROR_EXCEPTION.</dd>
  174. </dl>
  175. <hr/>
  176. <a name="testIP"><h3>int testIP(unsigned long int IPToCheck);</h3></a>
  177. <p>This function tests an IP against the GBUdb. This function returns very quickly and can be called
  178. as often as required without any follow-up actions as long as the SNF Engine is active (between startupSNF()
  179. and shutdownSNF()). This function is thread-safe and does not interfere with other scanning functions.</p>
  180. <p>GBUdb gathers it's statistics based on the message scans that are performed. Information about those
  181. scans is also shared with other SNF nodes approximately once every minute. No external queries are
  182. performed to gather GBUdb data. As a result GBUdb can only provide an IP reputation for IPs that sourced
  183. messages scanned by this SNF node.</p>
  184. <p>Put another way - GBUdb does not work like a conventional real-time black list. Message scans must
  185. be performed in order for GBUdb to provide IP reputation information.</p>
  186. <p>For more information on how GBUdb works visit the
  187. <a href="http://www.armresearch.com/support/articles/technology/GBUdb/index.jsp">
  188. GBUdb Technology section of our web site.</a></p>
  189. <dl>
  190. <dd><b>IPToCheck</b> = The IP to test.</dd>
  191. <dd><b>returns</b> an integer representing the GBUdb Range associated with the IP if successful
  192. otherwise snf_ERROR_EXCEPTION.</dd>
  193. </dl>
  194. <h4>GBUdb Range MNemonics from enum snfIPRange</h4>
  195. <dl>
  196. <dd>Unknown, snf_IP_Unknown = 0</dd>
  197. <dd>White, snf_IP_White = 1</dd>
  198. <dd>Normal, snf_IP_Normal = 2</dd>
  199. <dd>New, snf_IP_New = 3</dd>
  200. <dd>Caution, snf_IP_Caution = 4</dd>
  201. <dd>Black, snf_IP_Black = 5</dd>
  202. <dd>Truncate, snf_IP_Truncate = 6</dd>
  203. </dl>
  204. <hr/>
  205. <a name="getIPReputation"><h3>double getIPReputation(unsigned long int IPToCheck);</h3></a>
  206. <p>This function returns a number representing the overall reputation of the IP based on local GBUdb statistics.
  207. This number (Reputation Figure) can be easily manipulated to provide additional weight values in systems that combine
  208. multiple tests using a weight based scoring system. The Reputation Figure is calculated by combining the Probability figure and the Confidence figure using the formula:</p>
  209. <pre>R = sign(P) * sqrt(abs(P * C))</pre>
  210. <p>This function returns very quickly and can be called as often as required without any follow-up actions as long
  211. as the SNF Engine is active (between startupSNF...() and shutdownSNF()). This function is thread-safe and does not interfere with other scanning functions.</p>
  212. <dl>
  213. <dd><b>IPToCheck</b> = The IP to test.</dd>
  214. <dd><b>returns</b> a number between -1.0 and +1.0 representing the combined probability that the IP will produce spam.</dd>
  215. </dl>
  216. <h4>Converting IP Reputation Figures To Weights</h4>
  217. <p>There are a number of ways to convert a Reputation figure to a weight value. The simplest is to simply multiply
  218. the Reputation figure by the maximum weight you wish to give to this test.</p>
  219. <pre>SimpleWeight = R * MaxReputationWeight</pre>
  220. <p>Since many legitimate ISPs also produce a lot of spam it might be useful to apply a bias to this weight so that
  221. these systems appear closer to zero. For example if you applied a maximum weight of 10 and found that many ISPs
  222. regularly scored 5 or more then you might add a Bias of -5 to bring those systems toward zero.</p>
  223. <pre>BiasedWeight = (R * MaxReputationWeight) + Bias</pre>
  224. <p>A more sophisticated system might allow for different weights on the positive and negative going Reputation
  225. figures so that the amount of negative or positive weight that can be applied can be adjusted independently. Such
  226. a system might also wish to apply a bias directly to the reputation figure before doing that calculation so that
  227. the zero point can be adjusted to compensate for averages.</p>
  228. <p>In a system like this if legitimate ISPs tended to get a Reputation Figure of 0.5 then the bias might be -0.5
  229. so that this would become the zero point. Then the positive and negative weight factors could be adjusted so that
  230. the desired maximum and minimum weights can be achieved... Note that in this scenario the positive and negative
  231. weight settings are not maximum values.
  232. <pre>SplitWeight = (0 > (R + Bias)) ? ((R + Bias) * NegativeWeightFactor) : ((R + Bias) * PositiveWeightFactor)
  233. MaximumNegativeWeight is given by (-1.0 + Bias) * NegativeWeightFactor
  234. MaximumPositiveWeight is given by (+1.0 + Bias) * PositiveWeightFactor
  235. When R + Bias == 0.0, the weight will be 0.</pre>
  236. <p>The most sophisticated system might provide a graphic interface that maps the reputation figure directly
  237. to a desired weight. This would allow the user to shape the effect of the Reputation figure any way they wish in
  238. order to gain very tight control over their systems accuracy.</p>
  239. <hr/>
  240. <a name="scanBuffer"><h3>int scanBuffer(unsigned char* Bfr, int Length, char* Name, int Setup);</h3></a>
  241. <p>This function scans an SMTP message from a buffer. A scan result block is allocated for the scan
  242. and a handle representing the scan result block is returned. The application can then use this handle to retrieve
  243. the scan results using the get...() functions. When the application is finished it MUST release the
  244. scan result block with a call to closeScan().</p>
  245. <p>The message buffer is expected to contain the raw SMTP data for the message with the local Received:
  246. header at the top. The message should not be broken into MIME segments before it is scanned by SNFMulti.
  247. This is important because Message Sniffer examines the entire message as well as how the message was
  248. assembled by the originating system. Any additional processing is both unnecessary and may remove subtle
  249. defects and artifacts that will help Message Sniffer classify the message.</p>
  250. <p>If the message is particularly large it is acceptable to scan only the first 32K bytes of the message.
  251. This means that if the calling application wants to scan a large incoming message before it has received
  252. all of the DATA during the SMTP connection then it can scan the first 32K of the message and potentially
  253. reject the remainder based on the scan result.</p>
  254. <p>When the application is finished with the results from this scan it must release the scan result block
  255. with a call to closeScan(). Scan result blocks are allocated as needed and then recycled in order to improve
  256. performance. If the application fails to close the scan result blocks then the DLL will continue to
  257. allocate additional blocks until there is no more RAM.</p>
  258. <p>The entire scan is performed before this function returns. After that the scanning thread is no longer
  259. considered to be active. The resulting scan result buffer may be accessed as often as needed to gather
  260. results data from this scan without impacting any other scan operations.</p>
  261. <p>Any number of scan...() operations may be active concurrently up to the limits of the platform.</p>
  262. <p>The scanBuffer() function accepts two additional parameters that are passed on to the logging system
  263. to aid in debugging.</p>
  264. <p>The Name parameter is a null terminated string containing an identifier for the
  265. message being scanned. This can be any name that can be used later to identify this particular message
  266. in the log files such as a serial number, unique hash, or the message-id. For example, when the
  267. scanFile() function is called this parameter is filled in with the path to the file that was scanned.</p>
  268. <p>The Setup parameter is an integer representing the number of milliseconds spent so far setting up
  269. the message to be scanned. This can be any useful metric - but generally it should represent how much
  270. time the system has spent working on preparing and evaluating the message so far. For example, when the
  271. scanFile() function is called this value is automatically established with the amount of time spent
  272. opening and reading the message file.</p>
  273. <p><b>IMPORTANT:</b> SNF expects to identify the source IP for the message by searching Received: headers
  274. in the message. The application must ensure that the local Received: header is present as the first
  275. Received: header in the message in order for this search to be accurate. If necessary the calling application can
  276. simulate the local received header using the following minimal form:</p>
  277. <p><pre>Received: from connecting.mta.example.com [12.34.56.78] by this.scanning.system</pre></p>
  278. <p>where <b><i>connecting.mta.example.com</i></b> is the optional reverse DNS resolved for the connecting MTA;
  279. <b><i>12.34.56.78</i></b> is the IP of the connecting MTA; and <b><i>by this.scanning.system</i></b> is an optional
  280. reference to the calling application.</p>
  281. </font><dl>
  282. <dd><font face="sans-serif"><b>Bfr</b> = a pointer to the buffer that is to be scanned.</font></dd>
  283. <dd><font face="sans-serif"><b>Length</b> = the length of the message buffer in bytes.</font></dd>
  284. <dd><font face="sans-serif"><b>Name</b> = a message identifier as a null terminated string.</font></dd>
  285. <dd><font face="sans-serif"><b>Setup</b> = the time in milliseconds already spent setting up this message for scanning.</font></dd>
  286. <dd><font face="sans-serif"><b>returns</b> a handle to the scan result block upon success otherwise an error code:
  287. </font><dl>
  288. <dd><font face="sans-serif">snf_ERROR_NO_HANDLE - There was a problem allocating a scan result block.</font></dd>
  289. <dd><font face="sans-serif">snf_ERROR_SCAN_FAILED - There was a problem performing the scan.</font></dd>
  290. </dl>
  291. <p><font face="sans-serif">In general a result > 0 indicates a valid scan handle and a result <= 0 indicates an error.
  292. NOTE that the scan may have failed even if you get a valid handle. The scan result code you retrieve
  293. from get...() may indicate an error. <a href="#ResultCodes">See Result Codes</a> for details.</font></p>
  294. </dd>
  295. </dl><font face="sans-serif">
  296. <hr/>
  297. <a name="scanFile"><h3>int scanFile(char* FilePath, int Setup);</h3></a>
  298. <p>This function scans an SMTP message from a file. A scan result block is allocated for the scan
  299. and a handle representing the results is returned. The application can then use this handle to retrieve
  300. the scan results using the get...() functions. When the application is finished it MUST release the
  301. scan result block with a call to closeScan().</p>
  302. <p>The scanFile() function is nearly identical to the <a href="#scanBuffer">scanBuffer() function (see above)</a>
  303. except that this function accepts the path to a file (null terminated string) instead of a pointer to a message
  304. buffer.</p>
  305. <p>One other key difference with between scanBuffer() and scanFile() is that the SNF engine can be configured
  306. to inject it's X- headers when scanFile() is used. These same X- headers are available to the calling application
  307. when using scanBuffer(), however if the application wishes to pass the message file on to other additional
  308. scanners and external processes then scanFile() might be more convenient.</p>
  309. <p>NOTE: There are significant performance implications to scanning files and injecting headers. Each time
  310. headers are injected into a message the message file must be rewritten. For optimal performance it is best
  311. to collect headers from scanning tools before writing the message to disk so that the message only needs to
  312. be written once. Extra file IO is the cost of the convenience of passing a message file to external processes.</p>
  313. <p>The Setup time passed to scanFile() will be added to the time required to open and read the message file
  314. prior to scanning. This value will be passed on to the logging system. For example, the calling application
  315. might include the number of milliseconds required to perform any previous message testing and the time it
  316. has taken to create a temporary message file for scanning. The log will then reflect the complete setup time
  317. separately from the time required to perform the SNF message scan.</p>
  318. <p>The FilePath will be passed on to the logging system to identify this message scan in the logs.</p>
  319. </font><dl>
  320. <dd><font face="sans-serif"><b>FilePath</b> = The full path (a null terminated string) to the message file to be scanned.</font></dd>
  321. <dd><font face="sans-serif"><b>Setup</b> = The time in milliseconds spent so far preparing this message to be scanned.</font></dd>
  322. <dd><font face="sans-serif"><b>returns</b> a handle to the scan result block upon success otherwise an error code:
  323. </font><dl>
  324. <dd><font face="sans-serif">snf_ERROR_NO_HANDLE - There was a problem allocating a scan result block.</font></dd>
  325. <dd><font face="sans-serif">snf_ERROR_SCAN_FAILED - There was a problem performing the scan.</font></dd>
  326. </dl>
  327. <p><font face="sans-serif">In general a result > 0 indicates a valid scan handle and a result <= 0 indicates an error.
  328. NOTE that the scan may have failed even if you get a valid handle. The scan result code you retrieve
  329. from get...() may indicate an error. <a href="#ResultCodes">See Result Codes</a> for details.</font></p>
  330. </dd>
  331. </dl><font face="sans-serif">
  332. <hr/>
  333. <a name="getScanXHeaders"><h3>int getScanXHeaders(int ScanHandle, char** Bfr, int* Length);</h3></a>
  334. <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a> and a pointer
  335. to a buffer containing any X- headers that were produced for the scan associated with the ScanHandle.</p>
  336. <p>The function is passed a valid ScanHandle which identifies the scan result block to query; the address of
  337. a char* which will be changed to point to a buffer containing any X- headers that
  338. were produced; and the address of an integer which will be changed to the length of the
  339. X- headers buffer.</p>
  340. <p>If no X- headers were produced for the scan then the pointer Bfr will point to a safe empty string
  341. and Length will be set to zero. Put another way, Bfr and Length will be consistent with an empty null terminated
  342. string.</p>
  343. <p>The char* Bfr and the int Length will remain valid until closeScan() is called for this ScanHandle.</p>
  344. <p>In order for X- headers to be produced the engine must be configured properly. For details visit the
  345. <a href="http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xheaders/index.jsp">
  346. XHeader configuration documentation</a> on our web site.</p>
  347. <dl>
  348. <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
  349. <dd><b>Bfr</b> = a pointer to a char* where the char* will be changed to point to the XHeaders.</dd>
  350. <dd><b>Length</b> = a pointer to an int where the int will be changed to the length of the XHeaders.</dd>
  351. <dd><b>returns</b> the scan result code upon success otherwise an error code:
  352. <dl>
  353. <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
  354. <dd>snf_ERROR_EXCEPTION - There was a problem retrieving the data.</dd>
  355. <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
  356. </dl>
  357. </dd>
  358. </dl>
  359. <hr/>
  360. <a name="getScanXMLLog"><h3>int getScanXMLLog(int ScanHandle, char** Bfr, int* Length);</h3></a>
  361. <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a> and a pointer
  362. to a buffer containing any XML Log Data that was produced for the scan associated with the ScanHandle.</p>
  363. <p>The function is passed a valid ScanHandle which identifies the scan result block to query; the address of
  364. a char* which will be changed to point to a buffer containing any XML Log Data that
  365. was produced; and the address of an integer which will be changed to the length of the
  366. XML Log Data buffer.</p>
  367. <p>If no XML Log Data was produced for the scan then the pointer Bfr will point to a safe empty string
  368. and Length will be set to zero. Put another way, Bfr and Length will be consistent with an empty null terminated
  369. string.</p>
  370. <p>The char* Bfr and the int Length will remain valid until closeScan() is called for this ScanHandle.</p>
  371. <p>In order for XML Log Data to be produced the engine must be configured properly. For details visit the
  372. <a href="http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/xml.jsp">
  373. XML Log configuration documentation</a> on our web site.</p>
  374. <dl>
  375. <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
  376. <dd><b>Bfr</b> = a pointer to a char* where the char* will be changed to point to the XML Log Data.</dd>
  377. <dd><b>Length</b> = a pointer to an int where the int will be changed to the length of the XML Log Data.</dd>
  378. <dd><b>returns</b> the scan result code upon success otherwise an error code:
  379. <dl>
  380. <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
  381. <dd>snf_ERROR_EXCEPTION - There was a problem retrieving the data.</dd>
  382. <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
  383. </dl>
  384. </dd>
  385. </dl>
  386. <hr/>
  387. <a name="getScanClassicLog"><h3>int getScanClassicLog(int ScanHandle, char** Bfr, int* Length);</h3></a>
  388. <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a> and a pointer
  389. to a buffer containing any Classic Log Data that was produced for the scan associated with the ScanHandle.</p>
  390. <p>The function is passed a valid ScanHandle which identifies the scan result block to query; the address of
  391. a char* which will be changed to point to a buffer containing any Classic Log Data that
  392. was produced; and the address of an integer which will be changed to the length of the
  393. Classic Log Data buffer.</p>
  394. <p>If no Classic Log Data was produced for the scan then the pointer Bfr will point to a safe empty string
  395. and Length will be set to zero. Put another way, Bfr and Length will be consistent with an empty null terminated
  396. string.</p>
  397. <p>The char* Bfr and the int Length will remain valid until closeScan() is called for this ScanHandle.</p>
  398. <p>In order for XML Log Data to be produced the engine must be configured properly. For details visit the
  399. <a href="http://www.armresearch.com/support/articles/software/snfServer/config/node/logs/scan/classic.jsp">
  400. Classic Log configuration documentation</a> on our web site.</p>
  401. <dl>
  402. <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
  403. <dd><b>Bfr</b> = a pointer to a char* where the char* will be changed to point to the Classic Log Data.</dd>
  404. <dd><b>Length</b> = a pointer to an int where the int will be changed to the length of the Classic Log Data.</dd>
  405. <dd><b>returns</b> the scan result code upon success otherwise an error code:
  406. <dl>
  407. <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
  408. <dd>snf_ERROR_EXCEPTION - There was a problem retrieving the data.</dd>
  409. <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
  410. </dl>
  411. </dd>
  412. </dl>
  413. <hr/>
  414. <a name="getScanResult"><h3>int getScanResult(int ScanHandle);</h3></a>
  415. <p>This function returns the scan result code <a href="#ResultCodes">(see Result Codes)</a>
  416. for the scan associated with the ScanHandle.</p>
  417. <dl>
  418. <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
  419. <dd><b>returns</b> the scan result code upon success otherwise an error code:
  420. <dl>
  421. <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
  422. <dd><a href="#ResultCodes">See Result Codes</a> for other possible return values.</dd>
  423. </dl>
  424. </dd>
  425. </dl>
  426. <hr/>
  427. <a name="closeScan"><h3>int closeScan(int ScanHandle);</h3></a>
  428. <p>This function closes a ScanHandle and releases the associated Scan Result Block to the pool. This
  429. function MUST be called once for each ScanHandle produced in a scan...() function. Once this function
  430. is called the ScanHandle is no longer valid and any pointers returned by previous
  431. calls to get...() functions should be discarded (forgotten, not freed!)</p>
  432. <dl>
  433. <dd><b>ScanHandle</b> = a valid scan handle from scanBuffer() or scanFile().</dd>
  434. <dd><b>returns:</b>
  435. <dl>
  436. <dd>snf_SUCCESS - The ScanHandle was closed successfully.</dd>
  437. <dd>snf_ERROR_NO_HANDLE - The ScanHandle is not valid.</dd>
  438. <dd>snf_ERROR_EXCEPTION - There was a problem closing the ScanHandle.</dd>
  439. </dl>
  440. </dd>
  441. </dl>
  442. <hr/>
  443. <a name="shutdownSNF"><h3>int shutdownSNF();</h3></a>
  444. <p>This function shuts down the SNFMulti engine. All previously allocated ScanHandles MUST be closed
  445. before this function is called. This should be the last function in the DLL that is called by your
  446. application (call no other SNFMultiDLL functions after this).</p>
  447. <dl>
  448. <dd><b>returns:</b>
  449. <dl>
  450. <dd>snf_SUCCESS - The shutdown was successful.</dd>
  451. <dd>snf_ERROR_EXCEPTION - An error occurred during shutdown.</dd>
  452. </dl>
  453. </dd>
  454. </dl>
  455. <hr/>
  456. <a name="ResultCodes"><h3>Result Codes</h3></a>
  457. <h4>Error Codes</h4>
  458. </font><dl>
  459. <dd><font face="sans-serif">snf_SUCCESS = 0</font></dd>
  460. <dd><font face="sans-serif">snf_ERROR_CMD_LINE = 65</font></dd>
  461. <dd><font face="sans-serif">snf_ERROR_LOG_FILE = 66</font></dd>
  462. <dd><font face="sans-serif">snf_ERROR_RULE_FILE = 67</font></dd>
  463. <dd><font face="sans-serif">snf_ERROR_RULE_DATA = 68</font></dd>
  464. <dd><font face="sans-serif">snf_ERROR_RULE_AUTH = 73</font></dd>
  465. <dd><font face="sans-serif">snf_ERROR_MSG_FILE = 69</font></dd>
  466. <dd><font face="sans-serif">snf_ERROR_ALLOCATION = 70</font></dd>
  467. <dd><font face="sans-serif">snf_ERROR_BAD_MATRIX = 71</font></dd>
  468. <dd><font face="sans-serif">snf_ERROR_MAX_EVALS = 72</font></dd>
  469. <dd><font face="sans-serif">snf_ERROR_UNKNOWN = 99</font></dd>
  470. <font face="sans-serif"><br/>
  471. <dd>snf_ERROR_NO_HANDLE = -1, Invalid scan handle used or created.</dd></font>
  472. <dd><font face="sans-serif">snf_ERROR_SCAN_FAILED = -2, An unexpected exception during a scan. </font></dd>
  473. <dd><font face="sans-serif">snf_ERROR_EXCEPTION = -3, An unexpected exception occurred.</font></dd>
  474. </dl><font face="sans-serif">
  475. <p>
  476. <a href="http://www.armresearch.com/support/articles/software/snfServer/errors.jsp">
  477. See our web site for more detailed descriptions of these error codes.</a></p>
  478. <h4>Scan Result Codes</h4>
  479. <p>Scan results codes 0 through 63 represent normal scan results. By convention a result of
  480. 0 indicates ham (not spam); a result of 1 indicates a white-ruled message; and other non-zero
  481. result values that are less than 64 indicate some kind of spam or malware was detected.
  482. <a href="http://www.armresearch.com/support/articles/software/snfServer/core.jsp">
  483. For more details on message scan result codes please see our web site.</a></p>
  484. <hr/>
  485. <div align="right"><font size="-3">Copyright (C) 2009 ARM Research Labs, LLC</font></div>
  486. </font>
  487. </body>
  488. </html>