SNFServer_readme.txt 7.8KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200
  1. SNF_Server V3.0 installation brief
  2. Copyright (c) 2010 ARM Research Laboratories
  3. This is a generalized guide. For specific platform guides see:
  4. http://www.armresearch.com/support/articles/installation/index.jsp
  5. Create a directory for SNF_Server. ( c:\SNF or /var/spool/snfilter )
  6. Copy all of the files to that directory.
  7. Make a copy of the SNFServer<version>.exe file and give it the name
  8. SNFServer.exe. Later on if newer versions are provided you will
  9. be able to keep track of them by name and swap newer versions into
  10. place by copying them over your SNFServer.exe file. If you decide
  11. you have to go back to a previous version then you will be able to
  12. do that easily by deleting your SNFServer.exe file and copying the
  13. version you wish to use into place.
  14. Modify the identity.xml file to match your SNF license ID and your
  15. authentication string.
  16. Download your .snf file and place that in the SNF_Server working
  17. directory.
  18. RULEBASE UPDATES (NEW!): The latest version of the SNFServer engine
  19. includes a mechanism that will run an a script when the rulebase file
  20. on our server is newer than the active file in SNF. By default this
  21. feature is configured to run the included getRulebase script. If
  22. the script is not successful it will be launched again every 3 minutes
  23. until the rulebase file is successfully updated.
  24. Be sure to modify the top of the getRulebase script to include
  25. your correct license ID, authentication string, and working directory.
  26. Be sure to verify that the <update-script/> section of your snf_engine
  27. file is correct (points to the correct location of getRulebase).
  28. getRulebase uses wget and gzip (included for your convenience in
  29. the Win* distribution. See About-Wget-and-Gzip.txt.). These are open
  30. source utilities for downloading files from web servers and unzipping
  31. those files -- in this case, SNF rulebase files.
  32. If you have any gateways or other internal systems that will relay
  33. mail to SNF then include their IPs in GBUdbIgnoreList.txt. The GBUdb
  34. component of SNF uses the IPs in this list to determine the actual
  35. source IP for a message by reviewing the Received headers. Each
  36. Received header is evaluated in turn. If the source (connect) IP is
  37. found in the Ignore list then that Received IP is considered to be
  38. part of your infrastructure and is ignored. The first Received IP
  39. found that is NOT in the Ignore list is selected as the source IP.
  40. The GBUdbIgnoreList is a "safety net" that ensures the listed IPs are
  41. present in your GBUdb with their Ignore flag set. It is loaded every
  42. time the configuration is changed, SNFServer is started, or a new
  43. rulebase is loaded. This way if your GBUdb database is lost then your
  44. critical infrastructure will be re-listed in the new .gbx file that
  45. is created.
  46. The ignore list allows only SINGLE IP ENTRIES. This can be a problem
  47. in some cases - such as when you want to ignore large blocks of network
  48. addresses.
  49. SNF can learn to Ignore large blocks of IPs using the <drilldown/>
  50. feature. For example if you want to ignore all of 12.34.56.0/24 then
  51. you can make an entry in the <drilldown/> training section like this:
  52. <training on-off='on'>
  53. ...
  54. <drilldown>
  55. <received ordinal='0' find='[12.34.56.'/>
  56. </drilldown>
  57. ...
  58. </training>
  59. GBUdb learns the behavior of source IPs so it is important that GBUdb
  60. knows any friendly sources that might send spammy messages to your
  61. server or else it will learn that those sources are not to be trusted.
  62. Since not all friendly spam sources can be identified by IP ahead of
  63. time, there are features in the <training/> section of snf_engine.xml
  64. that allow you to adjust the training scenarios to compensate. The
  65. most likely of these is that you may wish to bypass training for
  66. messages that are to your support addresses or spam submission
  67. addresses. For example:
  68. <training on-off='on'>
  69. ...
  70. <bypass>
  71. <header name='To:' find='support@example.com'/>
  72. <header name='To:' find='spam@example.com'/>
  73. </bypass>
  74. ...
  75. </training>
  76. Evaluate the snf_engine.xml file carefully. In most cases the
  77. default settings are appropriate, however you may want to alter
  78. some of the settings to match your system policies or particular
  79. installation.
  80. IMPORTANT: Be sure that any file paths / directories referenced in
  81. the configuration file exist on your system and that SNF has full
  82. access rights to these - especially the SNF working directory.
  83. ** If you selected a working directory for SNF other than c:\SNF\
  84. then be sure you have changed these paths in the top of your
  85. snf_engine.xml file. Pay close attentiont to these 5 elements:
  86. <node identity='c:/SNF/identity.xml'>
  87. <log path='c:/SNF/'/>
  88. <rulebase path='c:/SNF/'/>
  89. <workspace path='c:/SNF/'/>
  90. <update-script ... call='c:/SNF/getRulebase.cmd' ... />
  91. Once you are happy with your configuration and you have all of your
  92. files and directories in place (including your .snf file) then you
  93. can start SNF_Server.
  94. The command line (from inside the SNF workspace) is:
  95. SNFServer.exe snf_engine.xml
  96. That is: SNFServer <configuration>
  97. If you want to lauch SNFServer from some other location it would be
  98. best to use the entire path for both the SNFServer engine and the
  99. configuration file:
  100. c:\SNF\SNFServer.exe c:\SNF\snf_engine.xml
  101. You should begin by testing SNFServer by running it in a command line
  102. window where you can watch it's output.
  103. Once you are happy with it then you will probably want to run it as
  104. a service using a utility such as the srvany utility from the win2k
  105. toolkit, or detached as a daemon on *nix systems (snfctrl file example
  106. included).
  107. This section of our site might be helpful:
  108. http://www.armresearch.com/support/articles/installation/serviceSetup/index.jsp
  109. SNFServer is the server side of a client/server system. In order to
  110. scan messages you will need to use the client utility (SNFClient.exe
  111. or SNFIMailShim.exe) to scan messages.
  112. SNFClient.exe is a drop-in replacement for the production (2-3.x)
  113. SNF program when it is called from Declude or mxGuard or other similar
  114. software. There is no need to "brand" the SNFClient.exe
  115. program and it is not necessary to include the authentication string
  116. on the command line -- however, if you do it will be accepted and
  117. ignored without an error.
  118. SNFServer MUST be running for SNFClient to work. If SNFClient cannot
  119. reach SNFServer then it will wait for quite a while as it attempts to
  120. make contact.
  121. Here are a few ways to call SNFClient.exe:
  122. SNFClient.exe -shutdown
  123. Sends the Shutdown command to the SNF_Server.
  124. SNFClient.exe authenticationxx filetoscan
  125. Compatibility mode - ignores authenticationxx and scans filetoscan.
  126. SNFClient.exe filetoscan
  127. Normal scan mode - scans filetoscan.
  128. SNFClient.exe -xhdr filetoscan
  129. XHDR scan mode - scans filetoscan and returns X Headers.
  130. See the SNFClient_Readme.txt file for details.
  131. The SNF Client/Server pair communicate using short XML messages via a local
  132. TCP connection (typically to port 9001). Examples of SNF_XCI messages are
  133. included in snf_xci.xml (not a well formed xml file! - just some examples).
  134. It is possible to communicate directly with the SNF_Server engine via TCP
  135. from your software using the SNF_XCI (SNF XML Command Interface) protocol. The
  136. server expects to see one connection per request. The client sends an SNF_XCI
  137. request to the server. The server responds with an appropriate SNF_XCI
  138. formatted response and terminates the connection.
  139. Requests and responses are expected to terminate with a newline character.
  140. You can see the XCI protocol at work by running the SNFClient in debug mode
  141. (SNFdebugClient).
  142. If you run into trouble check out our web site: www.armresearch.com and/or
  143. contact us by email: support@armresearch.com
  144. ____________________
  145. For More Information
  146. See www.armresearch.com
  147. Copyright (C) 2007-2008 Arm Research Labs, LLC.