Latest commit: Pete McNeil b5a1a55827 "SNFMulti fixed windows.h before winsock2.h warning" (4 years ago)

| Name | Last updated |
|---|---|
| CodeDweller @ ee37106bc3 (submodule) | 4 years ago |
| SNFMulti @ 45c0711da8 (submodule) | 4 years ago |
| SNFServer | 4 years ago |
| bin | 4 years ago |
| .gitignore | 4 years ago |
| .gitmodules | 4 years ago |
| install-newer-g++.sop | 4 years ago |
| makefile | 4 years ago |
| readme.md | 4 years ago |
| upgrade-c++-libs.sop | 4 years ago |
SNFServer is a basic Message Sniffer "service" that provides scanning via the XCI protocol. The most common way to use it is with SNFClient, but you can also build your own software to call the XCI endpoint directly. Generally, the client makes a TCP connection, tells SNFServer where the message file is, and gets back a scan result, all in simple XML.
The growing use of above-band rule groups like "Experimental Bulk/Noisy", and of additional groups for machine-learning feature extraction, has changed the paradigm for heuristic competition in the SNF world. Previously it was important to optimize scanning performance for low-powered hardware, and heuristic competition could add pressure to select for more efficient rules. The new paradigm instead requires that every available pattern will match (at least once), and hardware constraints are no longer a serious concern. For example, on modern equipment SNF is easily able to operate at scanning rates 3 orders of magnitude higher than most deployments require.
This isn't to say that heuristic efficiency optimization will be going away; rather, the mechanisms for optimizing that efficiency can be moved more toward the back-end, so that the front-end scanners can concentrate on making all available matches available for analysis and for even more sophisticated learning algorithms.
Saccades was fun, and effective, but its time has passed.
Additional note: using RESTsnf as a test jig, throughput measured 8064 messages/minute. However, this was only a single data point, so it only gives a ballpark figure, and most systems operate at least 2 orders of magnitude below this message rate.
Using the same test jig, throughput measured 7960/minute with saccades off. The torture test was then allowed to run so that newer data would be in play, and after 5 minutes throughput measured 7806/minute. Here are a few more numbers:
2113 7279.7 2114 6084.89
The conclusion is that the performance penalty for disabling saccades is not significant.