GBUdb
Is it possible to tell Sniffer to NOT allow the possibility of "truncating" on a message-by-message basis?
You can create a header directive to cause GBUdb training to ignore a message with a specific header (or specifically, if it finds a specific string in a specific header).
It is not possible to turn off truncate on a message-by-message basis. It is possible to turn off truncate for all messages, but not for individual messages.
If you turn off truncate then you will see the following results by default in a conventional command-line implementation:
- For messages that match pattern rules you will see the pattern rule result.
- If a message fails to match a pattern rule but would have been truncated then it will be treated as black and you will get result code 40.
- If a message fails to match a pattern rule but the IP falls in the black range then you will get the black result code 40.
- If the message fails to match a pattern rule and the IP falls in the caution range then you will get a bad IP result code 63. This is the same result code you get from SNF when an IP pattern rule has matched. IP pattern rules are deprecated and will be phased out over time - GBUdb replaces them.
If you call SNF directly via XCI, or use the command line utility with the -xhdr option and capture the output, then you can also configure SNF to provide detailed information about the scan, including the GBUdb data and all available pattern matches. You could also mine this data from the log files if you wish.
Note that you can set the x-header option to "api" and it will be available to the XCI and command line interfaces without being injected into the message.
