Documentation Home

SNFClient Command Line: Update GBUdb Records

SNFClient.exe -set <IP4Address> ( good | bad | ugly | ignore ) <bad> <good>

This mode creates or updates the GBUdb record for the given IP.

GBUdb records consist of a flag that determines the mode of the record, a count of known bad encounters, and a count of known good encounters. If you wish to leave part of the GBUdb record with it's default (or current) value then use the dash ( - ) character in place of the corresponding command line parameter.

For example, to set the bad count to zero for a particular IP without changing any other parts of the GBUdb record you might do the following:

>SNFClient.exe -set 12.34.56.78 - 0 -
GBUdb Record for 12.34.56.78
  Type Flag: ugly
  Bad Count: 0
 Good Count: 0
Probability: 0
 Confidence: 0
      Range: new
       Code: 0

In the above example, the flag ( good | bad | ugly | ignore ) and good event count <good>command line parameters were left in their original state, but the bad count <bad> was changed to zero. The original state of the record can be seen above (see Perform IP Testing). By changing the bad count to zero the IP has moved out of the truncate range and now looks like a "new" record (both counts zero, default "ugly" flag).

There are 4 possible flags:

Good - The IP is administratively white-listed.

Bad - The IP is administratively black-listed.

Ignore - The IP is to be ignored (infrastructure, transparent).

Ugly - The IP is to be judged on it's behavior / statistics.

In this example, we will black-list the IP by setting it's flag to Bad:

>SNFClient.exe -set 12.34.56.78 bad - -
GBUdb Record for 12.34.56.78
  Type Flag: bad
  Bad Count: 0
 Good Count: 0
Probability: 0
 Confidence: 0
      Range: truncate
       Code: 20

Note that with the bad flag set the IP record will now return the truncate result code when tested without regard for the good and bad event counts.

In this example, we set the record for this IP back to it's original state. The important parts are that the flag was ugly, the bad count was 9, and the good count was 0:

>SNFClient.exe -set 12.34.56.78 ugly 9 0
GBUdb Record for 12.34.56.78
  Type Flag: ugly
  Bad Count: 9
 Good Count: 0
Probability: 1
 Confidence: 0.226425
      Range: truncate
       Code: 20

Note that the Probability and Confidence figures are now calculated to the same values as before and that the Range and associated result code are also correct (compare with the -test example for this IP above).

In this next example, we will change the good event counter so that the IP is no longer found in the truncate range:

>SNFClient.exe -set 12.34.56.78 - - 1
GBUdb Record for 12.34.56.78
  Type Flag: ugly
  Bad Count: 9
 Good Count: 1
Probability: 0.8
 Confidence: 0.237282
      Range: black
       Code: 63

Note that we only changed the good count. The other parts of the GBUdb record were left unchanged.

Note that with only 10 total encounters, only 1 out of 10 needs to be good in order to keep the IP out of the default truncate range. The IP doesn't get off the black-list completely however. Now with 9 out of 10 encounters counted as bad the IP is in the black range.

Related Topics

Copyright © 2007 - 2020 ARM Research Labs, LLC