[Esd-l] Procmail Sanitizer local rule for SoBig .ZIP worm
John D. Hardin
jhardin at impsec.org
Thu Jun 26 06:23:26 PDT 2003
On Thu, 26 Jun 2003, Pierre Etchemaite wrote:
> Some rules quarantine, others discard; some rules notify, that one
> doesn't...
> Is there a logic behind those differences, or only historical reasons?
>
> Just wondering...
Some of it does have a reason, some is sloppiness. :)
Where the identification is reliable, the default is to discard. Where
it's iffy (like with SoBig) you should quarantine.
The "NONOTIFY" was my failure to clean up a cut-and-paste from my
local rulesets: I'm discarding notifications on known attacks. I have
changed SoBig to NOTIFY in the sample ruleset file - thanks for
mentioning this.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad.
-- James Madison, 1799
-----------------------------------------------------------------------
495 days until the Presidential Election
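The two policies described in the reply, quarantine-and-notify for an iffy match versus silent discard for a reliable one, written out as plain procmailrc recipes. This is an added example, not the Sanitizer's local-rules syntax and not code from the post; QUARANTINE, NOTIFY_TO and the two PLACEHOLDER_* patterns are assumptions, to be replaced with the real signatures.

```procmail
# Added example, not the Sanitizer's own local-rules syntax: plain procmailrc
# recipes implementing the two policies described above.  QUARANTINE,
# NOTIFY_TO and the PLACEHOLDER_* patterns are assumptions; substitute the
# real worm signatures before use.
SENDMAIL=/usr/sbin/sendmail
MAILDIR=$HOME/Mail
QUARANTINE=$MAILDIR/quarantine
NOTIFY_TO=postmaster@example.invalid

# Iffy identification (SoBig-style: a .ZIP attachment plus a guessed subject).
# Nothing is thrown away: keep a copy, tell the postmaster, stop delivery.
:0
* B ?? ^Content-Type:.*application/(x-)?zip
* B ?? name=".*\.zip"
* ^Subject:.*(PLACEHOLDER_SOBIG_SUBJECT)
{
  # 'c' = carbon copy: save the whole message (locked) and keep processing
  :0 c:
  $QUARANTINE

  # 'h' = feed only the headers to the pipe; this recipe delivers, so the
  # original never reaches the inbox
  :0 h
  | ( echo "To: $NOTIFY_TO"; \
      echo "Subject: [QUARANTINED] possible SoBig .ZIP saved in $QUARANTINE"; \
      echo; \
      echo "Original headers:"; \
      cat ) | $SENDMAIL -oi "$NOTIFY_TO"
}

# Reliable identification (a known attack signature): discard, no notification.
:0
* ^Subject:.*(PLACEHOLDER_KNOWN_ATTACK_SUBJECT)
/dev/null
```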