[Snort-sigs] FormMail scanners

Chris Green cmg at ...26...
Tue Jan 22 17:15:14 EST 2002


Erik Fichtner <emf at ...4...> writes:

> Hey.  
>
> Here are some signatures that peg currently in-use versions of the formmail
> scanner applications that our pink meat byproduct foes like to use these
> days.    Great to have around if you have local hosts with a spam-proofed
> version of formmail that sees legitimate traffic, and especially if you're 
> using Hogwash.  

I've seen so many different versions of this that I wouldn't trust
this to block too much.  Doing the recipient= block would probably be
better

The more sigs we have to run through on a port, the more processing it
takes to process a single packet.  Port 80 already has a bit to do
right now.  Variants are nice to catch in post processing but not in
"active detect" on busy networks.

Its good work to have them, just not be enabled by default
-- 
Chris Green <cmg at ...26...>
You now have 14 minutes to reach minimum safe distance.




More information about the Snort-sigs mailing list