Re: clever .exe match?
From: Dean Gibson (Mail Administrator) (postfix2 ultimeth.com)
Date: Wed Oct 01 2003 - 11:45:18 CDT
Ralf Hildebrandt wrote on 2003-09-30 23:47:
>* Peter H. Coffin <hellsop ninehells.com>:
> > Does the significance change if the order is reversed?
>
>These regexp and pcre checks are searched / matched in a linear fashion.
>So the answer is yes.

To clarify, yes the order of checks in a body_check file is in general
significant. However, in this particular case, the order does not matter,
unless:

1. The virus-writer included two executables in the eMail, one encoded
   BASE64, and one uuencoded.

2. The sysadmin implementing the subject rule cares (eg, different error
   message, or does statistical analysis of the log files) which test is
   applied first.

3. Or, there are other rules in the body_checks file which do something
   other than REJECT.

-- Dean
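
Added example (not part of the original message, and not Postfix code): a simplified Python model of first-match body_checks evaluation, illustrating the third case in the list above. The patterns, the sample body and the helper names are constructed assumptions, and only the REJECT and WARN actions are modelled.

```python
import re

def parse_rules(text):
    """Parse '/pattern/ ACTION text' lines; file order is preserved."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r"\s*/(.*)/\s+(\S+)\s*(.*)$", line)
        # Postfix regexp/pcre tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.I), m.group(2), m.group(3)))
    return rules

def check_body(rules, body):
    """Test each body line against the rules top-down; only the first rule
    that matches a line is applied to it. Returns (verdict, log)."""
    log = []
    for n, line in enumerate(body.splitlines(), 1):
        for pattern, action, text in rules:
            if pattern.search(line):
                log.append((n, action, text))
                if action == "REJECT":
                    return "REJECT", log   # whole message is refused
                break                      # WARN: logged, go to next line
    return "ACCEPT", log

# Constructed patterns (assumptions, not the rules from this thread).
B64 = r"/^TVqQAAMAAAAEAAAA/ REJECT base64 executable"
UU = r"/^begin [0-7]{3,4} .*\.exe$/ REJECT uuencoded executable"
WARN = r"/^TVqQ/ WARN possible executable"

# Constructed message body carrying one attachment of each encoding.
BODY = """See attached.

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA

begin 644 setup.exe
M35J0 (constructed data line)
end"""

def verdict(*rule_lines):
    """Evaluate BODY against the given rules, in the order given."""
    return check_body(parse_rules("\n".join(rule_lines)), BODY)

if __name__ == "__main__":
    print(verdict(B64, UU))    # two REJECT rules ...
    print(verdict(UU, B64))    # ... same verdict in either order
    print(verdict(B64, WARN))  # REJECT is reached first on body line 3
    print(verdict(WARN, B64))  # WARN shadows the REJECT on body line 3
```

With the overlapping WARN rule listed first, the REJECT rule beneath it never sees body line 3, so the sample body is only logged rather than refused.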