Paul Houlbrooke wrote:
> What is the difference between ValidHelo and InvalidHelo in the log
> below? They appear to be contradicting themselves to me, both raise the
> PB score.

"ValidHelo" is a combination of a couple of functions, but is mainly the internal:validFormatHeloRe, which is a negative check - if there is a positive match against the regex, then it passes the check.

"InvalidHelo" (internal: invalidFormatHeloRe) is a positive check - if there is a positive match against the regex, then it fails the check.

It may sound redundant, but a properly configured ValidHelo and InvalidHelo can catch things that either could not do alone without false-positive issues.

ValidHelo also checks for local host information as well as for a positive match against internal:myServerRe - if there is a positive match against the list (not a regex), then it fails the check.

I hope I got that right. It's confusing at first, so take it slow and maybe even draw it out. I'm the one that requested that these two functions be used together in ASSP, and I have a hard time explaining it sometimes. But the logic is there, and can be extremely powerful/useful at catching bogus connections from exploited residential systems.

Use the defaults. Don't tweak until you have a strong understanding of what you are affecting.

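The two checks described in the reply above, sketched as an added example (not ASSP code and not part of the original post). The patterns, the server list and the sample HELO strings are constructed stand-ins for validFormatHeloRe, invalidFormatHeloRe and myServerRe, not ASSP's defaults.

```python
import re

# Constructed stand-ins for illustration only; not ASSP's shipped values.
VALID_FORMAT_HELO_RE = re.compile(      # plays the role of validFormatHeloRe
    r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
INVALID_FORMAT_HELO_RE = re.compile(    # plays the role of invalidFormatHeloRe
    r"(?:\d{1,3}[.-]){3}\d{1,3}|dsl|dhcp|dynamic", re.I)
MY_SERVERS = {"mail.example.org", "example.org"}  # myServerRe role: a list
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def helo_checks(helo):
    """Return the names of the checks that this HELO string fails."""
    name = helo.strip().lower().rstrip(".")
    failed = []
    # ValidHelo: the format regex is a negative check, so a match PASSES.
    # Local host information or one of our own server names fails it anyway.
    if (not VALID_FORMAT_HELO_RE.search(name)
            or name in LOCAL_NAMES or name in MY_SERVERS):
        failed.append("ValidHelo")
    # InvalidHelo: a positive check, so a match FAILS.
    if INVALID_FORMAT_HELO_RE.search(name):
        failed.append("InvalidHelo")
    return failed


# Constructed HELO strings covering each outcome.
SAMPLES = [
    "mx1.mailhost.example.net",           # well formed, nothing suspicious
    "WORKSTATION7",                       # bare name, not a hostname format
    "host-203-0-113-45.dsl.isp.example",  # well formed, but embeds an IP
    "mail.example.org",                   # remote side claims to be us
    "203.0.113.45",                       # bare IP fails both checks
]

if __name__ == "__main__":
    for helo in SAMPLES:
        print(f"{helo:36} failed: {helo_checks(helo) or 'none'}")
```

The third and fourth samples show why the pair is used together: each is caught by only one of the two checks.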