[Bro-Dev] SMTP Entities MD5 Hash Defaults

Vlad Grigorescu vladg at cmu.edu
Fri Jul 20 08:16:42 PDT 2012


Hi all,

Currently, SMTP entities will calculate MD5 hashes for the following
filetypes by default: application/x-dosexec, application/x-executable. I
was a little surprised that common e-mail attack vectors like zip and PDF
files don't have this hash calculated by default. I propose extending the
default to also include application/zip and application/pdf. I think this
is good default functionality that won't cause a noticeable performance
hit.

Thoughts? Any other filetypes that would be useful to add there, while
we're at it?

  --Vlad



