Valhalla Legends Forums Archive | General Discussion | Snort + Battle.net

Author | Message | Time
iago
Snort is an attack detection program for Linux and Windows.  It is designed for detecting network attacks and reporting them.  It is nice to use, and I enjoy the comfort of having it running so that, if something happens, I have a record of how it went down.

Anyway, since it's all signature based, I figured I'd write some signatures for Battle.net.  That way, if one of my bots fails or something, when I check my logs I'll see that it's failed and get it going again.  I submitted the rules to Bleeding Snort and they're going to add them to their rule set.

Here are the rules I wrote:
http://www.javaop.com/~iago/battle.net.rules

And here is a screenshot I took while testing it:
http://www.javaop.com/~iago/snort-battle.net.png

If anybody else has any suggestions for rules I should write, let me know.

I was thinking of making a rule for if you get banned from the channel.  But all I could think of was trigger on: "joining: the void".  But that could happen if you were kicked or just joined for fun, so it would get some false positives.  Any other ideas?

July 17, 2005, 6:22 PM
Arta
Sure, use the message in the EID_INFO you get to let you know you're banned.
July 17, 2005, 6:24 PM
iago
Oh wow, why didn't I think of that?  "You have been banned by" in an EID_INFO packet :)
July 17, 2005, 6:30 PM
iago
Hmm, actually, that still doesn't solve it:

[13:39:26.827] iagotest2 was banned by iagotest1.
[13:39:26.851] iagotest1 kicked you out of the channel!
[13:39:27.019] Joining channel: The Void
[13:39:27.046] This channel does not have chat privileges.

That'll still pick up on both kicks or bans.  And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/
July 17, 2005, 6:41 PM
hismajesty
[quote][13:39:26.827] iagotest2 was banned by iagotest1.[/quote]

"[name] was banned by"
July 17, 2005, 10:11 PM
Kp
[quote author=hismajesty[yL] link=topic=12259.msg121101#msg121101 date=1121638260]"[name] was banned by"[/quote]
[quote author=iago link=topic=12259.msg121076#msg121076 date=1121625674]And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/[/quote]

From iago's comment, there's no way to make the rule match specifically for his bot's current login name, and I doubt it'd be desirable to see a log record of every ban event which occurs.
July 17, 2005, 10:18 PM
iago
[quote author=Kp link=topic=12259.msg121102#msg121102 date=1121638730]
[quote author=hismajesty[yL] link=topic=12259.msg121101#msg121101 date=1121638260]"[name] was banned by"[/quote]
[quote author=iago link=topic=12259.msg121076#msg121076 date=1121625674]And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/[/quote]

From iago's comment, there's no way to make the rule match specifically for his bot's current login name, and I doubt it'd be desirable to see a log record of every ban event which occurs.
[/quote]

Thanks

This has no serious session management, so if I had 3 bots logged on, even if I could read their name from SID_ENTERCHAT, it still wouldn't be able to tell them apart. 
July 18, 2005, 9:24 PM
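
Added example, not part of the original thread and not iago's rules: a small Python sketch of the per-connection correlation the last posts say a plain signature match cannot do, comparing a stateless "was banned by" match with one that remembers the name seen in SID_ENTERCHAT on each flow. It works on already-decoded events; the flow ids, the event tuples, `iagotest3` and `someuser` are constructed, and the ban notice format is assumed to be the one in the log quoted above.

```python
import re

# Assumption: the ban notice text has the form shown in the thread's log.
BAN_RE = re.compile(r"^(\S+) was banned by (\S+)\.$")

def stateless_alerts(events):
    """What a plain content match gives: one alert per ban notice seen."""
    return [(flow, text) for flow, kind, text in events
            if kind == "EID_INFO" and BAN_RE.match(text)]

def stateful_alerts(events):
    """Track the login name per flow; alert only when that name is banned."""
    name_by_flow = {}
    alerts = []
    for flow, kind, text in events:
        if kind == "SID_ENTERCHAT":
            # Lower-cased so the later comparison ignores case (assumption).
            name_by_flow[flow] = text.lower()
        elif kind == "EID_INFO":
            m = BAN_RE.match(text)
            # A flow with no recorded name (capture started mid-session)
            # never alerts, because .get() returns None.
            if m and name_by_flow.get(flow) == m.group(1).lower():
                alerts.append((flow, m.group(1), m.group(2)))
    return alerts

# Constructed sample: (flow id, event kind, decoded text). The flow id stands
# in for the TCP 4-tuple of one bot's connection; three bots are logged on.
SAMPLE = [
    ("flow-a", "SID_ENTERCHAT", "iagotest1"),
    ("flow-b", "SID_ENTERCHAT", "iagotest2"),
    ("flow-c", "SID_ENTERCHAT", "iagotest3"),
    ("flow-c", "EID_INFO", "someuser was banned by iagotest3."),
    ("flow-a", "EID_INFO", "iagotest2 was banned by iagotest1."),
    ("flow-b", "EID_INFO", "iagotest2 was banned by iagotest1."),
    ("flow-b", "EID_INFO", "This channel does not have chat privileges."),
]

if __name__ == "__main__":
    print(len(stateless_alerts(SAMPLE)), "stateless alerts")
    for alert in stateful_alerts(SAMPLE):
        print("own bot banned:", alert)
```

The stateless match fires on every ban notice any of the three connections sees, while the stateful pass reports only the flow whose own login name was the one banned.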
