Valhalla Legends Archive

General => General Discussion => Topic started by: iago on July 17, 2005, 01:22 PM

Title: Snort + Battle.net
Post by: iago on July 17, 2005, 01:22 PM
Snort (http://www.snort.org) is an attack detection program for Linux and Windows.  It is designed for detecting network attacks and reporting them.  It is nice to use, and I enjoy the comfort of having it running so that, if something happens, I have a record of how it went down.

Anyway, since it's all signature based, I figured I'd write some signatures for Battle.net.  That way, if one of my bots fails or something, when I check my logs I'll see that it's failed and get it going again.  I submitted the rules to Bleeding Snort (http://www.bleedingsnort.org) and they're going to add them to their rule set.

Here are the rules I wrote:
http://www.javaop.com/~iago/battle.net.rules

And here is a screenshot I took while testing it:
http://www.javaop.com/~iago/snort-battle.net.png

If anybody else has any suggestions for rules I should write, let me know.

I was thinking of making a rule for if you get banned from the channel.  But all I could think of was trigger on: "joining: the void".  But that could happen if you were kicked or just joined for fun, so it would get some false positives.  Any other ideas?

Title: Re: Snort + Battle.net
Post by: Arta on July 17, 2005, 01:24 PM
Sure, use the message in the EID_INFO you get to let you know you're banned.
Title: Re: Snort + Battle.net
Post by: iago on July 17, 2005, 01:30 PM
Oh wow, why didn't I think of that?  "You have been banned by" in an EID_INFO packet :)
Title: Re: Snort + Battle.net
Post by: iago on July 17, 2005, 01:41 PM
Hmm, actually, that still doesn't solve it:

[13:39:26.827] iagotest2 was banned by iagotest1.
[13:39:26.851] iagotest1 kicked you out of the channel!
[13:39:27.019] Joining channel: The Void
[13:39:27.046] This channel does not have chat privileges.

That'll still pick up on both kicks or bans.  And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/
Title: Re: Snort + Battle.net
Post by: hismajesty on July 17, 2005, 05:11 PM
Quote: [13:39:26.827] iagotest2 was banned by iagotest1.

"[name] was banned by"
Title: Re: Snort + Battle.net
Post by: Kp on July 17, 2005, 05:18 PM
Quote from: hismajesty[yL] on July 17, 2005, 05:11 PM
"[name] was banned by"
Quote from: iago on July 17, 2005, 01:41 PM
And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/

From iago's comment, there's no way to make the rule match specifically for his bot's current login name, and I doubt it'd be desirable to see a log record of every ban event which occurs.
Title: Re: Snort + Battle.net
Post by: iago on July 18, 2005, 04:24 PM
Quote from: Kp on July 17, 2005, 05:18 PM
Quote from: hismajesty[yL] on July 17, 2005, 05:11 PM
"[name] was banned by"
Quote from: iago on July 17, 2005, 01:41 PM
And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/

From iago's comment, there's no way to make the rule match specifically for his bot's current login name, and I doubt it'd be desirable to see a log record of every ban event which occurs.

Thanks

This has no serious session management, so if I had 3 bots logged on, even if I could read their name from SID_ENTERCHAT, it still wouldn't be able to tell them apart.
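
The per-connection correlation the thread says a single signature cannot do, sketched as an added example (not code from the thread or from the posted rule file). It assumes reassembled server-to-client streams keyed by flow; the packet ids and field layout are assumptions taken from public protocol notes, and all function names and sample addresses are hypothetical.

```python
import re
import struct

# Packet ids and field layout: assumptions from public protocol notes, not this thread.
SID_ENTERCHAT, SID_CHATEVENT, EID_INFO = 0x0A, 0x0F, 0x12
BAN_RE = re.compile(r"^(\S+) was banned by (\S+)")

def cstrings(buf, count):
    """Take `count` NUL-terminated strings off the front of buf, padding if short."""
    parts = buf.split(b"\x00", count) + [b""] * count
    return [p.decode("latin-1") for p in parts[:count]]

def packets(stream):
    """Yield (packet_id, body) for each 0xFF-framed packet in one TCP stream."""
    pos = 0
    while pos + 4 <= len(stream):
        magic, pid, length = struct.unpack_from("<BBH", stream, pos)
        if magic != 0xFF or length < 4 or pos + length > len(stream):
            return  # desynchronised or truncated: stop rather than guess
        yield pid, stream[pos + 4:pos + length]
        pos += length

def own_bans(flows):
    """Return (flow, banned_by) only where the banned name is that flow's login."""
    alerts = []
    for flow, stream in flows.items():
        me = None  # per-flow state that a single content match cannot keep
        for pid, body in packets(stream):
            if pid == SID_ENTERCHAT:
                me = cstrings(body, 1)[0].lower()
            elif pid == SID_CHATEVENT and len(body) >= 24:
                eid = struct.unpack_from("<I", body)[0]
                m = BAN_RE.match(cstrings(body[24:], 2)[1])
                if eid == EID_INFO and m and m.group(1).lower() == me:
                    alerts.append((flow, m.group(2).rstrip(".")))
    return alerts

# Builders and data below are a constructed sample, not captured traffic.
def pkt(pid, body):
    return struct.pack("<BBH", 0xFF, pid, len(body) + 4) + body
def info(text):
    head = struct.pack("<6I", EID_INFO, 0, 0, 0, 0, 0)
    return pkt(SID_CHATEVENT, head + b"\x00" + text + b"\x00")

BAN = info(b"iagotest2 was banned by iagotest1.")
SAMPLE = {  # two bots on separate flows both see the same channel message
    "10.0.0.5:40001": pkt(SID_ENTERCHAT, b"iagotest2\x00\x00iagotest2\x00") + BAN,
    "10.0.0.5:40002": pkt(SID_ENTERCHAT, b"iagotest3\x00\x00iagotest3\x00") + BAN,
}
```

Both flows carry the identical ban text, but only the flow whose enter-chat name matches the banned name produces an alert.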