
Snort + Battle.net

Started by iago, July 17, 2005, 01:22 PM


iago

Snort is an attack detection program for Linux and Windows.  It is designed for detecting network attacks and reporting them.  It is nice to use, and I enjoy the comfort of having it running so that, if something happens, I have a record of how it went down.

Anyway, since it's all signature based, I figured I'd write some signatures for Battle.net.  That way, if one of my bots fails or something, when I check my logs I'll see that it's failed and get it going again.  I submitted the rules to Bleeding Snort and they're going to add them to their rule set.

Here are the rules I wrote:
http://www.javaop.com/~iago/battle.net.rules

And here is a screenshot I took while testing it:
http://www.javaop.com/~iago/snort-battle.net.png

If anybody else has any suggestions for rules I should write, let me know.

I was thinking of making a rule for if you get banned from the channel.  But all I could think of was trigger on: "joining: the void".  But that could happen if you were kicked or just joined for fun, so it would get some false positives.  Any other ideas?

This'll make an interesting test for broken AV:
Quote:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Arta

Sure, use the message in the EID_INFO you get to let you know you're banned.

iago

Oh wow, why didn't I think of that?  "You have been banned by" in an EID_INFO packet :)


iago

Hmm, actually, that still doesn't solve it:

[13:39:26.827] iagotest2 was banned by iagotest1.
[13:39:26.851] iagotest1 kicked you out of the channel!
[13:39:27.019] Joining channel: The Void
[13:39:27.046] This channel does not have chat privileges.

That'll still pick up on both kicks or bans.  And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/


hismajesty

Quote:
[13:39:26.827] iagotest2 was banned by iagotest1.

"[name] was banned by"

Kp

Quote from: hismajesty[yL] on July 17, 2005, 05:11 PM
"[name] was banned by"
Quote from: iago on July 17, 2005, 01:41 PM
And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/

From iago's comment, there's no way to make the rule match specifically for his bot's current login name, and I doubt it'd be desirable to see a log record of every ban event which occurs.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

iago

Quote from: Kp on July 17, 2005, 05:18 PM
Quote from: hismajesty[yL] on July 17, 2005, 05:11 PM
"[name] was banned by"
Quote from: iago on July 17, 2005, 01:41 PM
And there's no way of matching it to the logged-in username, so I guess I'm stuck making a rule for "kicked/banned from channel" :/

From iago's comment, there's no way to make the rule match specifically for his bot's current login name, and I doubt it'd be desirable to see a log record of every ban event which occurs.

Thanks

This has no serious session management, so if I had 3 bots logged on, even if I could read their name from SID_ENTERCHAT, it still wouldn't be able to tell them apart. 
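As an added example (not iago's rule set or anything posted in the thread), here is the correlation a stateful log watcher can do that a single content-match rule cannot: a "was banned by" line followed within a short window by "kicked you out of the channel!" is treated as a ban of this client, a lone "kicked you out" as a plain kick, and "Joining channel: The Void" on its own as no evidence at all. The log is constructed from the lines iago posted plus a few extra ones; the 500 ms window and the field names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the lines posted in this thread.
SAMPLE_LOG = """\
[13:39:26.827] iagotest2 was banned by iagotest1.
[13:39:26.851] iagotest1 kicked you out of the channel!
[13:39:27.019] Joining channel: The Void
[13:39:27.046] This channel does not have chat privileges.
[13:40:10.100] iagotest3 was banned by iagotest1.
[13:41:02.500] Joining channel: The Void
[13:42:15.000] iagotest1 kicked you out of the channel!
[13:42:15.200] Joining channel: The Void
"""

BAN_RE = re.compile(r"^\[(\S+)\] (\S+) was banned by (\S+)\.$")
KICK_RE = re.compile(r"^\[(\S+)\] (\S+) kicked you out of the channel!$")


def to_ms(stamp: str) -> int:
    """Convert an HH:MM:SS.mmm timestamp into milliseconds since midnight."""
    h, m, s = stamp.split(":")
    return (int(h) * 3600 + int(m) * 60) * 1000 + int(round(float(s) * 1000))


def classify_events(log: str, window_ms: int = 500) -> List[Dict[str, str]]:
    """Emit one event per removal of *this* client from the channel.

    "kicked you out" is always addressed to us.  If a "was banned by" line
    arrived within window_ms just before it, the removal was a ban and the
    banned name is our best guess at the login we were using (the log itself
    never says who we are, which is the limitation discussed in the thread;
    with several bots sharing one log this guess can be wrong).
    """
    events: List[Dict[str, str]] = []
    last_ban: Optional[Tuple[int, str, str]] = None  # (ms, banned, banner)
    for line in log.splitlines():
        m = BAN_RE.match(line)
        if m:
            last_ban = (to_ms(m.group(1)), m.group(2), m.group(3))
            continue
        m = KICK_RE.match(line)
        if m:
            ts = to_ms(m.group(1))
            if last_ban and 0 <= ts - last_ban[0] <= window_ms:
                events.append({"kind": "ban", "by": m.group(2), "as": last_ban[1]})
            else:
                events.append({"kind": "kick", "by": m.group(2), "as": ""})
            last_ban = None  # a ban line is only paired with the next kick
    return events
```

Run on the sample it reports one ban (as iagotest2) and one plain kick; the "iagotest3 was banned" line and the two lone Void joins produce nothing.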