Patternized Botnet Flood Detector


Patternized Botnet Flood Detector

Post  Admin on Thu Sep 01, 2011 3:21 pm

Code:

/*
* -------------- ------ --- - - --- -------- --- - --
*  Project Focus
*  Patternized Botnet Flood Killer
*
*  by Tim Gunter / IcyLiquid
icyliquid@gmail.com
*  version 0.2
* -------------- ------ --- - - --- -------- --- - --
*/

; -------------- ------ --- - - --- -------- --- - --
; Menus
; -------------- ------ --- - - --- -------- --- - --

; Adds a "Focus > Pattern Botnet Detection" submenu to the menubar, status,
; channel, query and nicklist popups. The first entry is labelled Disable or
; Enable depending on $pbn.act and runs pbn.tog; Configure runs pbn.config.
menu menubar,status,channel,query,nicklist {
  Focus
  .Pattern Botnet Detection
  .. $+ $iif($pbn.act,Disable,Enable) :pbn.tog
  ..Configure:pbn.config
}

; -------------- ------ --- - - --- -------- --- - --
; Events
; -------------- ------ --- - - --- -------- --- - --

; Restore the saved settings when mIRC starts, and write them back on exit.
on *:start:pbn.hash load
on *:exit:pbn.hash save
; Join handler. The "!" prefix skips our own joins and "@" limits the event to
; channels where we hold ops. Each qualifying join is reduced to a character
; class pattern ($pbn.pattern) and counted per channel/connection; when the
; count for one pattern reaches the limit the channel is locked and the
; pattern is banned for a while.
; NOTE(review): /timer evaluates its command text a second time when it fires,
; and $chan is supplied by the server. Confirm that a channel name cannot carry
; text mIRC would evaluate at that point, or wrap it in $unsafe() on mIRC
; versions that provide it.
; NOTE(review): a /timer cannot call an alias declared with -l, so pbn.remove
; and pbn.clear both need to be global aliases for the two timers below to do
; anything - verify.
on !@*:join:#:{
  if ($pbn.act) {
    ; Only inspect users whose host does not match *.undernet.org and whose
    ; nick!user part contains "~" (presumably unidented clients - confirm).
    if (*.undernet.org !iswm $gettok($fulladdress,2,$asc(@)) && *~* iswm $gettok($fulladdress,1,$asc(@))) {
      var %hs = $pbn.hs($cid,$chan)

      ; The limit falls back to 3 when none has been configured.
      var %nickpattern = $pbn.pattern($nick), %limit = $iif($hget(pbn.hash,limit),$ifmatch,3)
      if ($istok($pbn.get(%hs).bans,%nickpattern,32)) {
        ; Pattern is already on the ban list for this channel: kick-ban at once.
        ban -k $chan $nick 2 Pattern Botnet Flood - $nick
      }
      elseif ($pbn.count(%hs,%nickpattern).get >= %limit && !$pbn.isresync($cid,$chan,%nickpattern)) {
        ; Threshold reached and not judged to be a resync: report, lock the
        ; channel with +r, kick-ban the joiner and remember the pattern.
        echo -a 03* Flood detected in $+(03,$chan,) $+ , triggered by $+(03,$nick,) ( $+ $+(03,%nickpattern,) $+ )
        pbn.channelstatus $cid $chan %nickpattern
        mode $chan +r
        ban -k $chan $nick 2 Pattern Botnet Flood - $nick
        $pbn.set(%hs,$addtok($pbn.get(%hs).bans,%nickpattern,32)).bans
        ; After 300 s stop banning the pattern; after 10 s sweep the channel
        ; for nicks that joined with the same pattern before the lock.
        .timer 1 300 pbn.remove %nickpattern $cid $chan
        .timer 1 10 pbn.clear %nickpattern $cid $chan
      }

      ; Every inspected join is counted, including the ones handled above.
      $pbn.count(%hs,%nickpattern).inc

    }
  }
}

; -------------- ------ --- - - --- -------- --- - --
; Aliases
; -------------- ------ --- - - --- -------- --- - --

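; Decide whether the current burst of joins looks like a resync (many
; different patterns joining at once) rather than a single-pattern flood.
;   $1 = connection id, $2 = channel, $3 = pattern that triggered the check
; Returns $true when a resync is suspected (and remembers that verdict for
; 10 seconds), otherwise $false.
; NOTE(review): the channel name is used inside a wildcard match; a channel
; whose name contains * or ? would match more keys than intended.
alias -l pbn.isresync {
  var %hs = $pbn.hs($1,$2)
  if ($hget(pbn.hash,$+(%hs,-resync))) { return $true }
  ; Counter keys have the form <chan>~<cid>-<pattern>-count. The explicit "-"
  ; after the cid keeps connection 1 from also matching connection 10, 11, ...
  var %match = $+(%hs,-*-count)
  ; Use the same fallback as the join handler. Without it an unconfigured
  ; limit made both thresholds 0, so every burst was classified as a resync.
  var %limit = $iif($hget(pbn.hash,limit),$ifmatch,3)
  var %items = $hfind(pbn.hash,%match,0,w), %item = 1, %highthresh = $calc(%limit * (1 + (2/3)))
  var %highmatches = 0
  while (%item <= %items) {
    var %name = $hfind(pbn.hash,%match,%item,w)
    ; The pattern is the second-to-last "-" token. Counting from the end keeps
    ; this correct for channel names that themselves contain "-".
    if ($gettok(%name,-2,45) != $3) {
      if ($hget(pbn.hash,%name) > $calc(%limit * (2/3))) { inc %highmatches }
    }
    inc %item
  }
  if (%highmatches > 3 || %items > %highthresh) {
    ; -u10: the resync marker expires by itself after 10 seconds.
    hadd -u10 pbn.hash $+(%hs,-resync) 1
    echo -a 03* Mass join in $+(03,$2,) $+ , ignored due to $+(03,suspected resync,)
    return $true
  }
  return $false
}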

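; Print the current per-pattern join counters for one channel into that
; channel's window.
;   $1 = connection id, $2 = channel
; NOTE(review): the $+(,...,) call with empty first and last arguments suggests
; that formatting control characters were lost when the script was pasted;
; compare against an original copy before relying on the colours.
alias pbn.channelstatus {
  ; Counter keys have the form <chan>~<cid>-<pattern>-count. The explicit "-"
  ; after the cid keeps connection 1 from also matching connection 10, 11, ...
  var %match = $+($pbn.hs($1,$2),-*-count)
  ; Same fallback as the join handler, so the highlight below also works
  ; before a limit has been configured.
  var %limit = $iif($hget(pbn.hash,limit),$ifmatch,3)
  var %items = $hfind(pbn.hash,%match,0,w), %item = 1, %matches = 0
  echo $2 02 $+ $2 $+ , %items 02 $+ $chr(123) $+ 
  while (%item <= %items) {
    var %name = $hfind(pbn.hash,%match,%item,w)
    var %count = $hget(pbn.hash,%name)
    ; The pattern is the second-to-last "-" token, which stays correct for
    ; channel names that themselves contain "-".
    if (%count > %limit) { var %show = $+(,$gettok(%name,-2,45),) }
    else { var %show = $gettok(%name,-2,45) }

    echo $2    03 $+ %show 07=>04 $hget(pbn.hash,%name)
    inc %item
  }
  echo $2 02 $+ $chr(125) $+ 
}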

; Make sure the pbn.hash table exists and optionally persist or restore it.
;   $1 = save : keep only active/period/limit and write them to pbn.hash.bin
;   $1 = load : read pbn.hash.bin if present, then delete the file
;   no $1     : only create the table when it is missing
; Saving throws away all counters and ban lists, so only settings survive a
; restart.
alias -l pbn.hash {
  var %file = $+(",$scriptdir,pbn.hash.bin,")
  if (!$hget(pbn.hash)) { hmake pbn.hash 100 }
  if ($1 == save) {
    var %savedActive = $hget(pbn.hash,active)
    var %savedPeriod = $hget(pbn.hash,period)
    var %savedLimit = $hget(pbn.hash,limit)
    ; Rebuild the table so that nothing but the three settings is written out.
    hfree pbn.hash
    hmake pbn.hash 1
    hadd pbn.hash active %savedActive
    hadd pbn.hash period %savedPeriod
    hadd pbn.hash limit %savedLimit
    hsave -bo pbn.hash %file
  }
  elseif ($1 == load) {
    if ($exists(%file)) {
      hload -b pbn.hash %file
      .remove %file
    }
  }
}

; Build the key prefix for one channel on one connection: <chan>~<cid>.
;   $1 = connection id, $2 = channel
alias -l pbn.hs {
  return $2 $+ ~ $+ $1
}

; Flip the detector between enabled and disabled and report the new state.
alias pbn.tog {
  pbn.hash
  var %next = $iif($hget(pbn.hash,active),0,1)
  hadd pbn.hash active %next
  echo -a 03* Pattern Botnet Detection is $iif($hget(pbn.hash,active),03enabled,04disabled) $+ .
}

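; Ask the user for the flood threshold as <joins>:<seconds> and store it.
; Both parts must be whole numbers greater than zero. The previous isnum test
; also accepted 0, negative and fractional values; a limit or period of 0 is
; silently replaced by the built-in defaults elsewhere in the script, and a
; negative period would be handed to /timer as a delay.
; Input that does not contain exactly two ":" separated parts (including a
; cancelled dialog) is ignored without a message, as before.
alias pbn.config {
  pbn.hash
  var %res = $input(Please configure the detector. The format is <joins>:<seconds> where <joins> matching patterns seen within <seconds> seconds of each other result in a lock. $crlf,eoq,Configure,$+($hget(pbn.hash,limit),:,$hget(pbn.hash,period)))
  if ($numtok(%res,$asc(:)) == 2) {
    var %limit = $gettok(%res,1,$asc(:))
    var %period = $gettok(%res,2,$asc(:))
    if ($regex(%limit,/^[1-9]\d*$/) && $regex(%period,/^[1-9]\d*$/)) {
      hadd pbn.hash period %period
      hadd pbn.hash limit %limit
      echo -a 03* Set flood threshold at $+(03,%limit,) matching joins within $+(03,%period,) seconds.
    }
    else {
      echo -a 04* Invalid flood config. Format is <joins>:<seconds> where both arguments are whole numbers greater than zero.
    }
  }
}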

; Return the stored "active" flag, creating the table first if needed.
alias pbn.act {
  pbn.hash
  return $hget(pbn.hash,active)
}

; Read one stored value: $pbn.get(<key>).<prop> returns the item <key>-<prop>.
; Returns nothing unless it is called as an identifier with an argument and
; a property.
alias -l pbn.get {
  if (!$isid || !$0 || !$prop) { return }
  pbn.hash
  var %item = $+($1,-,$prop)
  return $hget(pbn.hash,%item)
}

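; Per-pattern join counter.
;   $pbn.count(<hs>,<pattern>).get  returns the current count
;   $pbn.count(<hs>,<pattern>).inc  adds 1 and schedules the matching decrement
;   $pbn.count(<args...>,<value>).set  stores <value> through $pbn.set
;   /pbn.count dec <hs> <pattern>   subtracts 1 and drops the item at 0
; The alias is global on purpose: the decrement is started by /timer, and a
; timer command does not run inside this script file, so it cannot reach an
; alias declared with -l. With the former "alias -l" the counters would never
; decay and old joins kept counting towards the limit.
; NOTE(review): $1- carries the channel name and is evaluated again when the
; timer fires - confirm a channel name cannot carry text mIRC would evaluate.
alias pbn.count {
  if ($isid) {
    pbn.hash
    if ($prop == get) {
      var %pri = $replace($1-,$chr(32),-)
      return $pbn.get(%pri).count
    }
    elseif ($prop == inc) {
      var %pri = $replace($1-,$chr(32),-)
      hinc pbn.hash $+(%pri,-,count) 1
      ; Undo this increment after the configured period (default 5 seconds).
      .timer 1 $iif($hget(pbn.hash,period),$ifmatch,5) pbn.count dec $1-
    }
    elseif ($prop == set) {
      ; All arguments but the last form the key, the last one is the value.
      var %pri = $replace($1- [ $+ [ $calc($0 - 1) ] ],$chr(32),-)
      $pbn.set(%pri,$ [ $+ [ $0 ] ]).count
    }
  }
  else {
    if ($1 == dec) {
      var %pri = $+($replace($2-,$chr(32),-),-count)
      hdec pbn.hash %pri 1
      if ($hget(pbn.hash,%pri) <= 0) { hdel pbn.hash %pri }
    }
  }
}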

; Write one stored value: $pbn.set(<key>,<value>[,inc|dec]).<prop>
;   no value      : delete the item <key>-<prop>
;   third arg inc : hinc the item by <value>
;   third arg dec : hdec the item by <value>
;   otherwise     : store <value>
; Does nothing unless called as an identifier with an argument and a property.
; The hash command is chosen from a fixed set here rather than assembled from
; the third argument.
alias -l pbn.set {
  if (!$isid || !$0 || !$prop) { return }
  pbn.hash
  var %item = $+($1,-,$prop)
  if ($0 < 2 || $2 == $null) {
    hdel pbn.hash %item
    return
  }
  if ($3 == inc) { hinc pbn.hash %item $2 }
  elseif ($3 == dec) { hdec pbn.hash %item $2 }
  else { hadd pbn.hash %item $2 }
}

; Reduce a nickname to its character-class pattern, one letter per character:
;   n = digit, u = upper-case letter, l = lower-case letter, e = anything else
; Returns nothing unless called as an identifier with an argument.
alias -l pbn.pattern {
  if (!$isid || !$0) { return }
  var %out, %pos = 1, %total = $len($1)
  while (%pos <= %total) {
    var %c = $mid($1,%pos,1)
    if (%c isnum) { var %out = $+(%out,n) }
    elseif (%c isalpha) { var %out = $+(%out,$iif(%c isupper,u),$iif(%c islower,l)) }
    else { var %out = $+(%out,e) }
    inc %pos
  }
  return %out
}

; Stop banning a pattern on a channel; run by the 300 second timer.
;   $1 = pattern, $2 = connection id, $3 = channel
; When it was the last banned pattern for the channel, mode +r is lifted too.
alias pbn.remove {
  var %hs = $pbn.hs($2,$3)
  var %bans = $pbn.get(%hs).bans
  if (!$istok(%bans,$1,32)) { return }
  var %left = $remtok(%bans,$1,1,32)
  $pbn.set(%hs,%left).bans
  if (%left == $null) { mode $3 -r }
  echo -a 03* No longer banning pattern $+(03,$1,) on $+(03,$3,)
}

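; Sweep a channel for nicks that match a flood pattern and kick-ban them;
; run by the 10 second timer after a flood has been detected.
;   $1 = pattern, $2 = connection id, $3 = channel
; The alias is global on purpose: it is started by /timer, and a timer command
; does not run inside this script file, so it cannot reach an alias declared
; with -l. With the former "alias -l" this sweep would never run.
alias pbn.clear {
  ; Work on the connection the flood was seen on, then restore the context.
  scid $2
  ; The a,oh arguments select all nicks except ops and halfops.
  var %nicks = $nick($3,0,a,oh), %i = 1
  while (%i <= %nicks) {
    var %nick = $nick($3,%i,a,oh)
    if ($pbn.pattern(%nick) == $1) { ban -k $3 %nick 2 Pattern Botnet Flood - %nick }
    inc %i
  }
  echo -a 03* Finished clearing $+(03,$3,)
  scid -r
}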