authorLibravatarJanik Kleinhoff <ilbelkyr@shalture.org>2016-09-05 01:09:49 +0000
committerLibravatarJanik Kleinhoff <ilbelkyr@shalture.org>2016-10-07 22:42:33 +0000
commite29b1456c06576b607fd255f5da34a3cc3e97ca2 (patch)
treefeeb5925dd9f0b6e9e692e34b7b8dca1ecbd8275 /config-default/rules.xml
parente3e5402155786931fffd78e71bb2a7324a677ff0 (diff)
Extirpate traces of XML
Summary: Resolve T6 and use the opportunity to get rid of our dependency on `XML::Simple` once and for all. Test Plan: Run the bot with JSON config files. Reviewers: Unit193 Reviewed By: Unit193 Tags: #antispammeta Maniphest Tasks: T6 Differential Revision: https://asm.shalture.org/D1
Diffstat (limited to 'config-default/rules.xml')
-rw-r--r--config-default/rules.xml59
1 files changed, 0 insertions, 59 deletions
diff --git a/config-default/rules.xml b/config-default/rules.xml
deleted file mode 100644
index a8bd48c..0000000
--- a/config-default/rules.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-<events>
-<!-- <event id="garbagemeter" class="garbagemeter" reason="garbage exceeding threshold" risk="debug" type="public">3:6:3:3</event> -->
- <event id="cyclebotnet" class="cyclebotnet" reason="botnet cyclespam" risk="high" type="part">4:4:30</event>
- <event id="joinmsgquit" class="joinmsgquit" reason="joined, said something, parted/quit" risk="info" type="quit,part">3</event>
- <event id="advflood" class="advsplitflood" reason="advanced distributed flooding" risk="high" type="public,part,caction">5:3</event>
- <event id="asciiflood" class="asciiflood" reason="ascii art algorithm" risk="medium" type="public">20:3:3</event>
- <event id="autoremove" class="re" reason="on chanserv autoremove" risk="info" type="part">^requested by ChanServ</event>
- <event id="blacklist2" class="strblnew" reason="blacklist $xresult" risk="medium" type="public,part,quit,caction">blah</event>
- <event id="blacklistpcre" class="strblpcre" reason="pcre blacklist $xresult" risk="medium" type="public,part,quit,caction">blah</event>
- <event id="cloning" class="cloning" reason="excessive clones detected ($xresult) !clonesdetected " risk="debug" type="join">3</event>
- <event id="ctcp-dcc" class="re" reason="ctcp-dcc" risk="high" type="cdcc">.*</event>
- <event id="ctcp-ping" class="re" reason="channel-wide CTCP PING" risk="medium" type="cping">.*</event>
- <event id="ctcp-version" class="re" reason="channel-wide CTCP VERSION" risk="medium" type="cversion">.*</event>
- <event id="dcc" class="re" override="dcc-medium" reason="using the DC.C SE.ND exploit" risk="high" type="public">^DCC (SEND|S?CHAT) |\bDCC (SEND|S?CHAT) &quot;?[A-Za-z0-9]+&quot;? \d+ \d+ \d+</event>
- <event id="dcc-medium" class="re" reason="using the DC.C SE.ND exploit" risk="medium" type="public">\bDCC SEND </event>
- <event id="dcc-part" class="re" reason="using the DC.C SE.ND exploit in a part message" risk="high" type="part">\bDCC SEND </event>
- <event id="dcc-topic" class="re" reason="setting a bad topic" risk="medium" type="topic">\bDCC SEND </event>
- <event id="debugme" class="re" reason="sending a string designed to trigger a debug test alert, disregard this" risk="debug" type="public">debugantispambotdebug</event>
- <event id="appleexploit" class="re" reason="using the apple corefont exploit" risk="high" type="public,caction,part">&#xd8;&#xb3;&#xd9;&#x85;&#xd9;&#x8e;&#xd9;&#x80;</event>
- <!--<event id="dronebl" class="dnsbl" reason="host $evhost is in dnsbl.dronebl.org ( $xresult )" risk="info" type="join">dnsbl.dronebl.org.</event>-->
- <!--<event id="efnetbl" class="dnsbl" reason="host $evhost is in rbl.efnetrbl.org ( $xresult )" risk="info" type="join">rbl.efnetrbl.org.</event>-->
- <event id="fakechristel" class="nuhg" reason="christel's nick but not host" risk="medium" type="join">(?i)chr[i1]ste[l1]_?!.*</event>
- <event id="fakeglobal" class="re" override="notice" reason="fake global notice" risk="high" type="notice">(?i)\[global notice\]</event>
- <event id="floodqueue10-20" class="floodqueue" reason="flooding (10 msgs in 20 seconds)" risk="low" type="public,caction">10:20</event>
- <event id="gnaa-topic" class="re" reason="setting a GNAA topic" risk="medium" type="topic">(?i)\bgnaa\b</event>
- <event id="gnaaquit" class="re" reason="quitting with a GNAA message" risk="medium" type="quit">(?i)\bgnaa\b</event>
- <event id="joinflood" class="floodqueue" reason="join flood (5 joins in 20 seconds)" risk="medium" type="join">5:20</event>
- <event id="keylogger" class="re" override="keylogger-medium" reason="using the norton start-key-logger exploit" risk="high" type="public">^startkeylogger$|^stopkeylogger$</event>
- <event id="keylogger-medium" class="re" reason="using the norton start-key-logger exploit" risk="medium" type="public">\bstartkeylogger\b|\bstopkeylogger\b</event>
- <event id="last_measure_regex" class="re" reason="posting what appears to be a last measure link" risk="high" type="public">(?i)(http://(\S+\.)?on\.nimp\.org|http://(\S+\.)?feenode.net|http://wikipaste\.eu|http://(\S+\.)?bioghost\.com|http://(\S+\.)?on\.zoy\.org|http://(lastmeasure|dirtysanchez|doom3|freeipods|halflife2|halo2|lastmeasure4|lastmeasureunified|softmeasure|traceroute)\.zoy\.org)</event>
- <event id="levenflood" class="levenflood" override="flood-5to3" reason="levenshtein flood match" risk="low" type="public">contentisuseless</event>
- <event id="malspreader1" class="nuhg" reason="suspicious NUHG, rule 1" risk="low" type="join">.*!~NUMONE@.*!REAL_NAME</event>
-<!-- <event id="genspammer1" class="nuhg" reason="suspicious NUHG, rule 2" risk="info" type="join">(?i)(.*!.*MURDERC@.*!.*|[A-Z]{2}MURDERCORP!.*|chrisbradley)</event> -->
- <event id="genspammer2" class="nuhg" reason="suspicious NUHG, rule 3 (~hyd trolling 2012/12, 2013/03)" risk="info" type="join">.*!~hyd@.*!.*</event>
- <event id="massflood" class="splitflood" reason="distributed flooding" risk="high" type="public,caction">4:4</event>
- <event id="meepsheep1" class="nuhg" reason="common troll (meepsheep)" risk="info" type="join">(?i).*..psh..p.*</event>
- <event id="nickspam" class="nickspam" reason="nickspamming" risk="high" type="public">60:10</event>
- <event id="notice" class="re" reason="sending a notice to the channel" risk="medium" type="notice">.*</event>
- <event id="phishing1" class="re" override="notice" reason="trying to steal passwords (v1)" risk="high" type="notice">identify.*/msg .* identify &lt;password&gt;</event>
- <event id="phishing2" class="re" override="notice" reason="trying to steal passwords (v2)" risk="high" type="notice">^This nickname is registered</event>
- <event id="redarmyoflol" class="re" reason="parting with 'red army of lol'" risk="low" type="part">RED ARMY OF LOL</event>
- <event id="sms_spam" class="re" reason="spam link / virus" risk="low" type="public">\.com/sms.exe</event>
- <!--<event id="sorbsbl" class="dnsbl" reason="host $evhost is in dnsbl.sorbs.net ( $xresult )" risk="info" type="join">dnsbl.sorbs.net.</event>-->
- <event id="suckmynick" class="re" reason="using a potentially offensive nick" risk="low" type="join">(suck.*dick)</event>
- <event id="wikifags2" class="re" reason="saying 'sure are a lot of wikifag'..." risk="low" type="public">(?i)^sure are a ?lot of .*fags? in here</event>
- <event id="xchatbroad" class="re" reason="using an x-chat for windows unicode exploit (broad detection version, may be error prone)" risk="low" type="public,part,quit,caction">THISHASBEENDISABLED[&#240;-&#247;][&#128;-&#191;]{3}</event>
- <event id="xchatexploit" class="re" override="xchatbroad" reason="using an x-chat for windows unicode exploit" risk="high" type="public,part,quit,caction">&#243;&#160;&#129;&#159;</event>
- <event id="proxylist" class="proxy" reason="IP is blacklisted" risk="info" type="join">lolz</event>
- <event id="nickbl" class="nickfuzzy" reason="fuzzy matching against nick blacklist (services set)" risk="low" type="join,nick">1:chanserv,nickserv,hostserv,operserv,memoserv</event>
- <event id="nickbl2" class="nickfuzzy" reason="fuzzy matching against nick blacklist (set 2)" risk="debug" type="join,nick">1:incog,meepsheep,blackman,brthmthr,patroclus_rex</event>
- <event id="nickbl_impersonate" class="nickfuzzy" reason="fuzzy matching against nick blacklist (impersonation set), see ;falsematch if in error" risk="medium" type="join,nick">2:botchlab,bremmyfag,ilbelkyr,bremsstrahlung,ishanyx</event>
- <event id="botnickbl" class="nickbl" reason="matches against a possible bot nick" risk="info" type="join,nick">contentisuseless</event>
- <event id="botpattern1" class="nuhg" reason="matches probable botnet pattern" risk="debug" type="join">DISABLED[A-Za-z]{4}\d+!~[A-Za-z]{4}@.*![A-Za-z]{4}</event>
- <event id="banevade" class="banevade" reason="appears to be ban evading" risk="info" type="join">contentisuseless</event>
- <event id="joinfloodquiet" class="floodqueue2" reason="join flood (3 joins in 90 seconds) by quieted user" risk="low" type="join">3:90</event>
- <event id="invite" class="invite" reason="invited to a channel" risk="debug" type="invite">blah</event>
- <event id="urlcrunch" class="urlcrunch" reason="URL that resolves to some place that is bad" risk="medium" type="public">^(https?:\/\/bitly.com\/a\/warning|https?://(?:i.)?imgur.com|https?://(?:www.)?hotxgirls.net)</event>
- <!--<event id="incredibl" class="dnsbl" reason="host $evhost is in dnsbl.incredibl.org ( $xresult )" risk="info" type="join">dnsbl.incredibl.org.</event>-->
-</events>