| author | 2016-09-05 01:09:49 +0000 | |
|---|---|---|
| committer | 2016-10-07 22:42:33 +0000 | |
| commit | e29b1456c06576b607fd255f5da34a3cc3e97ca2 (patch) | |
| tree | feeb5925dd9f0b6e9e692e34b7b8dca1ecbd8275 /config-default | |
| parent | e3e5402155786931fffd78e71bb2a7324a677ff0 (diff) | |
Extirpate traces of XML
Summary: Resolve T6 and use the opportunity to get rid of our dependency on `XML::Simple` once and for all.
Test Plan: Run the bot with JSON config files.
Reviewers: Unit193
Reviewed By: Unit193
Tags: #antispammeta
Maniphest Tasks: T6
Differential Revision: https://asm.shalture.org/D1
Diffstat (limited to 'config-default')
| -rw-r--r-- | config-default/blacklist.json | 1 | ||||
| -rw-r--r-- | config-default/blacklist.xml | 2 | ||||
| -rw-r--r-- | config-default/channels.json | 19 | ||||
| -rw-r--r-- | config-default/channels.xml | 16 | ||||
| -rw-r--r-- | config-default/dnsbl.json | 95 | ||||
| -rw-r--r-- | config-default/dnsbl.xml | 37 | ||||
| -rw-r--r-- | config-default/mysql.json | 16 | ||||
| -rw-r--r-- | config-default/mysql.xml | 16 | ||||
| -rw-r--r-- | config-default/restrictions.json | 5 | ||||
| -rw-r--r-- | config-default/restrictions.xml | 8 | ||||
| -rw-r--r-- | config-default/rules.json | 368 | ||||
| -rw-r--r-- | config-default/rules.xml | 59 | ||||
| -rw-r--r-- | config-default/settings.json | 35 | ||||
| -rw-r--r-- | config-default/settings.xml | 37 | ||||
| -rw-r--r-- | config-default/users.json | 7 | ||||
| -rw-r--r-- | config-default/users.xml | 3 |
16 files changed, 546 insertions, 178 deletions
diff --git a/config-default/blacklist.json b/config-default/blacklist.json
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/config-default/blacklist.json
@@ -0,0 +1 @@
+{}
diff --git a/config-default/blacklist.xml b/config-default/blacklist.xml
deleted file mode 100644
index d2e12dc..0000000
--- a/config-default/blacklist.xml
+++ /dev/null
@@ -1,2 +0,0 @@
-<blacklist>
-</blacklist>
diff --git a/config-default/channels.json b/config-default/channels.json
new file mode 100644
index 0000000..8f911ce
--- /dev/null
+++ b/config-default/channels.json
@@ -0,0 +1,19 @@
+{
+ "channel" : {
+ "#antispammeta" : {
+ "hilights" : {},
+ "msgs" : {}
+ },
+ "default" : {
+ "hilights" : {}
+ },
+ "master" : {
+ "hilights" : {},
+ "msgs" : {
+ "debug" : [
+ "#antispammeta"
+ ]
+ }
+ }
+ }
+}
diff --git a/config-default/channels.xml b/config-default/channels.xml
deleted file mode 100644
index 5bdb9e7..0000000
--- a/config-default/channels.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-<channels>
- <channel id="#antispammeta">
- <hilights></hilights>
- <msgs></msgs>
- </channel>
- <channel id="default">
- <hilights></hilights>
- </channel>
- <channel id="master">
- <hilights>
- </hilights>
- <msgs>
- <debug>#antispammeta</debug>
- </msgs>
- </channel>
-</channels>
diff --git a/config-default/dnsbl.json b/config-default/dnsbl.json
new file mode 100644
index 0000000..b217ebe
--- /dev/null
+++ b/config-default/dnsbl.json
@@ -0,0 +1,95 @@
+{
+ "query" : {
+ "dnsbl.dronebl.org." : {
+ "response" : {
+ "127.0.0.1" : {
+ "content" : "Testing data"
+ },
+ "127.0.0.10" : {
+ "content" : "ProxyChain"
+ },
+ "127.0.0.14" : {
+ "content" : "Open Wingate Proxy"
+ },
+ "127.0.0.15" : {
+ "content" : "Compromised router / gateway"
+ },
+ "127.0.0.2" : {
+ "content" : "Sample"
+ },
+ "127.0.0.255" : {
+ "content" : "Unknown"
+ },
+ "127.0.0.3" : {
+ "content" : "IRC Drone"
+ },
+ "127.0.0.5" : {
+ "content" : "Bottler"
+ },
+ "127.0.0.6" : {
+ "content" : "Unknown spambot or drone"
+ },
+ "127.0.0.7" : {
+ "content" : "DDOS drone"
+ },
+ "127.0.0.8" : {
+ "content" : "SOCKS proxy"
+ },
+ "127.0.0.9" : {
+ "content" : "HTTP proxy"
+ }
+ }
+ },
+ "dnsbl.incredibl.org." : {
+ "response" : {
+ "127.0.0.2" : {
+ "content" : "SOCKS Proxy"
+ },
+ "127.0.0.3" : {
+ "content" : "IRC Proxy"
+ },
+ "127.0.0.4" : {
+ "content" : "HTTP Proxy"
+ },
+ "127.0.0.5" : {
+ "content" : "IRC Drone"
+ },
+ "127.0.0.6" : {
+ "content" : "TOR"
+ }
+ }
+ },
+ "dnsbl.sorbs.net." : {
+ "response" : {
+ "127.0.0.2" : {
+ "content" : "HTTP Proxy"
+ },
+ "127.0.0.3" : {
+ "content" : "SOCKS Proxy"
+ },
+ "127.0.0.4" : {
+ "content" : "Misc. proxy"
+ }
+ }
+ },
+ "rbl.efnetrbl.org." : {
+ "response" : {
+ "127.0.0.1" : {
+ "content" : "Open proxy"
+ },
+ "127.0.0.2" : {
+ "content" : "Trojan spreader"
+ },
+ "127.0.0.3" : {
+ "content" : "Trojan infected client"
+ },
+ "127.0.0.4" : {
+ "content" : "TOR exit server"
+ },
+ "127.0.0.5" : {
+ "content" : "Drones / Flooding"
+ }
+ }
+ }
+ }
+}
diff --git a/config-default/dnsbl.xml b/config-default/dnsbl.xml
deleted file mode 100644
index 01f72b4..0000000
--- a/config-default/dnsbl.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<dnsbl>
- <query id="rbl.efnetrbl.org.">
- <response id="127.0.0.1">Open proxy</response>
- <response id="127.0.0.2">Trojan spreader</response>
- <response id="127.0.0.3">Trojan infected client</response>
- <response id="127.0.0.4">TOR exit server</response>
- <response id="127.0.0.5">Drones / Flooding</response>
- </query>
- <query id="dnsbl.dronebl.org.">
- <response id="127.0.0.1">Testing data</response>
- <response id="127.0.0.2">Sample</response>
- <response id="127.0.0.3">IRC Drone</response>
- <response id="127.0.0.5">Bottler</response>
- <response id="127.0.0.6">Unknown spambot or drone</response>
- <response id="127.0.0.7">DDOS drone</response>
- <response id="127.0.0.8">SOCKS proxy</response>
- <response id="127.0.0.9">HTTP proxy</response>
- <response id="127.0.0.10">ProxyChain</response>
-<!-- <response id="127.0.0.13">Brute force attackers</response> -->
- <response id="127.0.0.14">Open Wingate Proxy</response>
- <response id="127.0.0.15">Compromised router / gateway</response>
-<!-- <response id="127.0.0.17">Automatically determined botnet IPs (experimental)</response> -->
- <response id="127.0.0.255">Unknown</response>
- </query>
- <query id="dnsbl.sorbs.net.">
- <response id="127.0.0.2">HTTP Proxy</response>
- <response id="127.0.0.3">SOCKS Proxy</response>
- <response id="127.0.0.4">Misc. proxy</response>
- </query>
- <query id="dnsbl.incredibl.org.">
- <response id="127.0.0.2">SOCKS Proxy</response>
- <response id="127.0.0.3">IRC Proxy</response>
- <response id="127.0.0.4">HTTP Proxy</response>
- <response id="127.0.0.5">IRC Drone</response>
- <response id="127.0.0.6">TOR</response>
- </query>
-</dnsbl>
diff --git a/config-default/mysql.json b/config-default/mysql.json
new file mode 100644
index 0000000..ca97b86
--- /dev/null
+++ b/config-default/mysql.json
@@ -0,0 +1,16 @@
+{
+ "actiontable" : "actionlog",
+ "db" : "asm_main",
+ "dblog" : "asm_log",
+ "host" : "localhost",
+ "ignoredgecos" : [
+ "new now know how"
+ ],
+ "ignoredidents" : [
+ "~chatzilla"
+ ],
+ "pass" : "PASS",
+ "port" : "3307",
+ "table" : "alertlog",
+ "user" : "USER"
+}
diff --git a/config-default/mysql.xml b/config-default/mysql.xml
deleted file mode 100644
index 299c167..0000000
--- a/config-default/mysql.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-<mysql>
- <user>USER</user>
- <pass>PASS</pass>
- <db>asm_main</db>
- <dblog>asm_log</dblog>
- <table>alertlog</table>
- <actiontable>actionlog</actiontable>
- <host>localhost</host>
- <port>3307</port>
- <ignoredidents>
- <ident>~chatzilla</ident>
- </ignoredidents>
- <ignoredgecos>
- <geco>new now know how</geco>
- </ignoredgecos>
-</mysql>
diff --git a/config-default/restrictions.json b/config-default/restrictions.json
new file mode 100644
index 0000000..136061b
--- /dev/null
+++ b/config-default/restrictions.json
@@ -0,0 +1,5 @@
+{
+ "accounts" : {},
+ "hosts" : {},
+ "nicks" : {}
+}
diff --git a/config-default/restrictions.xml b/config-default/restrictions.xml
deleted file mode 100644
index d32963f..0000000
--- a/config-default/restrictions.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<restrictions>
- <accounts>
- </accounts>
- <hosts>
- </hosts>
- <nicks>
- </nicks>
-</restrictions>
diff --git a/config-default/rules.json b/config-default/rules.json
new file mode 100644
index 0000000..fab019f
--- /dev/null
+++ b/config-default/rules.json
@@ -0,0 +1,368 @@
+{
+ "event" : {
+ "advflood" : {
+ "class" : "advsplitflood",
+ "content" : "5:3",
+ "reason" : "advanced distributed flooding",
+ "risk" : "high",
+ "type" : "public,part,caction"
+ },
+ "appleexploit" : {
+ "class" : "re",
+ "content" : "سÙ
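Review bot: `config-default/mysql.json` ships `"user" : "USER"` and `"pass" : "PASS"`, and nothing visible in this change makes a deployment fail while those placeholders are still in place; `"apikey" : "yoursecretkey"` in settings.json and the `"YOU"` entry with `"flags" : "acdhps"` in users.json follow the same pattern. JSON cannot carry a comment telling the operator to replace them, so the loader (not part of this diff) should refuse to start when a placeholder value is still present. The install notes should also state that the live copy of this file holds the database password in plaintext and must not keep the world-readable 100644 mode of the defaults. `"port" : "3307"` is a string where a JSON number would do, which is worth confirming against whatever consumes it.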
ÙÙ", + "reason" : "using the apple corefont exploit", + "risk" : "high", + "type" : "public,caction,part" + }, + "asciiflood" : { + "class" : "asciiflood", + "content" : "20:3:3", + "reason" : "ascii art algorithm", + "risk" : "medium", + "type" : "public" + }, + "autoremove" : { + "class" : "re", + "content" : "^requested by ChanServ", + "reason" : "on chanserv autoremove", + "risk" : "info", + "type" : "part" + }, + "banevade" : { + "class" : "banevade", + "content" : "contentisuseless", + "reason" : "appears to be ban evading", + "risk" : "info", + "type" : "join" + }, + "blacklist2" : { + "class" : "strblnew", + "content" : "blah", + "reason" : "blacklist $xresult", + "risk" : "medium", + "type" : "public,part,quit,caction" + }, + "blacklistpcre" : { + "class" : "strblpcre", + "content" : "blah", + "reason" : "pcre blacklist $xresult", + "risk" : "medium", + "type" : "public,part,quit,caction" + }, + "botnickbl" : { + "class" : "nickbl", + "content" : "contentisuseless", + "reason" : "matches against a possible bot nick", + "risk" : "info", + "type" : "join,nick" + }, + "botpattern1" : { + "class" : "nuhg", + "content" : "DISABLED[A-Za-z]{4}\\d+!~[A-Za-z]{4}@.*![A-Za-z]{4}", + "reason" : "matches probable botnet pattern", + "risk" : "debug", + "type" : "join" + }, + "cloning" : { + "class" : "cloning", + "content" : "3", + "reason" : "excessive clones detected ($xresult) !clonesdetected ", + "risk" : "debug", + "type" : "join" + }, + "ctcp-dcc" : { + "class" : "re", + "content" : ".*", + "reason" : "ctcp-dcc", + "risk" : "high", + "type" : "cdcc" + }, + "ctcp-ping" : { + "class" : "re", + "content" : ".*", + "reason" : "channel-wide CTCP PING", + "risk" : "medium", + "type" : "cping" + }, + "ctcp-version" : { + "class" : "re", + "content" : ".*", + "reason" : "channel-wide CTCP VERSION", + "risk" : "medium", + "type" : "cversion" + }, + "cyclebotnet" : { + "class" : "cyclebotnet", + "content" : "4:4:30", + "reason" : "botnet cyclespam", + "risk" : "high", + 
"type" : "part" + }, + "dcc" : { + "class" : "re", + "content" : "^DCC (SEND|S?CHAT) |\\bDCC (SEND|S?CHAT) \"?[A-Za-z0-9]+\"? \\d+ \\d+ \\d+", + "override" : "dcc-medium", + "reason" : "using the DC.C SE.ND exploit", + "risk" : "high", + "type" : "public" + }, + "dcc-medium" : { + "class" : "re", + "content" : "\\bDCC SEND ", + "reason" : "using the DC.C SE.ND exploit", + "risk" : "medium", + "type" : "public" + }, + "dcc-part" : { + "class" : "re", + "content" : "\\bDCC SEND ", + "reason" : "using the DC.C SE.ND exploit in a part message", + "risk" : "high", + "type" : "part" + }, + "dcc-topic" : { + "class" : "re", + "content" : "\\bDCC SEND ", + "reason" : "setting a bad topic", + "risk" : "medium", + "type" : "topic" + }, + "debugme" : { + "class" : "re", + "content" : "debugantispambotdebug", + "reason" : "sending a string designed to trigger a debug test alert, disregard this", + "risk" : "debug", + "type" : "public" + }, + "fakechristel" : { + "class" : "nuhg", + "content" : "(?i)chr[i1]ste[l1]_?!.*", + "reason" : "christel's nick but not host", + "risk" : "medium", + "type" : "join" + }, + "fakeglobal" : { + "class" : "re", + "content" : "(?i)\\[global notice\\]", + "override" : "notice", + "reason" : "fake global notice", + "risk" : "high", + "type" : "notice" + }, + "floodqueue10-20" : { + "class" : "floodqueue", + "content" : "10:20", + "reason" : "flooding (10 msgs in 20 seconds)", + "risk" : "low", + "type" : "public,caction" + }, + "genspammer2" : { + "class" : "nuhg", + "content" : ".*!~hyd@.*!.*", + "reason" : "suspicious NUHG, rule 3 (~hyd trolling 2012/12, 2013/03)", + "risk" : "info", + "type" : "join" + }, + "gnaa-topic" : { + "class" : "re", + "content" : "(?i)\\bgnaa\\b", + "reason" : "setting a GNAA topic", + "risk" : "medium", + "type" : "topic" + }, + "gnaaquit" : { + "class" : "re", + "content" : "(?i)\\bgnaa\\b", + "reason" : "quitting with a GNAA message", + "risk" : "medium", + "type" : "quit" + }, + "invite" : { + "class" : "invite", + 
"content" : "blah", + "reason" : "invited to a channel", + "risk" : "debug", + "type" : "invite" + }, + "joinflood" : { + "class" : "floodqueue", + "content" : "5:20", + "reason" : "join flood (5 joins in 20 seconds)", + "risk" : "medium", + "type" : "join" + }, + "joinfloodquiet" : { + "class" : "floodqueue2", + "content" : "3:90", + "reason" : "join flood (3 joins in 90 seconds) by quieted user", + "risk" : "low", + "type" : "join" + }, + "joinmsgquit" : { + "class" : "joinmsgquit", + "content" : "3", + "reason" : "joined, said something, parted/quit", + "risk" : "info", + "type" : "quit,part" + }, + "keylogger" : { + "class" : "re", + "content" : "^startkeylogger$|^stopkeylogger$", + "override" : "keylogger-medium", + "reason" : "using the norton start-key-logger exploit", + "risk" : "high", + "type" : "public" + }, + "keylogger-medium" : { + "class" : "re", + "content" : "\\bstartkeylogger\\b|\\bstopkeylogger\\b", + "reason" : "using the norton start-key-logger exploit", + "risk" : "medium", + "type" : "public" + }, + "last_measure_regex" : { + "class" : "re", + "content" : "(?i)(http://(\\S+\\.)?on\\.nimp\\.org|http://(\\S+\\.)?feenode.net|http://wikipaste\\.eu|http://(\\S+\\.)?bioghost\\.com|http://(\\S+\\.)?on\\.zoy\\.org|http://(lastmeasure|dirtysanchez|doom3|freeipods|halflife2|halo2|lastmeasure4|lastmeasureunified|softmeasure|traceroute)\\.zoy\\.org)", + "reason" : "posting what appears to be a last measure link", + "risk" : "high", + "type" : "public" + }, + "levenflood" : { + "class" : "levenflood", + "content" : "contentisuseless", + "override" : "flood-5to3", + "reason" : "levenshtein flood match", + "risk" : "low", + "type" : "public" + }, + "malspreader1" : { + "class" : "nuhg", + "content" : ".*!~NUMONE@.*!REAL_NAME", + "reason" : "suspicious NUHG, rule 1", + "risk" : "low", + "type" : "join" + }, + "massflood" : { + "class" : "splitflood", + "content" : "4:4", + "reason" : "distributed flooding", + "risk" : "high", + "type" : "public,caction" + }, 
+ "meepsheep1" : { + "class" : "nuhg", + "content" : "(?i).*..psh..p.*", + "reason" : "common troll (meepsheep)", + "risk" : "info", + "type" : "join" + }, + "nickbl" : { + "class" : "nickfuzzy", + "content" : "1:chanserv,nickserv,hostserv,operserv,memoserv", + "reason" : "fuzzy matching against nick blacklist (services set)", + "risk" : "low", + "type" : "join,nick" + }, + "nickbl2" : { + "class" : "nickfuzzy", + "content" : "1:incog,meepsheep,blackman,brthmthr,patroclus_rex", + "reason" : "fuzzy matching against nick blacklist (set 2)", + "risk" : "debug", + "type" : "join,nick" + }, + "nickbl_impersonate" : { + "class" : "nickfuzzy", + "content" : "2:botchlab,bremmyfag,ilbelkyr,bremsstrahlung,ishanyx", + "reason" : "fuzzy matching against nick blacklist (impersonation set), see ;falsematch if in error", + "risk" : "medium", + "type" : "join,nick" + }, + "nickspam" : { + "class" : "nickspam", + "content" : "60:10", + "reason" : "nickspamming", + "risk" : "high", + "type" : "public" + }, + "notice" : { + "class" : "re", + "content" : ".*", + "reason" : "sending a notice to the channel", + "risk" : "medium", + "type" : "notice" + }, + "phishing1" : { + "class" : "re", + "content" : "identify.*/msg .* identify <password>", + "override" : "notice", + "reason" : "trying to steal passwords (v1)", + "risk" : "high", + "type" : "notice" + }, + "phishing2" : { + "class" : "re", + "content" : "^This nickname is registered", + "override" : "notice", + "reason" : "trying to steal passwords (v2)", + "risk" : "high", + "type" : "notice" + }, + "proxylist" : { + "class" : "proxy", + "content" : "lolz", + "reason" : "IP is blacklisted", + "risk" : "info", + "type" : "join" + }, + "redarmyoflol" : { + "class" : "re", + "content" : "RED ARMY OF LOL", + "reason" : "parting with 'red army of lol'", + "risk" : "low", + "type" : "part" + }, + "sms_spam" : { + "class" : "re", + "content" : "\\.com/sms.exe", + "reason" : "spam link / virus", + "risk" : "low", + "type" : "public" + }, + 
"suckmynick" : { + "class" : "re", + "content" : "(suck.*dick)", + "reason" : "using a potentially offensive nick", + "risk" : "low", + "type" : "join" + }, + "urlcrunch" : { + "class" : "urlcrunch", + "content" : "^(https?:\\/\\/bitly.com\\/a\\/warning|https?://(?:i.)?imgur.com|https?://(?:www.)?hotxgirls.net)", + "reason" : "URL that resolves to some place that is bad", + "risk" : "medium", + "type" : "public" + }, + "wikifags2" : { + "class" : "re", + "content" : "(?i)^sure are a ?lot of .*fags? in here", + "reason" : "saying 'sure are a lot of wikifag'...", + "risk" : "low", + "type" : "public" + }, + "xchatbroad" : { + "class" : "re", + "content" : "THISHASBEENDISABLED[ð-÷][-¿]{3}", + "reason" : "using an x-chat for windows unicode exploit (broad detection version, may be error prone)", + "risk" : "low", + "type" : "public,part,quit,caction" + }, + "xchatexploit" : { + "class" : "re", + "content" : "ó ", + "override" : "xchatbroad", + "reason" : "using an x-chat for windows unicode exploit", + "risk" : "high", + "type" : "public,part,quit,caction" + } + } +} diff --git a/config-default/rules.xml b/config-default/rules.xml deleted file mode 100644 index a8bd48c..0000000 --- a/config-default/rules.xml +++ /dev/null 
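Review bot: The non-ASCII patterns of `appleexploit`, `xchatbroad` and `xchatexploit` in rules.json render as different character sequences than on the removed rules.xml lines of this same page, so these rules, two of them `"risk" : "high"`, may no longer match what they matched before the conversion. This could be a display artifact of the page, so it should be confirmed with a test that loads each pattern from the JSON file and matches it against the sample it was written for. Writing the patterns with explicit escapes (JSON `\uXXXX`, or `\\x{..}` inside the regex) would keep the file ASCII-only and make the intended bytes or code points unambiguous. Separately, `levenflood` names `"override" : "flood-5to3"`, and no rule with that id is defined in this file.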
@@ -1,59 +0,0 @@ -<events> -<!-- <event id="garbagemeter" class="garbagemeter" reason="garbage exceeding threshold" risk="debug" type="public">3:6:3:3</event> --> - <event id="cyclebotnet" class="cyclebotnet" reason="botnet cyclespam" risk="high" type="part">4:4:30</event> - <event id="joinmsgquit" class="joinmsgquit" reason="joined, said something, parted/quit" risk="info" type="quit,part">3</event> - <event id="advflood" class="advsplitflood" reason="advanced distributed flooding" risk="high" type="public,part,caction">5:3</event> - <event id="asciiflood" class="asciiflood" reason="ascii art algorithm" risk="medium" type="public">20:3:3</event> - <event id="autoremove" class="re" reason="on chanserv autoremove" risk="info" type="part">^requested by ChanServ</event> - <event id="blacklist2" class="strblnew" reason="blacklist $xresult" risk="medium" type="public,part,quit,caction">blah</event> - <event id="blacklistpcre" class="strblpcre" reason="pcre blacklist $xresult" risk="medium" type="public,part,quit,caction">blah</event> - <event id="cloning" class="cloning" reason="excessive clones detected ($xresult) !clonesdetected " risk="debug" type="join">3</event> - <event id="ctcp-dcc" class="re" reason="ctcp-dcc" risk="high" type="cdcc">.*</event> - <event id="ctcp-ping" class="re" reason="channel-wide CTCP PING" risk="medium" type="cping">.*</event> - <event id="ctcp-version" class="re" reason="channel-wide CTCP VERSION" risk="medium" type="cversion">.*</event> - <event id="dcc" class="re" override="dcc-medium" reason="using the DC.C SE.ND exploit" risk="high" type="public">^DCC (SEND|S?CHAT) |\bDCC (SEND|S?CHAT) "?[A-Za-z0-9]+"? 
\d+ \d+ \d+</event> - <event id="dcc-medium" class="re" reason="using the DC.C SE.ND exploit" risk="medium" type="public">\bDCC SEND </event> - <event id="dcc-part" class="re" reason="using the DC.C SE.ND exploit in a part message" risk="high" type="part">\bDCC SEND </event> - <event id="dcc-topic" class="re" reason="setting a bad topic" risk="medium" type="topic">\bDCC SEND </event> - <event id="debugme" class="re" reason="sending a string designed to trigger a debug test alert, disregard this" risk="debug" type="public">debugantispambotdebug</event> - <event id="appleexploit" class="re" reason="using the apple corefont exploit" risk="high" type="public,caction,part">سمَـ</event> - <!--<event id="dronebl" class="dnsbl" reason="host $evhost is in dnsbl.dronebl.org ( $xresult )" risk="info" type="join">dnsbl.dronebl.org.</event>--> - <!--<event id="efnetbl" class="dnsbl" reason="host $evhost is in rbl.efnetrbl.org ( $xresult )" risk="info" type="join">rbl.efnetrbl.org.</event>--> - <event id="fakechristel" class="nuhg" reason="christel's nick but not host" risk="medium" type="join">(?i)chr[i1]ste[l1]_?!.*</event> - <event id="fakeglobal" class="re" override="notice" reason="fake global notice" risk="high" type="notice">(?i)\[global notice\]</event> - <event id="floodqueue10-20" class="floodqueue" reason="flooding (10 msgs in 20 seconds)" risk="low" type="public,caction">10:20</event> - <event id="gnaa-topic" class="re" reason="setting a GNAA topic" risk="medium" type="topic">(?i)\bgnaa\b</event> - <event id="gnaaquit" class="re" reason="quitting with a GNAA message" risk="medium" type="quit">(?i)\bgnaa\b</event> - <event id="joinflood" class="floodqueue" reason="join flood (5 joins in 20 seconds)" risk="medium" type="join">5:20</event> - <event id="keylogger" class="re" override="keylogger-medium" reason="using the norton start-key-logger exploit" risk="high" type="public">^startkeylogger$|^stopkeylogger$</event> - <event id="keylogger-medium" class="re" 
reason="using the norton start-key-logger exploit" risk="medium" type="public">\bstartkeylogger\b|\bstopkeylogger\b</event> - <event id="last_measure_regex" class="re" reason="posting what appears to be a last measure link" risk="high" type="public">(?i)(http://(\S+\.)?on\.nimp\.org|http://(\S+\.)?feenode.net|http://wikipaste\.eu|http://(\S+\.)?bioghost\.com|http://(\S+\.)?on\.zoy\.org|http://(lastmeasure|dirtysanchez|doom3|freeipods|halflife2|halo2|lastmeasure4|lastmeasureunified|softmeasure|traceroute)\.zoy\.org)</event> - <event id="levenflood" class="levenflood" override="flood-5to3" reason="levenshtein flood match" risk="low" type="public">contentisuseless</event> - <event id="malspreader1" class="nuhg" reason="suspicious NUHG, rule 1" risk="low" type="join">.*!~NUMONE@.*!REAL_NAME</event> -<!-- <event id="genspammer1" class="nuhg" reason="suspicious NUHG, rule 2" risk="info" type="join">(?i)(.*!.*MURDERC@.*!.*|[A-Z]{2}MURDERCORP!.*|chrisbradley)</event> --> - <event id="genspammer2" class="nuhg" reason="suspicious NUHG, rule 3 (~hyd trolling 2012/12, 2013/03)" risk="info" type="join">.*!~hyd@.*!.*</event> - <event id="massflood" class="splitflood" reason="distributed flooding" risk="high" type="public,caction">4:4</event> - <event id="meepsheep1" class="nuhg" reason="common troll (meepsheep)" risk="info" type="join">(?i).*..psh..p.*</event> - <event id="nickspam" class="nickspam" reason="nickspamming" risk="high" type="public">60:10</event> - <event id="notice" class="re" reason="sending a notice to the channel" risk="medium" type="notice">.*</event> - <event id="phishing1" class="re" override="notice" reason="trying to steal passwords (v1)" risk="high" type="notice">identify.*/msg .* identify <password></event> - <event id="phishing2" class="re" override="notice" reason="trying to steal passwords (v2)" risk="high" type="notice">^This nickname is registered</event> - <event id="redarmyoflol" class="re" reason="parting with 'red army of lol'" risk="low" 
type="part">RED ARMY OF LOL</event> - <event id="sms_spam" class="re" reason="spam link / virus" risk="low" type="public">\.com/sms.exe</event> - <!--<event id="sorbsbl" class="dnsbl" reason="host $evhost is in dnsbl.sorbs.net ( $xresult )" risk="info" type="join">dnsbl.sorbs.net.</event>--> - <event id="suckmynick" class="re" reason="using a potentially offensive nick" risk="low" type="join">(suck.*dick)</event> - <event id="wikifags2" class="re" reason="saying 'sure are a lot of wikifag'..." risk="low" type="public">(?i)^sure are a ?lot of .*fags? in here</event> - <event id="xchatbroad" class="re" reason="using an x-chat for windows unicode exploit (broad detection version, may be error prone)" risk="low" type="public,part,quit,caction">THISHASBEENDISABLED[ð-÷][€-¿]{3}</event> - <event id="xchatexploit" class="re" override="xchatbroad" reason="using an x-chat for windows unicode exploit" risk="high" type="public,part,quit,caction">󠁟</event> - <event id="proxylist" class="proxy" reason="IP is blacklisted" risk="info" type="join">lolz</event> - <event id="nickbl" class="nickfuzzy" reason="fuzzy matching against nick blacklist (services set)" risk="low" type="join,nick">1:chanserv,nickserv,hostserv,operserv,memoserv</event> - <event id="nickbl2" class="nickfuzzy" reason="fuzzy matching against nick blacklist (set 2)" risk="debug" type="join,nick">1:incog,meepsheep,blackman,brthmthr,patroclus_rex</event> - <event id="nickbl_impersonate" class="nickfuzzy" reason="fuzzy matching against nick blacklist (impersonation set), see ;falsematch if in error" risk="medium" type="join,nick">2:botchlab,bremmyfag,ilbelkyr,bremsstrahlung,ishanyx</event> - <event id="botnickbl" class="nickbl" reason="matches against a possible bot nick" risk="info" type="join,nick">contentisuseless</event> - <event id="botpattern1" class="nuhg" reason="matches probable botnet pattern" risk="debug" type="join">DISABLED[A-Za-z]{4}\d+!~[A-Za-z]{4}@.*![A-Za-z]{4}</event> - <event id="banevade" 
class="banevade" reason="appears to be ban evading" risk="info" type="join">contentisuseless</event> - <event id="joinfloodquiet" class="floodqueue2" reason="join flood (3 joins in 90 seconds) by quieted user" risk="low" type="join">3:90</event> - <event id="invite" class="invite" reason="invited to a channel" risk="debug" type="invite">blah</event> - <event id="urlcrunch" class="urlcrunch" reason="URL that resolves to some place that is bad" risk="medium" type="public">^(https?:\/\/bitly.com\/a\/warning|https?://(?:i.)?imgur.com|https?://(?:www.)?hotxgirls.net)</event> - <!--<event id="incredibl" class="dnsbl" reason="host $evhost is in dnsbl.incredibl.org ( $xresult )" risk="info" type="join">dnsbl.incredibl.org.</event>--> -</events> diff --git a/config-default/settings.json b/config-default/settings.json new file mode 100644 index 0000000..6b6347c --- /dev/null +++ b/config-default/settings.json @@ -0,0 +1,35 @@ +{ + "altnicks" : [ + "AntiSpamMeta_", + "AntiSpamMeta2" + ], + "autojoins" : "#antispammeta", + "debugchan" : "#antispammeta-debug", + "log" : { + "actiondir" : "actionlogs/", + "detectdir" : "detectlogs/", + "dir" : "logs/", + "filefmt" : "-%Y-%m-%d.log", + "timefmt" : "%Y-%m-%d %T ", + "zone" : "GMT" + }, + "masterchan" : "#antispammeta", + "nick" : "AntiSpamMeta", + "pass" : {}, + "port" : "6697", + "realname" : "I am a new AntiSpamBot in the making.", + "server" : [ + "irc.freenode.net" + ], + "ssl" : "1", + "username" : "MetaBot", + "web" : { + "groupfile" : "/var/www/.htgroup", + "shortener" : { + "apikey" : "yoursecretkey", + "domain" : "yourls.org", + "secure" : "0" + }, + "userfile" : "/var/www/.htpasswd" + } +} diff --git a/config-default/settings.xml b/config-default/settings.xml deleted file mode 100644 index c9b84a0..0000000 --- a/config-default/settings.xml +++ /dev/null 
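Review bot: `"pass" : {}` in settings.json turns the empty `<pass></pass>` element into an empty object, so code that treats the server password as a string would receive a hash reference instead of an empty value; `"pass" : ""` or `"pass" : null` states the intent. The old XML parser may have produced the same structure, and the consumer is not part of this diff, so confirm how the value is handled before it reaches the server. `"autojoins" : "#antispammeta"` is likewise a bare string while `"server"` and `"altnicks"` are arrays. `"secure" : "0"` under `shortener` presumably sends the API key over plain HTTP by default, and `"secure" : "1"` would be the safer default.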
@@ -1,37 +0,0 @@
-<settings>
- <altnicks>
- <altnick>AntiSpamMeta_</altnick>
- <altnick>AntiSpamMeta2</altnick>
- </altnicks>
- <autojoins>
- <autojoin>#antispammeta</autojoin>
- </autojoins>
- <debugchan>#antispammeta-debug</debugchan>
- <log>
- <actiondir>actionlogs/</actiondir>
- <detectdir>detectlogs/</detectdir>
- <dir>logs/</dir>
- <filefmt>-%Y-%m-%d.log</filefmt>
- <timefmt>%Y-%m-%d %T </timefmt>
- <zone>GMT</zone>
- </log>
- <masterchan>#antispammeta</masterchan>
- <nick>AntiSpamMeta</nick>
- <pass></pass>
- <port>6697</port>
- <ssl>1</ssl>
- <realname>I am a new AntiSpamBot in the making.</realname>
- <server>
- <host>irc.freenode.net</host>
- </server>
- <username>MetaBot</username>
- <web>
- <groupfile>/var/www/.htgroup</groupfile>
- <userfile>/var/www/.htpasswd</userfile>
- <shortener>
- <apikey>yoursecretkey</apikey>
- <domain>yourls.org</domain>
- <secure>0</secure>
- </shortener>
- </web>
-</settings>
diff --git a/config-default/users.json b/config-default/users.json
new file mode 100644
index 0000000..68ef65c
--- /dev/null
+++ b/config-default/users.json
@@ -0,0 +1,7 @@
+{
+ "person" : {
+ "YOU" : {
+ "flags" : "acdhps"
+ }
+ }
+}
diff --git a/config-default/users.xml b/config-default/users.xml
deleted file mode 100644
index a9ae193..0000000
--- a/config-default/users.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<people>
- <person id="YOU" flags="acdhps" />
-</people> |
