path: root/checks.txt
blob: fed59511dfbc075141cfc2e1fb6ac549c926d8b4
Overall alert system workings:
There are 6 alert levels. In order of least significant -> most significant, they are:

debug: New rules that are in need of testing. These can be extremely useful, or extremely spammy.
info: This is not meant to alert about a malicious action; rather, it is a "heads up, keep an eye out because..."
low: These are various rules that may have some false positives. The importance of response time to these varies.
medium: These are rules that are not likely to be a false positive, and very likely mean the channel should receive immediate attention.
high: These are rules with a 99% certainty that a user is attempting to be malicious.
"opalert": The bot will never show an "opalert" risk threat on its own; rather, this level indicates who to ping when someone calls !ops

A user set to be pinged for any given level will be pinged for all higher levels.
For example, if a user is set to be pinged for "low", they'll be pinged for "opalert", but not "info".

In no particular order, the bot:

* Checks for what it thinks is a botnet cycling in a channel to spam
* Checks for nicks that join just to spam something and then leave
* Checks for various kinds of flooding - even distributed over multiple nicks - and has anti-anti-detection measures
* Checks for ascii-art pasting
* Checks channel messages against a large array of blacklisted strings
* Detects several IRC exploits
* Detects channel-ctcps (mostly deprecated thanks to cmode +C)
* Detects channel-notices
* Checks channel messages against a few regexes that are always spammy
* Detects some phishing attempts
* Detects some types of attempted ban evasion
* Detects some malicious shorturls