<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<title>SecureServ Manual</title>

<para>Welcome to the SecureServ Manual. This document will aid you in
setting up and running SecureServ on your IRC network.</para>

<para>SecureServ is an advanced IRC Trojan detector, much like a virus
scanner, but aimed at IRC networks. Using several different methods,
including, but not limited to, version checks, behaviour analysis and general
pattern matching, it aims to detect Trojans and viruses as well as
FloodBots that connect to your IRC network.</para>

<para>SecureServ's "brains" are based on a "definition
file" or dat file, which contains information on how to detect the
Trojans. This means that updating SecureServ's detection for new
Trojans/Bots only requires that you download a new dat file (which can be
automated). There are some pre-conditions to obtaining new dat files, and
these can be found in the Installation chapter.</para>

<para>Additionally, with the 1.0 version of SecureServ, we now support a
"customised" dat file to which administrators can add their own
signatures to help detect new or unsupported clients/trojans (e.g.
Bottlers). This requires some programming knowledge, and more information
about the customviri.dat file can be found in the "Custom
Definitions" chapter.</para>

<para>SecureServ can detect Trojans/viruses or "security risks"
to your network in a number of ways, including:</para>

<itemizedlist>
<listitem>
<para>CTCP Version Checks</para>
</listitem>
<listitem>
<para>NickName Patterns</para>
</listitem>
<listitem>
<para>UserName (Ident) Patterns</para>
</listitem>
<listitem>
<para>RealName Patterns</para>
</listitem>
<listitem>
<para>Channel Membership Patterns</para>
</listitem>
<listitem>
<para>Private/Notice Messages</para>
</listitem>
<listitem>
<para>Channel Utilization</para>
</listitem>
<listitem>
<para>Logic Checks</para>
</listitem>
</itemizedlist>

<para>While we can detect the vast majority of Trojans, and it is easy to extend
SecureServ to detect new ones without recompiling/upgrading, it is not a
foolproof solution. Additionally, Virus/Trojan/Bot authors are getting more
and more sophisticated these days, and will always find ways to avoid
detection. SecureServ aims to reduce the load on a network administration
staff in dealing with these Trojans.</para>

<para>SecureServ is written and maintained by Justin Hammond. It requires
the NeoStats software. More information about SecureServ, or NeoStats, can
be found at <link linkend="???">http://www.neostats.net/</link></para>

<para>SecureServ is Copyright, 2004 by Justin Hammond.</para>

<sect1>
<title>Prerequisites and Installation</title>

<para>SecureServ is designed to run on top of NeoStats. The following
requirements, at the time of writing, apply to NeoStats:</para>

<itemizedlist>
<listitem>
<para>A Linux or BSD based server or shell.</para>
</listitem>
<listitem>
<para>A supported IRCd. Currently Hybrid7, Unreal, Ultimate2.x, Ultimate3.x or
NeoIRCd.</para>
</listitem>
<listitem>
<para>Some basic Unix administration skill.</para>
</listitem>
<listitem>
<para>Of course, an IRC network to connect it all together.</para>
</listitem>
</itemizedlist>

<para>Please refer to the NeoStats website for more information on the
requirements.</para>

<para>SecureServ itself requires the following:</para>

<itemizedlist>
<listitem>
<para>NeoStats 2.5.9 or higher, correctly installed and running.</para>
</listitem>
<listitem>
<para>An account on <link linkend="???">http://secure.irc-chat.net</link> is
required if you wish to take advantage of updated definition files.</para>
</listitem>
<listitem>
<para>The time to read this entire document.</para>
<warning>
<para>SecureServ has the potential to AKILL/GLINE your entire network. It is
strongly suggested that you read this entire document before even attempting
to compile SecureServ, as I'm just going to laugh if you didn't read it and
it AKILLs your entire network.</para>
</warning>
</listitem>
</itemizedlist>

<para>The requirement to have a valid account on <link linkend="???">http://secure.irc-chat.net</link>
is due to the fact that I want to have some control over who receives the
definition files. If these definition files fall into the hands of the
Trojan writers or virus writers, it is possible they might be able to
re-write their bots to avoid detection. Please see the website for more
information.</para>

<sect2>
<title>Compiling and Installation</title>

<para>As long as you have successfully set up NeoStats and installed it
correctly, compiling SecureServ is very simple and straightforward.
First you must extract the files from the download package. This is as
simple as:</para>

<screen>bash$ <command>tar -xzf SecureServ-&lt;ver&gt;.tar.gz</command></screen>

<para>This should then create a directory called
SecureServ-&lt;version&gt;, where &lt;version&gt; is the version of
SecureServ. Then change into the SecureServ directory and
run configure as follows:</para>

<screen>bash$ <command>./configure [--enable-debug | --with-neostats=&lt;dir&gt;]</command></screen>

<para>--enable-debug is only useful for diagnostic purposes when used
in conjunction with debugging tools. There should be no need to use this
option on a day to day basis.</para>

<para>--with-neostats=&lt;dir&gt; should be used if your NeoStats
directory is not in the standard location (~/NeoStats/). Replace
&lt;dir&gt; with the full path to your NeoStats installation directory
(NOT the source directory).</para>

<para>Configuring SecureServ will look something like the following
screen:</para>

<screen>[Fish@fish-dt]$ ./configure
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for pcre_compile in -lpcre... yes
checking Location of NeoStats...... /home/fish/NeoStats/
checking for /home/fish/NeoStats//include/dl.h... yes
checking Version of NeoStats...... Compatible Version
checking Whether to Enable Debuging...... no
configure: creating ./config.status
config.status: creating Makefile

(*----------------------------------------------------------*)
(| To compile your module, please type 'make'               |)
(| If make completes without errors, then you               |)
(| Must 'make install', but please be sure that NeoStats    |)
(| Is not currently running with a module of the same name  |)
(| Running, otherwise Make install will not work            |)
(| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |)
(| If you are running a BSD, make install may produce a     |)
(| Error, if that is the case, then please manually copy    |)
(| opsb.so to the NeoStats/dl directory                     |)
(| !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |)
(*----------------------------------------------------------*)
(| For Support please visit:                                |)
(| IRC: /server irc.irc-chat.org                            |)
(| #neostats channel                                        |)
(| WWW: http://www.neostats.net/boards/                     |)
(*----------------------------------------------------------*)
(|This Module was written by:                               |)
(| fish (fish@dynam.ac)                                     |)
(*----------------------------------------------------------*)
</screen>

<para>If the configuration did not produce an error, you may then move
on to compiling SecureServ. Compiling is simply a matter of issuing the
"make" command (or "gmake" if you are running BSD):</para>

<screen>[Fish@fish-dt]$ make
gcc -c -O2 -Wall -I/usr/include/pcre -I/home/fish/NeoStats//include/ -I. SecureServ.c
gcc -c -O2 -Wall -I/usr/include/pcre -I/home/fish/NeoStats//include/ -I. SecureServ_help.c
gcc -c -O2 -Wall -I/usr/include/pcre -I/home/fish/NeoStats//include/ -I. http.c
gcc -c -O2 -Wall -I/usr/include/pcre -I/home/fish/NeoStats//include/ -I. OnJoinBot.c
gcc -c -O2 -Wall -I/usr/include/pcre -I/home/fish/NeoStats//include/ -I. FloodCheck.c
ld -shared -o SecureServ.so SecureServ.o SecureServ_help.o http.o OnJoinBot.o FloodCheck.o -L/usr/lib -lpcre
</screen>

<para>Again, check for error messages. As long as there are no error
messages, "make install" will install SecureServ, this README
file, and any auxiliary files needed into your NeoStats directory:</para>

<screen>[Fish@fish-dt]$ make install
/usr/bin/install -c -m 644 SecureServ.so /home/fish/NeoStats//dl/
/usr/bin/install -c -m 644 README.SecureServ SecureServ.settings /home/fish/NeoStats//dl/../doc/
/usr/bin/install -c -m 644 viri.dat /home/fish/NeoStats//dl/../data/
</screen>

<para>If you receive *ANY* errors at all during this process, please
post them on our Support boards at http://www.neostats.net/boards/</para>

<para>Once installation is complete, you can either configure NeoStats
to load SecureServ when it starts, or load SecureServ via IRC.</para>

<para>To configure NeoStats to automatically load SecureServ when it
boots, add the following line to your "neostats.cfg" file in the
NeoStats directory:</para>

<para><command>LOAD_MODULE SecureServ</command></para>

<para>To load SecureServ via IRC, you must make sure you have the
appropriate permissions and issue the following command:</para>

<para><command>/msg neostats load SecureServ</command></para>

<para>That's it. SecureServ is now loaded and ready for use (in fact, it
will already be running now, but read on for further information).</para>
</sect2>
</sect1>

<sect1>
<title>Basic Configuration</title>

<para>SecureServ is completely configured online via IRC. When you first
start up SecureServ, it attempts some "sane" defaults for you to get
started with, but you should always review these settings as soon as you
install. There are a few important settings you may want to review right
away. They are:</para>

<itemizedlist>
<listitem>
<para>Exclusion Lists - You should set up an exclude list for your IRC
services server (NickServ etc.)</para>
</listitem>
<listitem>
<para>Username and Password for Dat File Updates</para>
</listitem>
<listitem>
<para>System Messages sent to users</para>
</listitem>
</itemizedlist>

<para>These are outlined below:</para>

<sect2>
<title>Exclusion Lists</title>

<para>Exclusion lists allow you to specify certain hostmasks, servers,
or channels that should be excluded from monitoring by SecureServ. This
exclusion list would allow an administrator to, say, allow on users that
are matched against Trojans, when the administrator has verified that
the Trojan does not in fact exist on the user's host. Additionally,</para>

<caution>
<para>Exclusions should be set up for your services server, so that
SecureServ does not try to scan ChanServ, NickServ, or any of the
bots relating to nickname protection.</para>
</caution>

<para><emphasis role="bold">Adding an Entry</emphasis></para>

<para>To add an entry to the Exclusion list, use the following format:</para>

<screen>/msg SecureServ exclude add &lt;host/Server/Channel&gt; &lt;type&gt; &lt;reason&gt;</screen>

<para>Where:</para>

<para>&lt;host&gt; = The hostname, server or channel name. Wildcards ?
and * are permitted.</para>

<para>&lt;type&gt; = The type of exclusion. 0 is for hostnames, 1 is
for servers, and 2 is for channels.</para>

<para>&lt;reason&gt; = a short description of the exclusion, for
operator reference only.</para>

<para>The output is as follows:</para>

<screen>&gt;secureserv&lt; exclude add #chan 2 Blah is my reason
-SecureServ- Added #chan (Channel) exception to list</screen>

<para><emphasis role="bold">Listing an Entry</emphasis></para>

<para>To list the exclusions, simply type:</para>

<screen>/msg SecureServ exclude list</screen>

<para>and all the current exclusions are listed. Additionally, a
position number is provided for use with the delete command. The output
is as follows:</para>

<screen>&gt;secureserv&lt; exclude list
-SecureServ- Exception List:
-SecureServ- 1) *.blah.com (Server) Added by Fish for Blah is my reason
-SecureServ- 2) is.blah.com (HostName) Added by Fish for can by high
-SecureServ- 3) #chan (Channel) Added by Fish for Blah is my reason
-SecureServ- End of List.</screen>

<para><emphasis role="bold">Deleting an Entry</emphasis></para>

<para>To delete an entry, you should first look up the position of the
entry that you wish to delete. The format of the command is as follows:</para>

<screen>/msg SecureServ exclude del &lt;num&gt;</screen>

<para>Where:</para>

<para>&lt;num&gt; is the position of the entry you wish to delete in
the list.</para>

<para>The output of the command is as follows:</para>

<screen>&gt;secureserv&lt; exclude del 1
-SecureServ- Deleted #chan Channel out of exception list</screen>
</sect2>
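<para>The matching that an exclusion entry implies, as an added example that is not SecureServ's own code: a mask with the "?" and "*" wildcards the manual permits, an entry type (0 = HostName, 1 = Server, 2 = Channel) that must agree with the kind of name being checked, and a reason kept for operator reference. The sample list is constructed to mirror the "exclude list" output above; case-insensitive comparison is an assumption of this example, not something the manual states.</para>
<programlisting><![CDATA[
```c
/* Added example (not SecureServ's own code): matcher for exclusion-list
 * entries as the manual describes them.  '?' matches exactly one character,
 * '*' any run of characters; the type (0 = HostName, 1 = Server,
 * 2 = Channel) must agree with the kind of name being checked.
 * Case-insensitive comparison is an assumption of this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum exclude_type { EXCL_HOST = 0, EXCL_SERVER = 1, EXCL_CHANNEL = 2 };

struct exclusion {
    const char *mask;
    int type;
    const char *reason;   /* for operator reference only */
};

/* Glob-style match.  Iterative, backtracking to the most recent '*' on a
 * mismatch, so a long hostmask cannot exhaust the stack the way a naive
 * recursive matcher could. */
int mask_match(const char *mask, const char *name)
{
    const char *star = NULL;      /* mask position just after the last '*' */
    const char *backtrack = NULL; /* name position to retry from */

    while (*name) {
        if (*mask == '*') {
            star = ++mask;
            backtrack = name;
        } else if (*mask == '?' ||
                   tolower((unsigned char)*mask) == tolower((unsigned char)*name)) {
            mask++;
            name++;
        } else if (star) {
            mask = star;
            name = ++backtrack;
        } else {
            return 0;
        }
    }
    while (*mask == '*')
        mask++;
    return *mask == '\0';
}

/* Returns the index of the first entry whose type and mask both match, or
 * -1 if the name is not excluded and should therefore be scanned.  The type
 * check matters: a Server mask must not silently exempt a user host. */
int find_exclusion(const struct exclusion *list, int count, int type,
                   const char *name)
{
    int i;
    for (i = 0; i < count; i++)
        if (list[i].type == type && mask_match(list[i].mask, name))
            return i;
    return -1;
}

/* Constructed sample list mirroring the manual's "exclude list" output. */
const struct exclusion sample_list[] = {
    { "*.blah.com",  EXCL_SERVER,  "Blah is my reason" },
    { "is.blah.com", EXCL_HOST,    "can by high" },
    { "#chan",       EXCL_CHANNEL, "Blah is my reason" },
};
const int sample_count = (int)(sizeof sample_list / sizeof sample_list[0]);

int main(void)
{
    static const char *type_names[] = { "HostName", "Server", "Channel" };
    struct { int type; const char *name; } probes[] = {
        { EXCL_SERVER,  "irc.blah.com" },
        { EXCL_HOST,    "irc.blah.com" },  /* server mask must not exempt a host */
        { EXCL_HOST,    "IS.BLAH.COM" },
        { EXCL_CHANNEL, "#chan2" },
    };
    int i;
    for (i = 0; i < (int)(sizeof probes / sizeof probes[0]); i++) {
        int hit = find_exclusion(sample_list, sample_count,
                                 probes[i].type, probes[i].name);
        if (hit >= 0)
            printf("%-8s %-14s excluded by entry %d (%s)\n",
                   type_names[probes[i].type], probes[i].name,
                   hit + 1, sample_list[hit].reason);
        else
            printf("%-8s %-14s not excluded, will be scanned\n",
                   type_names[probes[i].type], probes[i].name);
    }
    return 0;
}
```
]]></programlisting>
<para>The point of the type column is the second probe: "*.blah.com" is a Server entry, so a user whose host happens to be irc.blah.com is still scanned. An exclusion that is too broad (a bare "*" host entry, for example) disables monitoring for everyone it matches, which is why the reason field and the periodic "exclude list" review are worth keeping.</para>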

<sect2>
<title>Helper Lists</title>

<para>Helper lists let you grant non-privileged users the ability to
maintain your virus help channel and help users that are infected with
viruses that can be removed with simple instructions (such as spam
viruses that infect mIRC). These users are granted the ability to
"release" an infected user from SecureServ or kill
un-cooperative or unresponsive users that SecureServ has identified as
being infected. Users that have been joined to the help channel are
"held" by SecureServ and are usually prevented from joining
other channels (if your IRCd supports this option). This can be helpful
when you need to clean up users that are infected with simple script based
viruses and you require their attention to help you clean their
computer. More information about the commands available to use on
infected users is available via the assist command detailed below.</para>

<caution>
<para>Although SecureServ limits who a "Helper" may kill (only
infected users joined to the Help Channel), you should only give out
login accounts to trusted users.</para>
</caution>

<para><emphasis role="bold">Adding an Entry</emphasis></para>

<para>To add an entry to the Helper list, use the following format:</para>

<screen>/msg SecureServ helpers add &lt;login&gt; &lt;pass&gt;</screen>

<para>Where:</para>

<para>&lt;login&gt; = The login name to use to gain access. Does not
have to be a nickname.</para>

<para>&lt;pass&gt; = The password to use to log in.</para>

<para>The output is as follows:</para>

<screen>&gt;secureserv&lt; helpers add myhelper mypass
-SecureServ- Successfully added Helper myhelper with Password mypass to Helpers List
</screen>

<para><emphasis role="bold">Listing an Entry</emphasis></para>

<para>To list the helpers, simply type:</para>

<screen>/msg SecureServ helpers list</screen>

<para>and all the helpers are listed. Additionally, if a nickname is
shown after the login name, it means that this nick is logged into
this particular helper account.</para>

<para>The output is as follows:</para>

<screen>&gt;secureserv&lt; helpers list
-SecureServ- Helpers List (2):
-SecureServ- fish (Fish)
-SecureServ- myhelper (Not Logged In)
-SecureServ- End of List.
</screen>

<para><emphasis role="bold">Deleting an Entry</emphasis></para>

<para>To delete an entry, you must provide the login name you wish to
delete. The format of the command is as follows:</para>

<screen>/msg SecureServ helpers del &lt;login&gt;</screen>

<para>Where:</para>

<para>&lt;login&gt; is the login account you wish to delete.</para>

<para>The output of the command is as follows:</para>

<screen>&gt;secureserv&lt; helpers del myhelper
-SecureServ- Deleted myhelper from Helpers List
</screen>
</sect2>

<sect2>
<title>Username and Password for Dat File Updates</title>

<para>In order to update SecureServ's detection, you need to
register for an account at http://secure.irc-chat.net/. Once you have
received your username and password via email, you can proceed to
configure SecureServ to update dat files automatically for you.
SecureServ can be configured to check for updates on a daily basis. You
can disable this automatic update if you wish, but this is covered in
the "Settings" section.</para>

<para>Once you have received your username and password, issue the
following command to SecureServ:</para>

<screen>/msg SecureServ set updateinfo &lt;username&gt; &lt;password&gt;</screen>

<para>The output should be as follows:</para>

<screen>&gt;SecureServ&lt; set updateinfo myusername myl33tpassword
-SecureServ- Update Username and Password has been updated to myusername and myl33tpassword</screen>

<para>You can then issue the following command to check that the
username and password are correct and also update your dat file to the
latest version automatically:</para>

<screen>/msg secureserv update</screen>

<para>If all goes well, SecureServ should respond with:</para>

<screen>&gt;SecureServ&lt; update
-SecureServ- Requesting New Dat File. Please Monitor the Services Channel for Success/Failure
&lt;SecureServ&gt;/#services Fish requested a update to the Dat file
&lt;SecureServ&gt;/#services DatFile Version 32 has been downloaded and installed</screen>

<para>If the update failed for any reason, you will either not receive
any message about the DatFile being downloaded and installed, or will
receive a message detailing the problem.</para>
</sect2>

<sect2>
<title>System Messages</title>

<para>SecureServ sends different messages to users depending on what is
happening. Examples of the messages it sends are a "warning
message" to users that they are about to be checked for viruses,
and also messages when it AKILLs or warns a user about a possible
"Trojan/Infection" etc. These messages can easily be customized to suit
your network, or language of choice. The different messages that
you can set are:</para>

<itemizedlist>
<listitem>
<para>"Greeting" messages</para>

<para>Greeting messages are sent to users when they sign on to your
network. They are just to inform the user that a CTCP VERSION check
is being conducted.</para>
</listitem>
<listitem>
<para>"AKILL" messages</para>

<para>AKILL messages are sent to users when they are about to be
akilled from your network due to a positive "infection". You
could provide email addresses or contact information, should the user
wish to contact you. In addition to the AKILL message, the user is
also given a URL they can view with details about their
"infection" and how to fix it.</para>
</listitem>
<listitem>
<para>"No Help Available" messages</para>

<para>As SecureServ can also detect viruses, some networks may
have channels devoted to helping users remove viruses from their
IRC clients. SecureServ has a "Helper" login function that
allows you to set up "non-oper" or "oper" users to be
helpers. If no one is logged into SecureServ and a virus infected
user is detected, instead of attempting to automatically join them to
the "Help" channel, they are akilled from the network. This
message is sent to the user to let them know that they have a virus
and should seek help.</para>
</listitem>
</itemizedlist>

<para>Setting these three types of messages is simple. Just issue the
following commands:</para>

<screen>/msg SecureServ set signonmsg &lt;message&gt;</screen>

<screen>/msg SecureServ set akillmesg &lt;message&gt;</screen>

<screen>/msg SecureServ set nohelpmsg &lt;message&gt;</screen>

<note>
<para>If you don't customize any of these messages, a default
system message is used automatically.</para>
</note>
</sect2>
</sect1>

<sect1>
<title>Detailed Configuration</title>

<para>SecureServ attempts to be as configurable as possible in order to
cater for each individual network's requirements. This in turn, though, makes
the configuration very complex. There are many settings within
SecureServ that affect how it operates, how it responds and even how it
affects the performance of NeoStats overall. Out of the box, SecureServ
provides sensible defaults for these settings, but you may wish to read
this section for details on exactly what each option does and its effect
on how SecureServ operates.</para>

<para>The following list summarizes the available options you can set in
SecureServ:</para>

<itemizedlist>
<listitem>
<para>SPLITTIME</para>
</listitem>
<listitem>
<para>VERSION</para>
</listitem>
<listitem>
<para>CHECKFIZZER</para>
</listitem>
<listitem>
<para>DOONJOIN</para>
</listitem>
<listitem>
<para>DOPRIVCHAN</para>
</listitem>
<listitem>
<para>FLOODPROT</para>
</listitem>
<listitem>
<para>CHANKEY</para>
</listitem>
<listitem>
<para>CHANLOCKTIME</para>
</listitem>
<listitem>
<para>MULTICHECK</para>
</listitem>
<listitem>
<para>MONBOT</para>
</listitem>
<listitem>
<para>MONCHANCYCLE</para>
</listitem>
<listitem>
<para>MONCHANCYCLETIME</para>
</listitem>
<listitem>
<para>REPORT</para>
</listitem>
<listitem>
<para>AUTOSIGNOUT</para>
</listitem>
<listitem>
<para>JOINHELPCHAN</para>
</listitem>
<listitem>
<para>AKILL</para>
</listitem>
<listitem>
<para>AKILLTIME</para>
</listitem>
<listitem>
<para>DOJOIN</para>
</listitem>
<listitem>
<para>NFCOUNT</para>
</listitem>
<listitem>
<para>VERBOSE</para>
</listitem>
<listitem>
<para>CYCLETIME</para>
</listitem>
<listitem>
<para>AUTOUPDATE</para>
</listitem>
<listitem>
<para>SAMPLETIME</para>
</listitem>
<listitem>
<para>HELPCHAN</para>
</listitem>
<listitem>
<para>BOTECHO</para>
</listitem>
<listitem>
<para>TREATCHANMSGASPM</para>
</listitem>
</itemizedlist>

<para>To change any of these settings, you use the Set interface in
SecureServ, e.g.:</para>

<screen>/msg SecureServ set &lt;option&gt; &lt;params&gt;</screen>

<para>To view the current settings, issue the following command:</para>

<screen>/msg SecureServ set list</screen>

<para>The following sections describe the different options, their
params, and their effect on SecureServ in detail.</para>

<sect2>
<title>SPLITTIME Setting</title>

<para>SecureServ monitors the number of joins on a channel in order to
determine if the channel is being attacked by FloodBots. In order for
SecureServ to help determine what is a FloodBot attack and what might
be a simple net-join, it examines the time the user signed on to IRC. This
value determines how long a user must be on IRC before it is determined
that their channel join is not part of a "FloodBot" attack.</para>

<para>The default setting for this option is 300 seconds (5 minutes),
which, in most cases, is ideal for most networks. You should not need to
change this value.</para>

<warning>
<para>If you set this value too high, then during a netjoin (when 2
split servers rejoin) SecureServ may determine that the users coming
back from the split are FloodBots and close down channels. Be careful
when modifying this value.</para>
</warning>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set SPLITTIME &lt;seconds&gt;</screen>
</sect2>

<sect2>
<title>VERSION Setting</title>

<para>When users sign on to your IRC network, SecureServ issues a
"CTCP VERSION" command to the clients, as many
Trojans/WarScripts/viruses have unique replies to CTCP VERSION
requests.</para>

<para>When SecureServ receives the reply, it compares it to the
definitions, and if there is a match, will take action based on the
definition file (either AKILL the user, join them to an AV help channel,
warn the operators, or just issue a warning message to the user).</para>

<para>If you wish to turn off the CTCP VERSION checks, issue the
following command:</para>

<screen>/msg SecureServ set VERSION &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>CHECKFIZZER Setting</title>

<para>SecureServ can detect the Fizzer worm on your IRC network. If you
are not affected by Fizzer, it is advisable to turn this option off, as it
affects performance.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set CHECKFIZZER &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>DOONJOIN Setting</title>

<para>This setting decides if SecureServ should perform OnJoin virus
checking. When enabled, every CYCLETIME seconds SecureServ will create
a pseudo user and join a random channel. When this setting is off,
SecureServ will not check random channels for OnJoin viruses.</para>

<para>To change this setting, issue the following command:</para>

<screen>/msg SecureServ set DOONJOIN &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>DOPRIVCHAN Setting</title>

<para>This setting controls whether SecureServ will check private
channels. Private channels are defined by the channel modes +I, +k, +s, +p
or +O. Enabling this option forces SecureServ to check these channels.
Disabling this feature means SecureServ will never check these channels
unless forced via a /msg SecureServ check &lt;chan&gt;</para>

<para>To change this setting, issue the following command:</para>

<screen>/msg SecureServ set DOPRIVCHAN &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>FLOODPROT</title>

<para>This setting enables SecureServ to monitor the channels for
possible FloodBot attacks, and to temporarily set the channel +ik when an
attack occurs. This option also requires the settings CHANLOCKTIME,
SAMPLETIME and CHANKEY to be configured in order to work correctly.</para>

<para>To change this setting, issue the following command:</para>

<screen>/msg SecureServ set FLOODPROT &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>CHANKEY</title>

<para>This setting controls what key will be used when SecureServ
"locks" a channel during an attack (+k key). You should try to
change this key regularly so that attackers cannot re-program their
floodbots to gain access to your channels with a well known key. If you
don't set this option, SecureServ uses a default key. The length of
this key is restricted, and if you try to set a key that is too long,
you will receive an error message.</para>

<para>To change this setting, issue the following command:</para>

<screen>/msg SecureServ set CHANKEY &lt;newkey&gt;</screen>
</sect2>

<sect2>
<title>CHANLOCKTIME</title>

<para>This setting controls how long SecureServ will "lock" a
channel after detecting an attack. During this time, channel
administrators/operators may remove the modes set, and SecureServ will
not mind. After this time period (+/- 10 seconds) the channel will
have the modes that SecureServ set automatically removed, so the channel
can return to normal operation.</para>

<para>To change this setting, issue the following command:</para>

<screen>/msg SecureServ set CHANLOCKTIME &lt;seconds&gt;</screen>
</sect2>
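<para>How the SPLITTIME, SAMPLETIME, CHANKEY and CHANLOCKTIME settings fit together, as an added example that is not SecureServ's own code: a join only counts toward a flood if the joining user has been on IRC for less than SPLITTIME seconds (so users pouring back in after a netsplit are ignored, which is the netjoin case the SPLITTIME warning describes); when enough such joins land inside SAMPLETIME seconds the channel is locked +ik with CHANKEY, and a timer lifts the lock after CHANLOCKTIME seconds. The join threshold, the size of the join history and the exact counting rule are assumptions of this example; the manual does not state them, and the scenarios at the bottom are constructed.</para>
<programlisting><![CDATA[
```c
/* Added example, not SecureServ's own code: a model of FLOODPROT using the
 * settings the manual names.  JOIN_THRESHOLD, MAX_RECENT and the counting
 * rule are assumptions of this example. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_RECENT 64   /* assumed: how many recent joins we remember */

struct flood_settings {
    int splittime;       /* SPLITTIME: seconds on IRC before a user is exempt */
    int sampletime;      /* SAMPLETIME: window over which joins are counted */
    int chanlocktime;    /* CHANLOCKTIME: how long the +ik lock stays */
    int join_threshold;  /* assumed: suspicious joins in the window that lock */
    const char *chankey; /* CHANKEY: the +k key used while locked */
};

struct channel_state {
    const char *name;
    time_t recent[MAX_RECENT];  /* ring buffer of suspicious join times */
    int head;
    int count;
    time_t locked_until;        /* 0 when not locked */
};

void channel_init(struct channel_state *ch, const char *name)
{
    memset(ch, 0, sizeof *ch);
    ch->name = name;
}

int channel_is_locked(const struct channel_state *ch, time_t now)
{
    return ch->locked_until != 0 && now < ch->locked_until;
}

/* Handle one JOIN.  Returns 1 if this join triggered a lock, else 0. */
int on_join(struct channel_state *ch, const struct flood_settings *cfg,
            time_t now, time_t user_signon)
{
    int i, in_window = 0;

    /* SPLITTIME: an established user is never counted as a FloodBot. */
    if (now - user_signon >= cfg->splittime)
        return 0;
    if (channel_is_locked(ch, now))
        return 0;

    ch->recent[ch->head] = now;
    ch->head = (ch->head + 1) % MAX_RECENT;
    if (ch->count < MAX_RECENT)
        ch->count++;

    for (i = 0; i < ch->count; i++)
        if (now - ch->recent[i] <= cfg->sampletime)
            in_window++;

    if (in_window >= cfg->join_threshold) {
        ch->locked_until = now + cfg->chanlocktime;
        printf("MODE %s +ik %s\n", ch->name, cfg->chankey);
        return 1;
    }
    return 0;
}

/* Periodic timer: clears the lock once CHANLOCKTIME has elapsed.
 * Returns 1 if the modes were removed on this call. */
int on_tick(struct channel_state *ch, time_t now)
{
    if (ch->locked_until != 0 && now >= ch->locked_until) {
        ch->locked_until = 0;
        printf("MODE %s -ik\n", ch->name);
        return 1;
    }
    return 0;
}

/* Constructed scenarios; each returns the 1-based index of the join that
 * locked the channel, or 0 if no lock happened. */
static const struct flood_settings demo_cfg = { 300, 10, 60, 5, "changeme" };

int scenario_floodbots(void)    /* five clients that signed on 1 s ago */
{
    struct channel_state ch;
    time_t t0 = 1000000;
    int i;
    channel_init(&ch, "#lobby");
    for (i = 1; i <= 5; i++)
        if (on_join(&ch, &demo_cfg, t0 + i / 3, t0 + i / 3 - 1))
            return i;
    return 0;
}

int scenario_netjoin(void)      /* five users back from a split, on IRC 2 h */
{
    struct channel_state ch;
    time_t t0 = 1000000;
    int i;
    channel_init(&ch, "#lobby");
    for (i = 1; i <= 5; i++)
        if (on_join(&ch, &demo_cfg, t0, t0 - 7200))
            return i;
    return 0;
}

int scenario_lock_expires(void) /* lock, then tick past CHANLOCKTIME */
{
    struct channel_state ch;
    time_t t0 = 1000000;
    int i, locked = 0;
    channel_init(&ch, "#lobby");
    for (i = 0; i < 5; i++)
        locked |= on_join(&ch, &demo_cfg, t0, t0 - 1);
    if (!locked || on_tick(&ch, t0 + 30))   /* still locked at +30 s */
        return 0;
    return on_tick(&ch, t0 + 61);           /* unlocked once 60 s have passed */
}

int main(void)
{
    printf("floodbots: lock on join %d\n", scenario_floodbots());
    printf("netjoin:   lock on join %d\n", scenario_netjoin());
    printf("expiry:    unlocked=%d\n", scenario_lock_expires());
    return 0;
}
```
]]></programlisting>
<para>Raising SPLITTIME is what turns the netjoin scenario into the floodbot scenario: with a value larger than the time the split lasted, every returning user looks freshly signed on and the channel locks, which is exactly the failure the SPLITTIME warning describes.</para>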

<sect2>
<title>MULTICHECK Setting</title>

<para>By default, when SecureServ identifies a positive match for a
Trojan/virus etc., it takes action straight away and discontinues
checking for any other matches. This option tells SecureServ that, even
if it does find a match, it should continue checking, so that the user is
warned of all matches and not just the first one found.</para>

<warning>
<para>Enabling MULTICHECK on a large network is not advised for
performance reasons.</para>
</warning>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set MULTICHECK &lt;ON/OFF&gt;</screen>
</sect2>
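<para>What MULTICHECK changes when a CTCP VERSION reply is compared against the definitions, as an added example that is not SecureServ's own code: with it off the scan stops at the first matching definition, with it on every match is collected so the user can be told about all of them. The definition entries are constructed, since the viri.dat format is not on this page, and the case-insensitive substring test stands in for the pcre regular expressions the real module links against (see the build output above); the four actions are the ones the VERSION section lists.</para>
<programlisting><![CDATA[
```c
/* Added example, not SecureServ's own code: definition-driven handling of a
 * CTCP VERSION reply, with and without MULTICHECK.  Definitions are
 * constructed; substring matching stands in for the real pcre patterns. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The actions the manual lists for a positive match. */
enum def_action { ACT_WARN_USER, ACT_WARN_OPERS, ACT_JOIN_HELPCHAN, ACT_AKILL };

struct definition {
    const char *name;    /* label reported to operators */
    const char *needle;  /* text expected in the CTCP VERSION reply */
    enum def_action action;
};

static const struct definition defs[] = {
    { "Example.Bot.A",    "xbot",      ACT_AKILL },
    { "Example.Script.B", "warscript", ACT_JOIN_HELPCHAN },
    { "Example.Client.C", "v1.0",      ACT_WARN_USER },
};
const int def_count = (int)(sizeof defs / sizeof defs[0]);

/* Case-insensitive substring search (strcasestr is not standard C). */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i;
        for (i = 0; i < n && hay[i] &&
                    tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]);
             i++)
            ;
        if (i == n)
            return 1;
    }
    return n == 0;
}

/* Compare a VERSION reply against every definition.  Indices of matching
 * definitions go to hits[] (at most max of them); the number of hits is
 * returned.  With multicheck == 0 the scan stops at the first hit, which is
 * the default behaviour the manual describes. */
int check_version_reply(const char *reply, int multicheck, int *hits, int max)
{
    int i, n = 0;
    for (i = 0; i < def_count && n < max; i++) {
        if (contains_nocase(reply, defs[i].needle)) {
            hits[n++] = i;
            if (!multicheck)
                break;
        }
    }
    return n;
}

/* Convenience wrapper: how many definitions a reply matches. */
int count_matches(const char *reply, int multicheck)
{
    int hits[16];
    return check_version_reply(reply, multicheck, hits, 16);
}

const char *action_name(enum def_action a)
{
    switch (a) {
    case ACT_WARN_USER:     return "warn user";
    case ACT_WARN_OPERS:    return "warn operators";
    case ACT_JOIN_HELPCHAN: return "join to help channel";
    case ACT_AKILL:         return "AKILL";
    }
    return "?";
}

int main(void)
{
    const char *reply = "WarScript v1.0 (xbot edition)";  /* constructed reply */
    int hits[8], n, i, mc;
    for (mc = 0; mc <= 1; mc++) {
        n = check_version_reply(reply, mc, hits, 8);
        printf("MULTICHECK %s: %d match(es)\n", mc ? "ON" : "OFF", n);
        for (i = 0; i < n; i++)
            printf("  %s -> %s\n", defs[hits[i]].name,
                   action_name(defs[hits[i]].action));
    }
    return 0;
}
```
]]></programlisting>
<para>The cost the warning refers to is visible in the loop: with MULTICHECK off, one reply costs at most the comparisons up to the first hit; with it on, every reply from every signing-on user is compared against the whole definition set.</para>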
|
|
|
|
<sect2>
|
|
<title>MONBOT Setting</title>
|
|
|
|
<para>SecureServ has the option to assign one of the random bots to stay
|
|
in a channel all the time, instead of cycling like the ONJOIN bots do.
|
|
This option sets which bot will be used to monitor the channels
|
|
specified in the MONCHAN command. A listing of available bots is
|
|
obtained via the Bots Command. .</para>
|
|
|
|
<para>To Change the setting, issue the following Command:</para>
|
|
|
|
<screen>/msg SecureServ set MONBOT <bot> </screen>
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>MONCHANCYCLE Setting</title>
|
|
|
|
<para>This setting specifies if SecureServ should cycle the
|
|
MONCHAN's periodically (by default, it cycles one channel interval
|
|
specified by the MONCHANCYCLETIME setting). This can help detect OnJoin
|
|
virus's in the channels you specify a monitor bot should be placed.</para>
|
|
|
|
<para>To Change this setting, issue the following Command:</para>
|
|
|
|
<screen>/msg SecureServ set MONCHANCYCLE <ON/OFF></screen>
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>MONCHANCYCLETIME Setting</title>
|
|
|
|
<para>This setting specified the interval that SecureServ will cycle one
|
|
of the monchans. By Default, if MONCHANCYCLE is enabled, every 30
|
|
minutes, one of the MONCHAN's be selected and the monbot will cycle
|
|
the channel looking for ONJOIN virus's. For example, if you are
|
|
monitoring 4 channels, each channel will only be cycled every 2 hours
|
|
(30 minutes x 4 channels) so you should adjust this value accordingly.
|
|
</para>
|
|
|
|
<para>To Change this setting, issue the following Command:</para>
|
|
|
|
<screen>/msg SecureServ set MONCHANCYCLETIME <seconds></screen>
|
|
</sect2>
|
|
|
|
<sect2>
<title>REPORT Setting</title>

<para>SecureServ has the option to report positive infections to the
secure.irc-chat.net site, both for statistical purposes and, in future, for a
blacklist-type setup. Enabling this option means that statistics about
infections can be reported to you on the secure.irc-chat.net site, as
well as providing summarised data to the public. No private information,
such as infected hostnames or your network's infection rate, is reported
to the public; see the secure.irc-chat.net site for more
information.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set REPORT &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>AUTOSIGNOUT Setting</title>

<para>SecureServ has the ability to automatically log out helpers who
set themselves away while logged in. This ensures that infected users are
only joined to the help channel if a helper is available to help them.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set AUTOSIGNOUT &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>JOINHELPCHAN Setting</title>

<para>SecureServ can optionally join the help channel when the first
helper logs in, and leave the help channel when the last helper logs
out. No additional functionality is provided when SecureServ joins the
channel; it is only for the "look" and "feel" of having
SecureServ in your antivirus channel.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set JOINHELPCHAN &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>AKILL Setting</title>

<para>If you do not wish SecureServ to ever AKILL a user for a positive
match, turn this option off. It will then just issue a warning to all
operators about the client, and operators are free to do as they see
fit.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set AKILL &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>AKILLTIME Setting</title>

<para>This setting changes the timeout value for the AKILLs that
SecureServ sets when it detects an "infection".</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set AKILLTIME &lt;SECONDS&gt;</screen>
</sect2>

<sect2>
<title>DOJOIN Setting</title>

<para>If SecureServ detects that a user is infected with a virus, it can
optionally join that user to an antivirus channel. If you do not operate
such a channel on your network, then disable this option. If it is
disabled, then the user will be AKILLed instead.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set DOJOIN &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>NFCOUNT Setting</title>

<para>SecureServ monitors the number of nick changes a user makes in a
10 second period. If the user exceeds a threshold, it considers the user
to be performing a "nickflood" and will akill the user from the
network. This setting controls that threshold: how many nick changes in a
10 second period a user may perform. The default is 5, which should be
suitable for most users.</para>

<para>To change this setting, issue the following command:</para>

<screen>/msg SecureServ set NFCOUNT &lt;number&gt;</screen>
</sect2>

<sect2>
<title>VERBOSE Setting</title>

<para>If you would like to know what SecureServ is doing (and like to be
flooded in the #services channel), then enable this option.</para>

<warning>
<para>Not recommended on a large network. SecureServ can get quite
busy!</para>
</warning>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set VERBOSE &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>CYCLETIME Setting</title>

<para>SecureServ automatically creates new "pseudo" users that
randomly join channels looking for OnJoin viruses or spam. This
option changes the interval at which SecureServ will cycle the random users
and channels. On a large network you should aim for a smaller value, so
that it covers more of your channels more quickly, but on a smaller network this
may become annoying for your users, so a higher value is recommended.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set CYCLETIME &lt;SECONDS&gt;</screen>
</sect2>

<sect2>
<title>AUTOUPDATE Setting</title>

<para>If SecureServ has been configured with a username and password (as
covered in Section 2.2), you can optionally set up SecureServ to
automatically check for and download new dat files, if available, on a daily
basis. If you prefer to manually update the dat files via /msg
SecureServ update, then disable this option.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set AUTOUPDATE &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>SAMPLETIME Setting</title>

<para>As previously mentioned, SecureServ monitors the number of joins
on a particular channel over a period of time. Within SecureServ, this
measurement is known as "Average Joins Per Period", or AJPP for
short. If this AJPP value is exceeded, SecureServ assumes that the
channel is under a floodbot attack, and will "close" the
channel.</para>

<para>This setting controls the AJPP threshold: the length of the sample
period and the number of joins within that period that will cause a
channel to be closed. Only experienced users should need to modify this
setting.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set SAMPLETIME &lt;SAMPLETIME&gt; &lt;JOINS&gt;</screen>
</sect2>
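<para>The NFCOUNT and SAMPLETIME checks described above share one mechanism: a count of events inside a trailing time window, compared against a threshold. The following Python is an added illustration of that mechanism and is not SecureServ's own code; it assumes that "exceeds" means strictly more than the threshold, takes the fixed 10 second nick-flood window from the NFCOUNT description, and uses constructed event timestamps.</para>

```python
# Added example, not SecureServ's own code: a sliding-window event counter
# applied the way the manual describes NFCOUNT (nick changes per user in a
# fixed 10 second period) and SAMPLETIME/JOINS (joins per channel in one
# sample period, the "AJPP"). Assumption: "exceeds" means strictly more
# than the threshold. All event timestamps below are constructed.
from collections import defaultdict, deque

NICKFLOOD_WINDOW = 10.0  # seconds; the manual fixes this period for NFCOUNT


class RateWindow:
    """Counts events per key inside a trailing window of 'period' seconds."""

    def __init__(self, period):
        self.period = period
        self.events = defaultdict(deque)  # key -> timestamps, oldest first

    def add(self, key, now):
        """Record one event for key at time now; return the count in window."""
        q = self.events[key]
        q.append(now)
        # Discard timestamps that have fallen out of the trailing window.
        while q and now - q[0] > self.period:
            q.popleft()
        return len(q)

    def reset(self, key):
        self.events.pop(key, None)


class FloodMonitor:
    """Applies NFCOUNT and SAMPLETIME/JOINS thresholds to a stream of events."""

    def __init__(self, nfcount=5, sampletime=5.0, joins=10):
        self.nfcount = nfcount          # default 5, as in the manual
        self.joins = joins              # JOINS argument of the SAMPLETIME setting
        self.nicks = RateWindow(NICKFLOOD_WINDOW)
        self.chans = RateWindow(sampletime)
        self.top_ajpp = (0, None)       # (most joins seen in one period, channel)
        self.actions = []               # (action, subject) a real service would take

    def nick_change(self, user, now):
        count = self.nicks.add(user, now)
        if count > self.nfcount:
            self.actions.append(("nickflood", user))  # SecureServ would akill here
            self.nicks.reset(user)
        return count

    def join(self, channel, now):
        count = self.chans.add(channel, now)
        if count > self.top_ajpp[0]:
            self.top_ajpp = (count, channel)  # what "Current Top AJPP" reports
        if count > self.joins:
            self.actions.append(("closechan", channel))  # channel is "closed"
            self.chans.reset(channel)
        return count


def run_demo():
    """Feed a constructed event stream through the monitor and return it."""
    mon = FloodMonitor(nfcount=5, sampletime=5.0, joins=10)
    # alice: 6 nick changes in 3 seconds, so the 6th exceeds NFCOUNT=5.
    for i in range(6):
        mon.nick_change("alice", i * 0.5)
    # bob: 5 changes spread over 12 seconds never reach 6 in any 10 s window.
    for i in range(5):
        mon.nick_change("bob", i * 3.0)
    # #w4f: 12 joins in 4 seconds; the 11th exceeds JOINS=10 inside SAMPLETIME=5.
    for i in range(12):
        mon.join("#w4f", 20.0 + i / 3.0)
    # #help: a quiet channel with 3 joins in the same period.
    for i in range(3):
        mon.join("#help", 20.0 + i)
    return mon


if __name__ == "__main__":
    m = run_demo()
    print("actions:", m.actions)
    print("top AJPP: %d (in %g seconds): %s"
          % (m.top_ajpp[0], m.chans.period, m.top_ajpp[1]))
```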
<sect2>
<title>HELPCHAN Setting</title>

<para>If your network has an antivirus channel set up, HELPCHAN sets that
channel name. The default is #nohack.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set HELPCHAN &lt;NAME&gt;</screen>
</sect2>

<sect2>
<title>BOTECHO Setting</title>

<para>This option makes SecureServ echo any messages that the onjoin
bots or the monbot receive to the services channel. This can help you
monitor for potentially new onjoin viruses, or monitor for spam
users.</para>

<para>To change the setting, issue the following command:</para>

<screen>/msg SecureServ set BOTECHO &lt;ON/OFF&gt;</screen>
</sect2>

<sect2>
<title>TREATCHANMSGASPM Setting</title>

<para>This option changes the way that SecureServ treats channel
messages sent to channels that either an onjoin bot is a member of, or that
are being monitored via a monbot. SecureServ has its own
list of channel messages that it considers "bad" and will act
on accordingly, but sometimes spambots will spam a channel instead of an
individual user. Enabling this option will cause SecureServ to check
channel messages against both the list of signatures for private
messages and the list of signatures for channel messages.</para>

<warning>
<para>Enabling this option is NOT a good idea if you have large
channels with lots of chatter, as it is very CPU intensive (and
will get worse as we add more PM signatures to the official viri.dat
file). You should only enable this if you enjoy wasting your CPU
cycles. Its added benefit is very small in terms of detection rates.
As an extra precaution, we make it difficult for you to enable this
option. This should give you an idea of how *bad* it is to enable.
</para>
</warning>

<para>To change this setting, issue the following command:</para>

<screen>/msg SecureServ set TREATCHANMSGASPM &lt;ON/OFF&gt;</screen>
</sect2>
</sect1>

<sect1>
<title>Operational Commands</title>

<para>SecureServ has a number of commands that you can issue to it in order
to perform checks or operations on your IRC network. These commands aid
administrators in keeping their network secure, and in keeping SecureServ
up to date.</para>

<para>The following list summarizes these commands:</para>

<itemizedlist>
<listitem>
<para>list</para>
</listitem>

<listitem>
<para>checkchan</para>
</listitem>

<listitem>
<para>cycle</para>
</listitem>

<listitem>
<para>status</para>
</listitem>

<listitem>
<para>update</para>
</listitem>

<listitem>
<para>login</para>
</listitem>

<listitem>
<para>logout</para>
</listitem>

<listitem>
<para>bots</para>
</listitem>

<listitem>
<para>monchan</para>
</listitem>

<listitem>
<para>assist</para>
</listitem>

<listitem>
<para>reload</para>
</listitem>
</itemizedlist>

<para>The following sections describe these commands in detail.</para>

<sect2>
<title>list Command</title>

<para>The list command shows a brief list of all the definitions that
SecureServ currently has loaded. These are direct from the dat file that
is downloaded from the <link linkend="???">http://secure.irc-chat.net</link>
website.</para>

<para>The format of the command is as follows:</para>

<screen>/msg SecureServ list
-SecureServ- Virus List:
-SecureServ- ===========
-SecureServ- 1) Virus: HTTPSpam. Detection: PM. Action: OpersWarn Hits: 0
-SecureServ- 2) Virus: IRCSpam. Detection: PM. Action: OpersWarn Hits: 0
-SecureServ- 3) Virus: Mirc4BUF. Detection: Version. Action: ClientWarn Hits: 0
-SecureServ- 4) Virus: Mirc5BUF. Detection: Version. Action: ClientWarn Hits: 0
-SecureServ- 5) Virus: Mirc6DCC00. Detection: Version. Action: SVSjoin Hits: 0
&lt;....snip.....&gt;
-SecureServ- 30) Virus: Botnet16. Detection: Ident. Action: Akill Hits: 0
-SecureServ- 31) Virus: Botnet18. Detection: Ident. Action: Akill Hits: 0
-SecureServ- 32) Virus: FizzerBot. Detection: Built-In. Action: Akill Hits: 0
-SecureServ- End of List.
</screen>

<para>More detail about each "Virus" can be found at the <link
linkend="???">http://secure.irc-chat.net/</link> site by searching for
the virus name.</para>
</sect2>

<sect2>
<title>checkchan Command</title>

<para>If you suspect that a user in a channel is infected with an OnJoin
virus, you can force SecureServ to check the channel on your behalf. If
SecureServ finds any infection in the channel, it will take the normal
action associated with that virus.</para>

<para>The format of the command is as follows:</para>

<screen>/msg SecureServ checkchan &lt;chan&gt;</screen>
</sect2>

<sect2>
<title>cycle Command</title>

<para>This command forces SecureServ to part the channel it is currently
checking and join the next random channel.</para>

<para>The format of the command is as follows:</para>

<screen>/msg SecureServ cycle</screen>

<para>The next channel is chosen at random, but is guaranteed not to be
the previous channel it checked.</para>
</sect2>

<sect2>
<title>status Command</title>

<para>This command gives the administrator statistics on how
SecureServ is performing, how many checks it has conducted, and which
"helper" users are currently logged in.</para>

<para>The format of the command is as follows:</para>

<screen>/msg SecureServ status
-SecureServ- SecureServ Status:
-SecureServ- ==================
-SecureServ- Virus Patterns Loaded: 17
-SecureServ- CTCP Version Messages Scanned: 106287
-SecureServ- CTCP Messages Acted On: 1729
-SecureServ- CTCP Definitions: 11
-SecureServ- Private Messages Received: 75
-SecureServ- Private Messages Acted on: 0
-SecureServ- Private Message Definitions: 3
-SecureServ- NickNames Checked: 15084
-SecureServ- NickName Acted on: 0
-SecureServ- NickName Definitions: 1
-SecureServ- Ident's Checked: 14287
-SecureServ- Ident's Acted on: 0
-SecureServ- Ident Definitions: 1
-SecureServ- RealNames Checked: 0
-SecureServ- RealNames Acted on: 0
-SecureServ- RealName Definitions: 0
-SecureServ- ChannelNames Checked: 0
-SecureServ- ChannelNames Acted on: 0
-SecureServ- ChannelName Definitions: 0
-SecureServ- Built-In Checks Run: 0
-SecureServ- Built-In Checks Acted on: 0
-SecureServ- Built-In Functions: 1
-SecureServ- AV Channel Helpers Logged in: 0
-SecureServ- Current Top AJPP: 28 (in 5 Seconds): #w4f
-SecureServ- End of List.</screen>
</sect2>

<sect2>
<title>update Command</title>

<para>This command forces SecureServ to check the dat file version at
<link linkend="???">http://secure.irc-chat.net/</link> and download the
latest version if required.</para>

<warning>
<para>Repeated use of this command in a short period of time will
result in your account at secure.irc-chat.net being suspended for
abuse. Use with CARE.</para>
</warning>

<para>The format of the command is as follows:</para>

<screen>/msg SecureServ update</screen>
</sect2>

<sect2>
<title>login Command</title>

<para>This command allows a "helper", a trusted user who mans
your antivirus or help channel, to log in to SecureServ and gain additional
functionality for handling infected users. The helpers must
have a valid login account and password, as set with the helpers command.</para>

<para>The format of the command is as follows:</para>

<screen>/msg SecureServ login &lt;login&gt; &lt;pass&gt;</screen>
</sect2>

<sect2>
<title>logout Command</title>

<para>This command allows a logged-in helper to log out of SecureServ if
they are going to be away, or not paying attention to the help channel, for a
period of time. You should encourage your helpers to log out if they
cannot provide a timely response to infected users that may be force-joined to
the channel.</para>

<para>The format of the command is as follows:</para>

<screen>/msg SecureServ logout</screen>
</sect2>

<sect2>
<title>bots Command</title>

<para>This command allows you to manipulate the list of random bots that is
used to join random channels (or channels monitored with the monchan
command, as detailed below). The available options are:</para>

<screen>/msg SecureServ bots list</screen>

<para>This option lists all available bots.</para>

<screen>/msg SecureServ bots add &lt;nick&gt; &lt;ident&gt; &lt;host&gt; &lt;realname&gt;</screen>

<para>This option adds a bot with the nickname, ident, host and realname
specified in the command to the list of bots that will be used to
randomly join a channel.</para>

<screen>/msg SecureServ bots del &lt;num&gt;</screen>

<para>This option deletes a bot from the available bots, provided it is
not currently in use.</para>
</sect2>

<sect2>
<title>monchan Command</title>

<para>This command allows you to manipulate the list of channels that
will be monitored all the time by SecureServ for private message type
viruses. The bot that joins these channels is specified by the
MONBOT option of the set command. You should also look at the
MONCHANCYCLE and MONCHANCYCLETIME options listed above, which enable
the monbot to cycle these monitored channels, because an OnJoin bot will not
check a MONCHAN channel.</para>

<screen>/msg SecureServ monchan list</screen>

<para>This option lists all the channels that will be monitored. If a
channel does not exist when SecureServ is started, the monbot will join it
when the first user joins the channel. When the last user leaves the
channel, the monbot will also leave the channel.</para>

<screen>/msg SecureServ monchan add &lt;chan&gt;</screen>

<para>This option adds a channel to be monitored.</para>

<screen>/msg SecureServ monchan del &lt;chan&gt;</screen>

<para>This option deletes a channel from the monitored list.</para>
</sect2>

<sect2>
<title>assist Command</title>

<para>This command is only available to "helpers" who have
logged into SecureServ, and is used to control SecureServ's restrictions
on users that have been identified as infected with simple viruses
and joined to a help channel. It allows the "helpers" either to
release a user from SecureServ's restrictions, or to kill
uncooperative or unresponsive users from the network. The helpers may
only perform these actions on users that SecureServ has identified as
infected with a simple virus and automatically joined to the help
channel. Helpers may not "kill" users that SecureServ has NOT
identified as infected.</para>

<para>The format of the assist command is as follows:</para>

<screen>/msg SecureServ assist release/kill &lt;target&gt;</screen>

<para>The release option allows the user to join all previous channels
and continue as normal. After release is used on a user, a helper can no
longer kill the target.</para>

<para>The kill option removes the user from the network via an akill
command and broadcasts a message to all opers indicating the helper that
used the kill command, and the initial virus the user was detected as
having.</para>
</sect2>

<sect2>
<title>reload Command</title>

<para>This command reloads the viri.dat and customviri.dat files. It is not
the same as the update command, as it does not attempt to download new dat
files from the http://secure.irc-chat.net site. It is useful if you make a
change to your customviri.dat file.</para>

<para>The format of the reload command is as follows:</para>

<screen>/msg SecureServ reload</screen>
</sect2>
</sect1>

<sect1>
<title>Custom Definitions</title>

<para>You can create your own definitions to be used by SecureServ, but it
requires a bit of programming skill, and knowledge of how to detect the
trojan/virus.</para>

<para>We have enabled SecureServ to obtain additional definitions from a
custom, administrator-defined definition file. This allows IRC
administrators to add additional signatures to SecureServ to ban clients
that the IRC network does not permit. A common signature is one for
Bottlers or IRCork clients. The only drawback is that the definition file
is not simple, and some degree of programming knowledge is required.</para>

<sect2>
<title>Custom Definitions file</title>

<para>If you wish to create your own custom definition, follow these
steps:</para>

<sect3>
<title>Create customviri.dat file</title>

<para>With a text editor, create a new file called customviri.dat in
your ~/NeoStats/data directory.</para>
</sect3>

<sect3>
<title>add entries to customviri.dat</title>

<para>The format of the customviri.dat file is as follows:</para>

<example>
<title>customviri.dat</title>

<para><emphasis>name</emphasis> <emphasis>dettype</emphasis> 0 0
"<emphasis>detectionregex</emphasis>" "<emphasis>message</emphasis>"
<emphasis>action</emphasis></para>

<para>It is very important that you follow the spacing format,
otherwise your custom definition will fail to load.</para>

<para>Each individual field is described below:</para>

<para><emphasis role="bold"><varname>name</varname></emphasis></para>

<para>This is the virus name. It can be any combination of upper and
lower case characters or numbers, but cannot contain spaces or
punctuation.</para>

<para><emphasis role="bold"><varname>dettype</varname></emphasis></para>

<para>This defines how SecureServ should use this signature to
detect trojans. It is a number and can only be one of the following:</para>

<para><emphasis role="bold"><type>0 - CTCP Version check.</type></emphasis>
This tries to match the detectionregex against a received CTCP
VERSION reply.</para>

<para><emphasis role="bold"><type>1 - Private Message.</type>
</emphasis>This tries to match the detectionregex against a private
message received by the onjoin bots or monbot.</para>

<para><emphasis role="bold"><type>2 - Nick.</type></emphasis> This
tries to match the detectionregex against a nickname.</para>

<para><emphasis role="bold"><type>3 - Ident.</type> </emphasis>This
tries to match the detectionregex against an ident.</para>

<para><emphasis role="bold"><type>4 - Realname.</type></emphasis>
This tries to match the detectionregex against a user's real name.</para>

<para><emphasis role="bold"><type>5 - Channel.</type> </emphasis>This
tries to match the detectionregex against a channel name.</para>

<para><emphasis role="bold"><type>10 - Internal.</type></emphasis>
This is reserved.</para>

<para><emphasis role="bold"><varname>detectionregex</varname></emphasis></para>

<para>This field is used to define how to detect a trojan. If, for
example, we specify a dettype of 0, then this is a
regular expression that is applied to all CTCP VERSION replies that
SecureServ receives.</para>

<warning><para>This is a "Regular
Expression" field. It is not the same as a wildcard field.
Regular expressions are a much more powerful pattern matching
language than the standard ? and * options available in typical
filesystem or IRC pattern matching code. If you have never used
regular expressions before, I STRONGLY suggest you test your
"regular expression" code with a utility called
"pcretest", available as part of libpcre at www.pcre.org.
Additionally, you should try to learn the pattern matching language.
This can be done by looking at the man page for "perlre" or
the documentation available on www.pcre.org. If you get your pattern
matching code wrong, you have the ability to kill everyone on your
IRC network, so be extremely careful.</para></warning>

<para>This field must be enclosed in double quotation marks (")
and if you use " in your regular expression, you must escape
it.</para>

<para><emphasis role="bold"><varname>message</varname></emphasis></para>

<para>This is the private message sent to the "infected"
user when they are matched against this definition. As
customviri.dat definitions do not direct users to the
secure.irc-chat.net site, you should provide as much information as
possible in this message, or optionally direct them to your own hosted
page. You should place your message inside double quotation marks
(") and if you use " in your message, you must
escape it.</para>

<para><emphasis role="bold"><varname>action</varname></emphasis></para>

<para>This field defines what SecureServ should do when it matches a
user against this definition. The field is a number only and must
be one of the following.</para>

<para><emphasis role="bold"><type>0 - SVSJOIN.</type></emphasis> On
IRCds that support SVSJOIN, the user is automatically joined to the
help channel, and any online opers are notified of the user's
infection. If no helpers are logged in, then the user is akilled
instead.</para>

<para><emphasis role="bold"><type>1 - AKILL.</type></emphasis> Akill
the user from the IRC network.</para>

<para><emphasis role="bold"><type>2 - WARN.</type></emphasis> Send
the message to the user indicating they matched a definition, warn
the operators via a global message, and do nothing else.</para>

<para><emphasis role="bold"><type>3 - NOTHING.</type></emphasis>
Only send the message to the user. Do not take any further action.</para>

<para>We don't support any customviri.dat definitions, either via
the secure.irc-chat.net site or via our boards, though members of
the community may choose to share their customviri.dat files. If you
are in doubt or unsure about creating your own customviri.dat files,
you should always test them with the WARN or NOTHING option as the
action type until you are sure that you have the matching correct.</para>
</example>
</sect3>
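<para>The line format, the dettype and action codes, and the advice to test with the WARN or NOTHING action described above can be exercised offline before a definition is loaded. The following Python is an added example and is not SecureServ's own code; it uses Python's re module in place of the libpcre engine, assumes SecureServ matches patterns unanchored (so ^ is needed to pin a pattern to the start of a value), and works on a constructed customviri.dat and constructed sample values.</para>

```python
# Added example, not SecureServ's own code: a parser for the customviri.dat
# line format described above and a dry-run matcher that applies each
# definition to constructed sample data and reports which action it would
# fire. Python's re module stands in for the libpcre engine SecureServ uses;
# the simple patterns here behave the same, but test real rules with pcretest.
# Assumption: SecureServ matches unanchored (like pcre_exec), so ^ is needed
# to pin a pattern to the start of the value.
import re

DETTYPE = {0: "version", 1: "pm", 2: "nick", 3: "ident", 4: "realname",
           5: "channel", 10: "internal"}
ACTION = {0: "SVSJOIN", 1: "AKILL", 2: "WARN", 3: "NOTHING"}
SAFE_ACTIONS = (2, 3)  # the manual's advice for testing a new definition

# name dettype 0 0 "detectionregex" "message" action ; quoted fields may hold \"
LINE_RE = re.compile(
    r'^([A-Za-z0-9]+)\s+(\d+)\s+0\s+0\s+'
    r'"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s+(\d+)\s*$')


class DefinitionError(ValueError):
    """Raised for a line that SecureServ would fail to load."""


def parse_line(line):
    """Parse one customviri.dat line into a dict, or raise DefinitionError."""
    m = LINE_RE.match(line)
    if not m:
        raise DefinitionError("bad field layout: " + line)
    name, dettype, regex, message, action = m.groups()
    dettype, action = int(dettype), int(action)
    if dettype not in DETTYPE:
        raise DefinitionError("unknown dettype %d in %s" % (dettype, name))
    if action not in ACTION:
        raise DefinitionError("unknown action %d in %s" % (action, name))
    try:
        compiled = re.compile(regex.replace('\\"', '"'))
    except re.error as exc:
        raise DefinitionError("bad regex in %s: %s" % (name, exc))
    return {"name": name, "dettype": dettype, "regex": compiled,
            "message": message.replace('\\"', '"'), "action": action}


def is_loadable(line):
    """True if parse_line accepts the line; handy for checking a file by hand."""
    try:
        parse_line(line)
        return True
    except DefinitionError:
        return False


def parse_file(text):
    """Parse every non-blank line; definitions keep file order."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def match(defs, dettype, value):
    """Return the first definition of this dettype whose regex matches value."""
    for d in defs:
        if d["dettype"] == dettype and d["regex"].search(value):
            return d
    return None


def dry_run(defs, samples):
    """Apply defs to (dettype, value) samples. Each hit is reported as
    (value, name, action name, safe) where safe is True for WARN/NOTHING."""
    report = []
    for dettype, value in samples:
        d = match(defs, dettype, value)
        if d:
            report.append((value, d["name"], ACTION[d["action"]],
                           d["action"] in SAFE_ACTIONS))
    return report


# Constructed customviri.dat contents and sample values for the demonstration.
SAMPLE_DAT = '''
Bottler 0 0 0 "^Bottler" "Bottler clients are not permitted on this network" 2
PrizeSpam 1 0 0 "(?i)free.*prize" "Your client is sending spam; please scan it" 3
'''
SAMPLES = [(0, "Bottler v1.0 test build"),
           (0, "mIRC v6.16 Khaled Mardam-Bey"),
           (1, "CLICK here for a FREE prize"),
           (2, "Bottler")]  # a nick: no dettype 2 definition, so no hit

if __name__ == "__main__":
    for hit in dry_run(parse_file(SAMPLE_DAT), SAMPLES):
        print(hit)
```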
<sect3>
<title>Reload the definitions</title>

<para>If SecureServ is already operating, you can reload the
definitions by issuing a /msg SecureServ reload command. This will
make SecureServ reload both the viri.dat file and the
customviri.dat file. Your customviri.dat entries will be placed before
any viri.dat entries, so if you wish to override the action of a
viri.dat entry, you can place a copy in the customviri.dat file.</para>
</sect3>
</sect2>
</sect1>

<sect1>
<title>Final Words</title>

<para>This section is my "rant" for SecureServ. Although you
don't need to read it to operate SecureServ, it does provide you with some
tips.</para>

<sect2>
<title>Dealing with Undetected Attacks/Trojans/Viruses etc.</title>

<para>If you come across a new "trojan", virus or attack on
your network, it might be possible to update SecureServ to be able to
detect these new "viruses".</para>

<para>If you wish us to consider adding support to SecureServ's
definition files for new "viruses", please provide us with
the following information via http://secure.irc-chat.net/ using the
"submit new" link (only available when logged in as a member).</para>

<para>The following information is required:</para>

<itemizedlist>
<listitem>
<para>The output from /whois &lt;infected user&gt;</para>

<para>If there are multiple infected users, please provide multiple
/whois outputs. This will aid us in determining a pattern.</para>
</listitem>

<listitem>
<para>The results from a /ctcp &lt;infected user&gt; version
command, if any</para>
</listitem>

<listitem>
<para>Logfile extracts of the behaviour of the bot that makes you
suspect it is a new trojan/virus</para>

<para>We will NOT add detection to SecureServ for anything we
cannot verify is in fact a risk to IRC security. If you submit to us
the details of a script that a user is using because you don't
like the colors, tough. Find some other way to deal with that user.</para>
</listitem>

<listitem>
<para>Details of your IRC network</para>

<para>So that we may contact you directly on your network if we
require additional information, or wish to observe the "virus" in the
wild.</para>
</listitem>
</itemizedlist>

<para>Before adding new items to the definitions, we do as much research
as possible, and also share this information with other "IRC
security" professionals or teams in order to determine the most
effective way to detect this "infection".</para>

<para>Additionally, we will add "warning" messages for users that
are running old copies of IRC software that are vulnerable to security
issues (such as allowing an attacker to break into the user's computer via
IRC) and advise the user to upgrade their IRC client. If you are the
author of a script or IRC client that has had security issues in
the past, and wish us to add this "warning" to the definitions,
please contact us directly.</para>
</sect2>
</sect1>
</article>