Banning multiple file extensions..
Hi, I'm about to add about 30 file extensions to ban, to prevent the automated spreading of viruses via DCC in case any of my users gets infected.
Instead of adding them separately to the unreal conf file line by line in the "Ban extension block", is there a way to shorten up the code?
Thanks in advance
-
- Posts: 44
- Joined: Mon Jan 24, 2005 6:10 pm
Yeah, I don't want to restrict them that much.
I just want to block out the bad extensions that will carry executable code.
I'm just looking to protect my users from viruses/worms that spread via DCC.
Thanks.
Would it be possible to throw all the bans in a txt file, then point the "extension ban block" to the txt file?
-
- Head of Support
- Posts: 2085
- Joined: Tue Jun 15, 2004 8:50 pm
- Location: Chino Hills, CA, US
- Contact:
If they are just file extensions you want to block:
Code:
spamfilter {
    regex "\.(extention1|extention2|extention3|and|just|keep|listing|them)";
    type dcc;
    reason "Some reason here";
    action whatever;
};
If they are actual filenames:
Code:
spamfilter {
    regex "(file1\.jpg|file2\.exe|file3\.bat|and|just|keep|listing|them)";
    type dcc;
    reason "Some reason here";
    action whatever;
};
Be sure to use proper regex's!
Yeah stealth, just .extension like .vbs, .bat, etc...
I guess I will try the TOP code you wrote and throw it in my spamfilter.
Thank you for your help, appreciate it.
I am learning regex slowly.. Does this look correct?
spamfilter {
regex "\.(.bat|.vbs|.scr|.eml|.ini|.com|.vb|.chm)";
type dcc;
reason "Possible Virus";
action whatever; <-------- i just dont want the dcc to go thru./drop the DCC.
};
Is it OK if I added the . before the extension? Thanks again.
-
- Head of Support
- Posts: 2085
- Joined: Tue Jun 15, 2004 8:50 pm
- Location: Chino Hills, CA, US
- Contact:
This will do:
Code:
spamfilter {
    regex "\.(bat|vbs|scr|eml|ini|com|vb|chm)";
    type dcc;
    reason "Possible Virus";
    action block;
};
You don't need the . before each extension... that will make it not work
EDIT: Some stuff
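Added example, not part of the original posts: an offline check of the regex shapes discussed above, using Python's `re` as a stand-in for the server's regex engine. The sample filenames, the `$`-anchored variant, case-insensitive matching and the helper names `build_pattern` and `blocked` are assumptions made for the illustration.

```python
import re

# Patterns quoted from the thread.
AS_ASKED = r"\.(.bat|.vbs|.scr|.eml|.ini|.com|.vb|.chm)"  # bare '.' in the group means "any character"
AS_ANSWERED = r"\.(bat|vbs|scr|eml|ini|com|vb|chm)"

EXTENSIONS = ["bat", "vbs", "scr", "eml", "ini", "com", "vb", "chm"]


def build_pattern(extensions, anchored=True):
    """Build one alternation from a list of extensions (hypothetical helper).

    re.escape() stops characters in an extension from acting as regex syntax.
    The trailing '$' is an addition that is not in the thread: it restricts
    the match to the final extension of the filename.
    """
    body = "|".join(re.escape(ext.lstrip(".")) for ext in extensions)
    return r"\.(" + body + ")" + ("$" if anchored else "")


# Constructed sample filenames.
SAMPLES = [
    "test.vbs",
    "setup.bat",
    "README.COM",
    "double..bat",          # literal dot, then one extra character, then "bat"
    "photo.jpg",
    "notes.community.txt",  # contains ".com" in the middle of the name
]


def blocked(pattern, names=SAMPLES):
    """Return the names the pattern matches (case-insensitivity is assumed)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [name for name in names if rx.search(name)]


if __name__ == "__main__":
    for label, pattern in (
        ("as asked", AS_ASKED),
        ("as answered", AS_ANSWERED),
        ("anchored", build_pattern(EXTENSIONS)),
    ):
        print(f"{label:12} {pattern}")
        print(f"{'':12} matches: {blocked(pattern)}")
```

The pattern with the extra dots only matches names that have an additional character between the dot and the extension, so `test.vbs` passes it; the unanchored pattern catches the intended files but also `notes.community.txt`.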
Thank you, that's why I asked
*** Notice -- Loading IRCd configuration ..
-
*** Notice -- error: spamfilter.conf:210: Unknown directive 'spamfilter::type'
-
*** Notice -- error: spamfilter.conf:208: spamfilter::target is missing
-
*** Notice -- error: 2 errors encountered
-
*** Notice -- error: IRCd configuration failed to pass testing
-
- Head of Support
- Posts: 2085
- Joined: Tue Jun 15, 2004 8:50 pm
- Location: Chino Hills, CA, US
- Contact:
Oops...
That's what I get for doing it from memory
Code:
spamfilter {
regex "\.(bat|vbs|scr|eml|ini|com|vb|chm)";
target dcc;
reason "Possible Virus";
action block;
};
I had a friend DCC me. Not sure the code/filter is working.
[09:20] DCC Send from NICK rejected (prono.url, file type ignored)
if anything it should say "Possible virus" and drop the dcc.
It says file type ignored because I don't have it set as an accept extension in my IRC client. I guess I will add it as a valid accept extension, and then have him DCC again, and will see if the spamfilter drops it instead of my IRC client. Just an FYI, thnx.
Why not use the dccallow system? (include "dccallow.conf";), it's especially meant for things like this ;)
The dccallow.conf will "soft reject" all filetypes except a few known good ones that are considered "safe" (see the .conf for much more details)
If a filetype is rejected it asks if the user considers <sender> to be trusted and wants to allow the dcc from that person anyway (see /dccallow help).
Yes, I will have to try that, because the spamfilter didn't work.
[11:47] DCC Get of test.vbs from NICK complete (00:00:21 41.4 KB/Sec)
yikes.
I would have liked it to just DROP the DCC, because what if a user has auto-get on? Know what I'm saying.
/me goes to read the dccallow.conf
--this look correct? ---- thnx
/* badfiles / misc */
deny dcc { filename "*.vbs"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.eml"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.com"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.cmd"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.ini"; reason "Possible Virus"; soft yes; };
ok i got it, now to test it out.
Syzop
[12:21] DCC Get of test.vbs from NICK complete (00:00:09 37.1 KB/Sec)
I added the above to my dccallow.conf, then I went to my unrealircd.conf and added it to the include block.
include "dccallow.conf";
Then rehashed, and still I can receive the bad files. Any ideas?
Thanks.
ok now im going to try..
/* badfiles / misc */
deny dcc { filename "*"; reason "Possible Virus"; soft yes; };
then allow certain files.
will see if that works.