Banning multiple file extensions..

Posted: Tue Mar 22, 2005 5:57 am
by fluid
Hi, I'm about to add about 30 file extensions to ban, to prevent the automated spreading of viruses via DCC in case any of my users gets infected.

Instead of adding them separately to the Unreal conf file line by line in the "Ban extension block", is there a way to shorten up the code?


Thanks in advance

Posted: Tue Mar 22, 2005 6:00 am
by RandomNumber
Only way I can think of is to ban all DCCs using the asterisk (*)

Posted: Tue Mar 22, 2005 6:05 am
by fluid
Yeah, I don't want to restrict them that much.

I just want to block out the bad extensions that will carry executable code.
I'm just looking to protect my users from viruses/worms that spread via DCC.

Thanks.

Would it be possible to throw all the bans in a txt file, then point the "extension ban block" to the txt file?

Posted: Tue Mar 22, 2005 6:14 am
by Stealth
If they are just file extensions you want to block:

Code:

spamfilter {
  regex "\.(extention1|extention2|extention3|and|just|keep|listing|them)";
  type dcc;
  reason "Some reason here";
  action whatever;
};

If they are actual filenames:

Code:

spamfilter {
  regex "(file1\.jpg|file2\.exe|file3\.bat|and|just|keep|listing|them)";
  type dcc;
  reason "Some reason here";
  action whatever;
};

Be sure to use proper regexes!

Posted: Tue Mar 22, 2005 6:21 am
by fluid
Yeah Stealth, just .extension like .vbs, .bat, etc...

I guess I will try the TOP code you wrote and throw it in my spamfilter.


Thank you for your help, appreciate it.

I am learning regex slowly.. Does this look correct?

spamfilter {
regex "\.(.bat|.vbs|.scr|.eml|.ini|.com|.vb|.chm)";
type dcc;
reason "Possible Virus";
action whatever; <-------- I just don't want the DCC to go through / drop the DCC.
};

Is it OK if I added the . before the extension? Thanks again.

Posted: Tue Mar 22, 2005 6:30 am
by Stealth
This will do:

Code:

spamfilter { 
  regex "\.(bat|vbs|scr|eml|ini|com|vb|chm)"; 
  type dcc; 
  reason "Possible Virus"; 
  action block;
}; 

You don't need the . before each extension... that will make it not work :)

EDIT: Some stuff :-P
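
Added example (not part of the original thread): Python's `re` module stands in for the IRCd's regex engine and runs both patterns from the posts above over constructed filenames, showing why the extra dots inside the group stop the filter from matching and that the unanchored pattern also hits `.com` in the middle of a name. The `$`-anchored variant, the case-insensitive flag, and the premise that the filter is matched against the bare filename are assumptions.

```python
import re

# Patterns quoted from the thread. They use only syntax that behaves the
# same in Python's re as in POSIX-style engines.
STEALTH = r"\.(bat|vbs|scr|eml|ini|com|vb|chm)"
FLUID = r"\.(.bat|.vbs|.scr|.eml|.ini|.com|.vb|.chm)"
# Assumption (not from the thread): anchor to the end of the filename so
# only the final extension counts.
ANCHORED = r"\.(bat|vbs|scr|eml|ini|com|vb|chm)$"

# Constructed sample filenames.
SAMPLES = [
    "test.vbs",             # the file used for testing in the thread
    "TEST.VBS",             # same extension, upper case
    "photo.jpg",            # harmless
    "notes.community.txt",  # contains ".com" in the middle
    "odd..bat",             # literal dot + any character + "bat"
]


def blocked(pattern, filename):
    """True if the pattern matches anywhere in the filename.

    Assumption: matching is case-insensitive, modelled with re.IGNORECASE.
    """
    return re.search(pattern, filename, re.IGNORECASE) is not None


def evaluate(pattern):
    """Map each sample filename to whether the pattern would block it."""
    return {name: blocked(pattern, name) for name in SAMPLES}


if __name__ == "__main__":
    for label, pattern in (("stealth", STEALTH), ("fluid", FLUID),
                           ("anchored", ANCHORED)):
        print(label)
        for name, hit in evaluate(pattern).items():
            print(f"  {name:22} {'BLOCK' if hit else 'pass'}")
```

In the pattern with the extra dots, each `.` inside the group is an unescaped "any character", so `test.vbs` passes and only names such as `odd..bat` are caught.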

Posted: Tue Mar 22, 2005 6:33 am
by fluid
Thank you, that's why I asked :D


*** Notice -- Loading IRCd configuration ..
-
*** Notice -- error: spamfilter.conf:210: Unknown directive 'spamfilter::type'
-
*** Notice -- error: spamfilter.conf:208: spamfilter::target is missing
-
*** Notice -- error: 2 errors encountered
-
*** Notice -- error: IRCd configuration failed to pass testing

Posted: Tue Mar 22, 2005 6:56 am
by Stealth
Oops...

Code:

spamfilter { 
  regex "\.(bat|vbs|scr|eml|ini|com|vb|chm)"; 
  target dcc; 
  reason "Possible Virus"; 
  action block; 
}; 

That's what I get for doing it from memory :P

Posted: Tue Mar 22, 2005 6:58 am
by fluid
I know it's late :wink:

Thank you..

/me goes to rehash

*** Notice -- Rehashing the Config file via the console
*** Notice -- Loading IRCd configuration ..
*** Notice -- Configuration loaded without any problems ..

:P

Posted: Tue Mar 22, 2005 3:16 pm
by fluid
I had a friend DCC me; not sure the code/filter is working.


[09:20] DCC Send from NICK rejected (prono.url, file type ignored)


If anything, it should say "Possible virus" and drop the DCC.

It says file type ignored because I don't have it set as an accept extension in my IRC client. I guess I will add it as a valid accept extension, then have him DCC again, and will see if the spamfilter drops it instead of my IRC client. Just an FYI, thanks.

Posted: Tue Mar 22, 2005 3:42 pm
by Syzop
Why not use the dccallow system? (include "dccallow.conf";), it's especially meant for things like this ;)
The dccallow.conf will "soft reject" all filetypes except a few known good ones that are considered "safe" (see the .conf for much more details)
If a filetype is rejected it asks if the user considers <sender> to be trusted and wants to allow the dcc from that person anyway (see /dccallow help).

Posted: Tue Mar 22, 2005 4:49 pm
by fluid
Yes, I will have to try that, because the spamfilter didn't work.

[11:47] DCC Get of test.vbs from NICK complete (00:00:21 41.4 KB/Sec)

Yikes.

I would have liked it just to DROP the DCC, because what if a user has auto-get on? Know what I'm saying.

/me goes to read the dccallow.conf

--this look correct? ---- thnx

/* badfiles / misc */
deny dcc { filename "*.vbs"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.eml"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.com"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.cmd"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.ini"; reason "Possible Virus"; soft yes; };

OK, I got it, now to test it out.

Syzop :cry:

[12:21] DCC Get of test.vbs from NICK complete (00:00:09 37.1 KB/Sec)

I added the above to my dccallow.conf, then I went to my unrealircd.conf and added it to the include block.
include "dccallow.conf";

Then rehashed, and still I can receive the bad files. Any ideas?

Thanks.

OK, now I'm going to try..

/* badfiles / misc */
deny dcc { filename "*"; reason "Possible Virus"; soft yes; };

Then allow certain files.
Will see if that works.

Posted: Tue Mar 22, 2005 5:39 pm
by Syzop
ircops are immune from spamfilters and dcc blocking (and many more things ;p).

Posted: Tue Mar 22, 2005 5:43 pm
by fluid
lol doh!

No wonder why I can receive it lol..
Guess I will have to ask 2 users to try it out then.

Thanks.


OK, I re-added the code to the spamfilter & fixed the dccallow.
Now using both, it's working great.

Thanks again for the help.

Posted: Wed Mar 23, 2005 12:44 am
by RandomNumber
Or just deoper for a moment /mode YOURNICK -o