Banning multiple file extensions..

These are old archives. They are kept for historic purposes only.
fluid
Posts: 40
Joined: Fri Mar 18, 2005 4:16 am
Location: NYC

Banning multiple file extensions..

Post by fluid »

Hi, I'm about to add about 30 file extensions to ban, to prevent the automated spreading of viruses via DCC in case any of my users gets infected.

Instead of adding them separately to the Unreal conf file line by line in the "Ban extension block", is there a way to shorten up the code?


Thanks in advance
RandomNumber
Posts: 44
Joined: Mon Jan 24, 2005 6:10 pm

Post by RandomNumber »

Only way I can think of is to ban all DCCs using the asterisk (*)

Post by fluid »

Yeah, I don't want to restrict them that much.

I just want to block out the bad extensions that will carry executable code.
I'm just looking to protect my users from viruses/worms that spread via DCC.

Thanks.

Would it be possible to throw all the bans in a txt file, then point the "extension ban block" to the txt file?
Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth »

If they are just file extensions you want to block:

Code:

spamfilter {
  regex "\.(extention1|extention2|extention3|and|just|keep|listing|them)";
  type dcc;
  reason "Some reason here";
  action whatever;
};

If they are actual filenames:

Code:

spamfilter {
  regex "(file1\.jpg|file2\.exe|file3\.bat|and|just|keep|listing|them)";
  type dcc;
  reason "Some reason here";
  action whatever;
};

Be sure to use proper regexes!

Post by fluid »

Yeah Stealth, just .extension like .vbs, .bat, etc...

I guess I will try the TOP code you wrote and throw it in my spamfilter.


Thank you for your help, appreciate it.

I am learning regex slowly.. Does this look correct?

spamfilter {
regex "\.(.bat|.vbs|.scr|.eml|.ini|.com|.vb|.chm)";
type dcc;
reason "Possible Virus";
action whatever; <-------- I just don't want the DCC to go through / drop the DCC.
};

Is it OK if I added the . before the extension? Thanks again.

Post by Stealth »

This will do:

Code:

spamfilter { 
  regex "\.(bat|vbs|scr|eml|ini|com|vb|chm)"; 
  type dcc; 
  reason "Possible Virus"; 
  action block;
}; 

You don't need the . before each extension... that will make it not work :)

EDIT: Some stuff :-P
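
As an added example (not part of the original thread): the two regexes quoted above, plus an end-anchored variant that is an assumption of this example, run against constructed filenames. Python's `re` module stands in for the IRCd's regex engine, and case-insensitive matching is assumed.

```python
import re

# "dotted" and "unanchored" are quoted from the thread;
# "anchored" is an assumption added for this example.
PATTERNS = {
    "dotted": r"\.(.bat|.vbs|.scr|.eml|.ini|.com|.vb|.chm)",
    "unanchored": r"\.(bat|vbs|scr|eml|ini|com|vb|chm)",
    "anchored": r"\.(bat|vbs|scr|eml|ini|com|vb|chm)$",
}

# Constructed sample filenames: (name, should the filter block it?)
SAMPLES = [
    ("test.vbs", True),
    ("run.bat", True),
    ("PHOTO.JPG.VBS", True),        # double extension, upper case
    ("holiday.jpg", False),
    ("my.comics.jpg", False),       # ".com" only appears mid-name
    ("notes.vbackup.txt", False),   # ".vb" only appears mid-name
]


def mistakes(pattern):
    """Return (missed, overblocked) filename lists for one pattern."""
    # IGNORECASE is an assumption of this example about how the filter matches.
    rx = re.compile(pattern, re.IGNORECASE)
    missed, overblocked = [], []
    for name, should_block in SAMPLES:
        hit = rx.search(name) is not None
        if should_block and not hit:
            missed.append(name)
        elif hit and not should_block:
            overblocked.append(name)
    return missed, overblocked


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        missed, overblocked = mistakes(pattern)
        print(f"{label:10} missed={missed} overblocked={overblocked}")
```

The anchored form only helps if the filter is matched against the bare filename, which this example assumes; confirm it on a test server before relying on it.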

Post by fluid »

Thank you, that's why I asked :D


*** Notice -- Loading IRCd configuration ..
-
*** Notice -- error: spamfilter.conf:210: Unknown directive 'spamfilter::type'
-
*** Notice -- error: spamfilter.conf:208: spamfilter::target is missing
-
*** Notice -- error: 2 errors encountered
-
*** Notice -- error: IRCd configuration failed to pass testing

Post by Stealth »

Oops...

Code:

spamfilter { 
  regex "\.(bat|vbs|scr|eml|ini|com|vb|chm)"; 
  target dcc; 
  reason "Possible Virus"; 
  action block; 
}; 

That's what I get for doing it from memory :P

Post by fluid »

I know it's late :wink:

Thank you..

/me goes to rehash

*** Notice -- Rehashing the Config file via the console
*** Notice -- Loading IRCd configuration ..
*** Notice -- Configuration loaded without any problems ..

:P

Post by fluid »

I had a friend DCC me. Not sure the code/filter is working.


[09:20] DCC Send from NICK rejected (prono.url, file type ignored)


If anything it should say "Possible virus" and drop the DCC.

It says file type ignored, because I don't have it set as an accept extension in my IRC client. I guess I will add it as a valid accept extension, and then have him DCC again, and will see if the spamfilter drops it instead of my IRC client. Just an FYI, thanks.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Why not use the dccallow system? (include "dccallow.conf";), it's especially meant for things like this ;)
The dccallow.conf will "soft reject" all filetypes except a few known good ones that are considered "safe" (see the .conf for much more details)
If a filetype is rejected it asks if the user considers <sender> to be trusted and wants to allow the dcc from that person anyway (see /dccallow help).

Post by fluid »

Yes, I will have to try that, because the spamfilter didn't work.

[11:47] DCC Get of test.vbs from NICK complete (00:00:21 41.4 KB/Sec)

Yikes.

I would have liked it to just DROP the DCC, because what if a user has auto-get on? Know what I'm saying?

/me goes to read the dccallow.conf

Does this look correct? Thanks.

/* badfiles / misc */
deny dcc { filename "*.vbs"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.eml"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.com"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.cmd"; reason "Possible Virus"; soft yes; };
deny dcc { filename "*.ini"; reason "Possible Virus"; soft yes; };

OK, I got it, now to test it out.

Syzop :cry:

[12:21] DCC Get of test.vbs from NICK complete (00:00:09 37.1 KB/Sec)

I added the above to my dccallow.conf, then I went to my unrealircd.conf and added it to the include block.
include "dccallow.conf";

Then I rehashed, and I can still receive the bad files. Any ideas?

Thanks.

OK, now I'm going to try..

/* badfiles / misc */
deny dcc { filename "*"; reason "Possible Virus"; soft yes; };

Then allow certain files.
Will see if that works.

Post by Syzop »

ircops are immune from spamfilters and dcc blocking (and many more things ;p).

Post by fluid »

lol doh!

No wonder I can receive it lol..
Guess I will have to ask 2 users to try it out then.

Thanks.


OK, I re-added the code to the spamfilter and fixed the dccallow.
Now using both, it's working great.

Thanks again for the help.

Post by RandomNumber »

Or just deoper for a moment /mode YOURNICK -o