Benny Pedersen wrote:
> i have changed to use BadRelay from
> http://sa.hege.li/BadRelay.pm
> http://sa.hege.li/BadRelay.cf
After reading BadRelay.pm I see that it does not really replace
Botnet.
Some of the differences in what is checked are due to Botnet
doing DNS-lookups while BadRelay avoids that. That's fair enough
since one of the points of BadRelay is to avoid those lookups. It
does mean that BadRelay has less info to base decisions on than
Botnet though.
One difference is simply due to the fact that all BadRelay does
is simple regexp matches. BadRelay doesn't have Botnet's
check for IP in host name, which it could do without DNS lookups.
Also, it should be a small and simple change to Botnet in order
to use some of its functions without making it do its own DNS
lookups AFAICT. The eval checks "botnet_ipinhostname",
"botnet_clientwords" and "botnet_serverwords" should be able to work
without any DNS lookups with this small change. I might do a
patch for this (if there is any interest).
What would be nice though would be a plugin that:
1: Has a simple (for the user) cf option to decide on whether
*any* additional DNS lookups should *ever* be done or not.
2: If told to do lookups, does as many of those as possible
asynchronously, the way SA's DNSBL checks are done.
This would require a redesign of the plugin's structure though. I
*might* do this (in that case I'd do a completely new plugin
based on Botnet) if I get time for it, but I currently have no
way of knowing when or if that might be.
Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
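The message above argues that Botnet's "IP in host name", "client words" and "server words" checks are pure string work on the relay's rDNS name and need no DNS lookup of their own. The following is an added example (not Botnet's or BadRelay's code, and not written by the author of the message) showing those three heuristics in Python: the word lists, the sample Received header and the scoring rule are all constructed for the example, and the Received-header parser assumes the common `(rdns-name [ip])` form.

```python
import re

# Constructed word lists, an assumption for this example; Botnet's own lists differ.
CLIENT_WORDS = ("dsl", "adsl", "dial", "dialup", "dyn", "dynamic", "cable",
                "dhcp", "pool", "ppp", "client", "cust")
SERVER_WORDS = ("mail", "smtp", "mx", "relay", "mta")

# Hostname labels are split on dots, dashes and underscores.
LABEL_SPLIT = re.compile(r"[.\-_]")
# Matches the "(rdns-name [ip])" part of a Received header (assumed format).
RECEIVED_RE = re.compile(r"\(\s*([^\s\[\]()]+)\s*\[([0-9.]+)\]")

# Constructed sample header; names and addresses are documentation/RFC-1918 values.
SAMPLE_RECEIVED = (
    "Received: from 192-168-1-20.dsl.example.net "
    "(192-168-1-20.dsl.example.net [192.168.1.20])\n"
    "\tby mx.example.org (Postfix) with ESMTP id ABC123;\n"
    "\tMon, 1 Jan 2007 00:00:00 +0000"
)


def relay_from_received(header):
    """Return (rdns_hostname, ip) from a Received header, or None if absent.
    Only string parsing: no DNS is consulted."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return (m.group(1), m.group(2))


def ip_in_hostname(ip, hostname):
    """True if all four octets of the IP are embedded in the hostname,
    in forward or reverse order (separated by non-digits), or as the
    8-hex-digit form of the address. Pure string work, no lookups."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    host = hostname.lower()
    for seq in (octets, octets[::-1]):
        # Octets must be whole numbers (not preceded/followed by another digit)
        # and separated by 1-4 non-digit characters such as '-' or '.'.
        pat = r"(?<!\d)" + r"\D{1,4}".join(map(re.escape, seq)) + r"(?!\d)"
        if re.search(pat, host):
            return True
    hexform = "".join("%02x" % int(o) for o in octets)
    return hexform in host


def has_word(hostname, words):
    """True if any hostname label, with digits stripped, equals one of the words
    (so 'dsl123' and 'mail3' still count)."""
    labels = LABEL_SPLIT.split(hostname.lower())
    tokens = {re.sub(r"\d+", "", lab) for lab in labels if lab}
    return any(w in tokens for w in words)


def classify_relay(ip, rdns):
    """Run the three lookup-free checks and report which ones hit."""
    return {
        "ipinhostname": ip_in_hostname(ip, rdns),
        "clientwords": has_word(rdns, CLIENT_WORDS),
        "serverwords": has_word(rdns, SERVER_WORDS),
    }


def looks_like_bot_relay(ip, rdns):
    """Constructed combination rule: client-style naming (IP in name or a
    client word) with no server word in the name."""
    c = classify_relay(ip, rdns)
    return (c["ipinhostname"] or c["clientwords"]) and not c["serverwords"]


if __name__ == "__main__":
    relay = relay_from_received(SAMPLE_RECEIVED)
    if relay:
        rdns, ip = relay
        print(rdns, ip, classify_relay(ip, rdns), looks_like_bot_relay(ip, rdns))
```

Everything here works on the rDNS name the receiving MTA already recorded in the Received header, which is exactly the information the message says these checks can use without Botnet issuing any lookups of its own; the only thing a real plugin would add is trusting that name only from trusted relays.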