> On 1/5/2011 5:11 PM, Mark Martinec wrote:
> > Btw, the BOTNET plugin also produces a FP hit for any IPv6 connection,
> > regardless of its rDNS. If someone is interested in a quick hack
> > patch, I can post it.
>
> Mark, please do post the patch. It's good to see that someone is
> supporting this plugin.
>
> Bill
Well, I'm not supporting it, it's long been neglected. Nevertheless, out of necessity, here is a quick hack to prevent Botnet FPs on IPv6 connections (that came with a bunch of emitted warnings that accompanied each such mail message). The patch is against Botnet-0.8:

--- Botnet.pm.ori 2007-08-06 03:53:55.000000000 +0200 +++ Botnet.pm 2011-01-06 14:56:12.009017547 +0100 @@ -703,4 +703,6 @@ my ($resolver, $query, $rr, $i, @a); + return 1 if defined $ip && $ip =~ /:/; # does not handle IPv6 + if ( (defined $name) && ($name ne "") && @@ -757,4 +759,5 @@ unless ( (defined ($name)) && ($name ne "") ) { return 0; } + unless ($ip =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/) { return 0; } ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets

For completeness, here is a re-post of Daniel J McDonald's patch to avoid Botnet stalling on certain unresponsive DNS servers (posted on 2007-06-15: http://marc.info/?t=118133681000003 ):

--- Botnet.pm.ori 2007-08-06 03:53:55.000000000 +0200 +++ Botnet.pm 2011-01-06 14:57:38.904353641 +0100 @@ -711,5 +711,14 @@ (defined $max) && ($max =~ /^-?\d+$/) ) { - $resolver = Net::DNS::Resolver->new(); + $resolver = Net::DNS::Resolver->new( + udp_timeout => 5, + tcp_timeout => 5, + retrans => 0, + retry => 1, + persistent_tcp => 0, + persistent_udp => 0, + dnsrch => 0, + defnames => 0, + ); if ($query = $resolver->search($name, $type)) { # found matches @@ -834,5 +843,14 @@ my ($ip) = @_; my ($query, @answer, $rr); - my $resolver = Net::DNS::Resolver->new(); + my $resolver = Net::DNS::Resolver->new( + udp_timeout => 5, + tcp_timeout => 5, + retrans => 0, + retry => 1, + persistent_tcp => 0, + persistent_udp => 0, + dnsrch => 0, + defnames => 0, + ); my $name = "";

Btw, is there any more recent version than 0.8 from 2007?

Mark
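Review bot: in the hunk at line 703, `return 1 if defined $ip && $ip =~ /:/;` is a fail-open default that the comment "does not handle IPv6" does not make explicit; the caller cannot tell a real DNS match from "skipped because IPv6", so the comment should say that IPv6 connections are deliberately treated as passing. The `/:/` test also matches IPv4-mapped forms such as `::ffff:192.0.2.1` (constructed example), which carry an IPv4 address the existing octet checks could still evaluate after stripping the `::ffff:` prefix rather than being exempted wholesale.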
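Review bot: the hunk at line 757 tests `$ip` without a `defined` check, unlike the line 703 hunk, so an undefined `$ip` still produces an "uninitialized value in pattern match" warning before the octet split; `unless (defined $ip && $ip =~ /^(?:\d{1,3}\.){3}\d{1,3}\z/) { return 0; }` closes that. The two hunks also choose opposite defaults for non-IPv4 input (`return 1` at line 703, `return 0` here); a one-line comment at each site explaining why the defaults differ would save the next reader from assuming one of them is a mistake.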
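Review bot: the hunk at line 711 gives no rationale for the option values, and `retrans => 0` with `retry => 1` means a single attempt with no retransmission, so one dropped UDP datagram becomes a failed lookup; combined with the 5-second `udp_timeout`/`tcp_timeout` this bounds the stall per query, which is the point of the patch and should be stated in a comment next to the constructor. The hard-coded `5` would also be clearer as a named value so the timeout can be tuned in one place.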
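Review bot: the hunk at line 834 repeats the identical eight-option resolver block from the line 711 hunk; moving the construction into one small helper (a hypothetical `_new_resolver()`, for instance) keeps the two call sites from drifting apart when the timeouts are next adjusted, and since `persistent_udp` and `persistent_tcp` are both off there is no socket state that would argue for keeping them separate.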