Re: BOTNET rules question

Thu, 06 Jan 2011 06:13:48 -0800 

> On 1/5/2011 5:11 PM, Mark Martinec wrote:
> > Btw, the BOTNET plugin also produces a FP hit for any IPv6 connection,
> > regardless of its rDNS. If someone is interested in a quick hack
> > patch, I can post it.
> 
> Mark, please do post the patch.  It's good to see that someone is
> supporting this plugin.
> Bill

Well, I'm not supporting it, it's long been neglected.
Nertheless, out of necessity, here is a quick hack to prevent
Botnet FPs on IPv6 connections (that came with a bunch of
emitted warnings that accompanied each such mail message).
The patch is against Botnet-0.8 :


--- Botnet.pm.ori       2007-08-06 03:53:55.000000000 +0200
+++ Botnet.pm   2011-01-06 14:56:12.009017547 +0100
@@ -703,4 +703,6 @@
    my ($resolver, $query, $rr, $i, @a);
 
+   return 1  if defined $ip && $ip =~ /:/;  # does not handle IPv6
+
    if ( (defined $name) &&
         ($name ne "") &&
@@ -757,4 +759,5 @@
    
    unless ( (defined ($name)) && ($name ne "") ) { return 0; }
+   unless ($ip =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/) { return 0; }
 
    ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets





For completeness, here is a re-post of the Daniel J McDonald's patch
to avoid Botnet stalling on certain unresponsive DNS servers
( posted on 2007-06-15: http://marc.info/?t=118133681000003 )


--- Botnet.pm.ori       2007-08-06 03:53:55.000000000 +0200
+++ Botnet.pm   2011-01-06 14:57:38.904353641 +0100
@@ -711,5 +711,14 @@
         (defined $max) &&
         ($max =~ /^-?\d+$/) ) {
-      $resolver = Net::DNS::Resolver->new();
+      $resolver = Net::DNS::Resolver->new(
+               udp_timeout => 5,
+               tcp_timeout => 5,
+               retrans => 0,
+               retry => 1,
+               persistent_tcp => 0,
+               persistent_udp => 0,
+               dnsrch => 0,
+               defnames => 0,
+       );
       if ($query = $resolver->search($name, $type)) {
          # found matches
@@ -834,5 +843,14 @@
    my ($ip) = @_;
    my ($query, @answer, $rr);
-   my $resolver = Net::DNS::Resolver->new();
+   my $resolver = Net::DNS::Resolver->new(
+       udp_timeout => 5,
+       tcp_timeout => 5,
+       retrans => 0,
+       retry => 1,
+       persistent_tcp => 0,
+       persistent_udp => 0,
+       dnsrch => 0,
+       defnames => 0,
+       );
    my $name = "";
 


Btw, is there any more recent version than 0.8 from 2007 ?

  Mark

Reply via email to