This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.


For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

gseen won't find the most recent record over the botnet

Discussion of Eggdrop's code and module programming in C.
Post Reply
3
3rdBAR
Voice
Posts: 15
Joined: Mon May 15, 2006 6:39 am

gseen won't find the most recent record over the botnet

Post by 3rdBAR »

I have a botnet comprising multiple eggs on multiple networks. When I use gseen to find out when and where a particular nick was last seen, gseen wants to stop at the first bot it queries who has seen the particular nick. It does this regardless of whether the instance it finds is much older than instances of the same nick on other bots in the net. And it even stops like this when it finds an instance of a nick on the first bot it checks when the queried nick (the same person being sought) is in fact present on one of the other botnet bot's networks in one of its channels.

Can gseen be effectively used in the way I want? I want it to find the most recent occurrence of a nick's presence across the botnet. I currently have one hub and 12 leafs. Is this stop-on-first-hit a configuration issue?

TIA
3
3rdBAR
Voice
Posts: 15
Joined: Mon May 15, 2006 6:39 am

Post by 3rdBAR »

No replies, eh? Two days ago I wrote to the author of gseen about this as well. He hasn't replied either (or at least he hasn't replied yet).

One thing about this problem that puzzles me a bit is this: If a botnet were on a single IRC network, but its individual bots were on separate channels (no common channels among them), I'm guessing the same stop-on-first-hit problem would occur. Here's the scenario: The botnet bots are linked, someone initiates a gseen query for a nick, gseen checks the bots one at a time until it finds an instance of the entered nick. When it finds this first instance in one of the bot's gseen.dat files, it checks no further. So if this first bot who replies that the nick has visited one of its channels reports that the nick had been there, say, 2 weeks ago, but yesterday the same nick had joined a channel monitored exclusively by one of the other not yet queried botnet bots, the person initiating the query will never learn of this nick's recent join to that channel.

So is this how it works? If not, why does gseen stop on the first hit and check no further on my multi-network botnet? If this is simply how gseen works, I'm surprised that it doesn't get more complaints from people using it with botnets. If I'm missing something, please tell me.
C
Callisto
Halfop
Posts: 86
Joined: Sun Mar 13, 2005 11:04 am

Post by Callisto »

dont know if you checked this in the gseen.conf file or not

Code: Select all

# forward a request to other bots, if a !seen returned no result?
set botnet-seens 1
If so apologies
3
3rdBAR
Voice
Posts: 15
Joined: Mon May 15, 2006 6:39 am

Post by 3rdBAR »

Callisto wrote:dont know if you checked this in the gseen.conf file or not

Code: Select all

set botnet-seens 1
Yes, all bots in the net are set to "1" for set botnet-seens. I believe "1" is the default for that directive anyway. The !seen requests have always queried subsequent bots in the net fine. The process just stops cold after finding the first instance, irrespective of whether or not it's the most recent one.

Thanks for the reply.
User avatar
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

If that's the case then I guess this is a bug in the module and should be fixed. Unfortunately, the author has stopped developing the module long time ago. I'm not sure if bseen has this feature, but you can try it (search the tcl archive for bseen).
3
3rdBAR
Voice
Posts: 15
Joined: Mon May 15, 2006 6:39 am

Post by 3rdBAR »

Okay, here's the bottom line. I've just received a response from the author of gseen and this is what he said:
Florian wrote:IIRC this is the coded functionality, sorry. The only way to change it is to write an extension... either in gseen's c-code directly, or maybe via tcl (can't remember the details of the implementation, so I'm not sure if tcl is an option).
It's a bit astonishing to me that no one has noticed this flaw before. I'll have to check into bseen, as you've suggested.

Thanks.
User avatar
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia
Contact:

Post by Alchera »

3rdBAR wrote:It's a bit astonishing to me that no one has noticed this flaw before.

Thanks.
Probably because no one bothered to set "botnet-seens"; I disabled it as I am interested in the results of just one channel, which would be the norm.
Add [SOLVED] to the thread title if your issue has been.
Search | FAQ | RTM
3
3rdBAR
Voice
Posts: 15
Joined: Mon May 15, 2006 6:39 am

Post by 3rdBAR »

Alchera wrote: Probably because no one bothered to set "botnet-seens"; I disabled it as I am interested in the results of just one channel, which would be the norm.
Maybe, but I find that hard to imagine. Since botnet-seens is enabled by default, and since lots of eggdrop users have botnets and multiple channels, and since gseen has been around for a relatively long while, I'd have guessed someone would've reported it well before now.
Post Reply