I have a botnet comprising multiple eggs on multiple networks. When I use gseen to find out when and where a particular nick was last seen, gseen wants to stop at the first bot it queries who has seen the particular nick. It does this regardless of whether the instance it finds is much older than instances of the same nick on other bots in the net. And it even stops like this when it finds an instance of a nick on the first bot it checks when the queried nick (the same person being sought) is in fact present on one of the other botnet bot's networks in one of its channels.
Can gseen be effectively used in the way I want? I want it to find the most recent occurrence of a nick's presence across the botnet. I currently have one hub and 12 leafs. Is this stop-on-first-hit a configuration issue?
TIA
This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.
For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.
All data has been migrated (including user logins/passwords) to a new phpBB version.
For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.
gseen won't find the most recent record over the botnet
No replies, eh? Two days ago I wrote to the author of gseen about this as well. He hasn't replied either (or at least he hasn't replied yet).
One thing about this problem that puzzles me a bit is this: If a botnet were on a single IRC network, but its individual bots were on separate channels (no common channels among them), I'm guessing the same stop-on-first-hit problem would occur. Here's the scenario: The botnet bots are linked, someone initiates a gseen query for a nick, gseen checks the bots one at a time until it finds an instance of the entered nick. When it finds this first instance in one of the bot's gseen.dat files, it checks no further. So if this first bot who replies that the nick has visited one of its channels reports that the nick had been there, say, 2 weeks ago, but yesterday the same nick had joined a channel monitored exclusively by one of the other not yet queried botnet bots, the person initiating the query will never learn of this nick's recent join to that channel.
So is this how it works? If not, why does gseen stop on the first hit and check no further on my multi-network botnet? If this is simply how gseen works, I'm surprised that it doesn't get more complaints from people using it with botnets. If I'm missing something, please tell me.
One thing about this problem that puzzles me a bit is this: If a botnet were on a single IRC network, but its individual bots were on separate channels (no common channels among them), I'm guessing the same stop-on-first-hit problem would occur. Here's the scenario: The botnet bots are linked, someone initiates a gseen query for a nick, gseen checks the bots one at a time until it finds an instance of the entered nick. When it finds this first instance in one of the bot's gseen.dat files, it checks no further. So if this first bot who replies that the nick has visited one of its channels reports that the nick had been there, say, 2 weeks ago, but yesterday the same nick had joined a channel monitored exclusively by one of the other not yet queried botnet bots, the person initiating the query will never learn of this nick's recent join to that channel.
So is this how it works? If not, why does gseen stop on the first hit and check no further on my multi-network botnet? If this is simply how gseen works, I'm surprised that it doesn't get more complaints from people using it with botnets. If I'm missing something, please tell me.
dont know if you checked this in the gseen.conf file or not
If so apologies
Code: Select all
# forward a request to other bots, if a !seen returned no result?
set botnet-seens 1Yes, all bots in the net are set to "1" for set botnet-seens. I believe "1" is the default for that directive anyway. The !seen requests have always queried subsequent bots in the net fine. The process just stops cold after finding the first instance, irrespective of whether or not it's the most recent one.Callisto wrote:dont know if you checked this in the gseen.conf file or not
Code: Select all
set botnet-seens 1
Thanks for the reply.
Okay, here's the bottom line. I've just received a response from the author of gseen and this is what he said:
Thanks.
It's a bit astonishing to me that no one has noticed this flaw before. I'll have to check into bseen, as you've suggested.Florian wrote:IIRC this is the coded functionality, sorry. The only way to change it is to write an extension... either in gseen's c-code directly, or maybe via tcl (can't remember the details of the implementation, so I'm not sure if tcl is an option).
Thanks.
Maybe, but I find that hard to imagine. Since botnet-seens is enabled by default, and since lots of eggdrop users have botnets and multiple channels, and since gseen has been around for a relatively long while, I'd have guessed someone would've reported it well before now.Alchera wrote: Probably because no one bothered to set "botnet-seens"; I disabled it as I am interested in the results of just one channel, which would be the norm.