
Sentinel, sl_wideban and sl_masktype (a suggestion/wish)

dun_dacil
Voice
Posts: 16
Joined: Wed Sep 04, 2002 3:36 pm
Location: Pisa, Italy

Post by dun_dacil »

Dear All,
I have been happily using netbots for a few years now :), but I ran into trouble yesterday.
First of all, let me give the scenario: I am from Italy, and my bots live there, and control channels on IRCnet. My channels average from 90 to 200 people. In Italy, there are only a few ADSL providers, so a number of people on my channels have identical "masked" hosts (they have different IPs, but the same hostmask).
I have sentinel.tcl on with sl_wideban 1 and sl_masktype 0.
Yesterday afternoon somebody came on one of the channels with some 10 "bots", based on socks around the Italian network, and caused sentinel to trigger via join/part flood and/or tsunami flood. Sentinel reacted nicely (+mi etc.). Then sentinel processed the ban list (sl_wideban 1), and proceeded to make the ban wider, given that the 10+ bots really belonged to only three different masked IPs. But in so doing, sentinel banned a large chunk of people on the channel itself, given that their hostmask also matched.
A solution could be to set sl_wideban to 0, but I am reluctant to do so, I like this feature.
Now comes my wish: in a future release of sentinel, could the variable sl_wideban be more than a switch? At the end of the day, it enters sentinel only in one line :). My suggestion/wish is to make sl_wideban such that if it is zero, the wide ban feature is disabled; but if it is larger than 1, it becomes the number of matching masked hosts which needs to be exceeded before the wide ban is imposed. At the moment the wide ban triggers when the second masked host is found. In this way, setting sl_wideban to say 3, I would need 4 matching masked hosts before the wide ban triggers.
Thanks,
dun_dacil
slennox
Owner
Posts: 593
Joined: Sat Sep 22, 2001 8:00 pm

Post by slennox »

I won't be releasing any new version soon (I'm trying to crank the development motor again, but any result from that won't be seen for some months), but this should not be too difficult to implement. Find the "sl_dcheck" proc in sentinel.tcl and replace it with:

Code:

proc sl_dcheck {bhosts} {
  global sl_wideban
  set blist ""
  foreach bhost $bhosts {
    set baddr [lindex [split [maskhost $bhost] "@"] 1]
    set bident [string trimleft [lindex [split $bhost "@"] 0] "~"]
    if {![info exists baddrs($baddr)]} {
      set baddrs($baddr) 1
    } else {
      incr baddrs($baddr)
    }
    if {![info exists bidents($bident)]} {
      set bidents($bident) 1
    } else {
      incr bidents($bident)
    }
  }
  foreach baddr [array names baddrs] {
    if {$baddrs($baddr) >= [expr {$sl_wideban + 1}]} {
      lappend blist *!*@$baddr
    }
  }
  foreach bident [array names bidents] {
    if {$bidents($bident) >= [expr {$sl_wideban + 1}]} {
      lappend blist *!*$bident@*
    }
  }
  return $blist
}
One of the "features" of sentinel is that changing one small thing in the code can affect a whole bunch of other things. I don't have time to look through it properly, but superficially I think the above should work :)
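
Added example, not part of the thread and not sentinel's own code: a plain tclsh script that applies the same "count must reach sl_wideban + 1" rule to the address half of the check and reports how many uninvolved users each threshold would ban. The hostnames are constructed, and mask_addr is a simplified, assumed stand-in for eggdrop's maskhost, which plain Tcl does not provide.

```tcl
# Simplified stand-in for eggdrop's maskhost (assumption, not eggdrop code):
# hostnames lose their first label, IPv4 addresses their last octet.
proc mask_addr {host} {
  set parts [split $host "."]
  if {[regexp {^\d+\.\d+\.\d+\.\d+$} $host]} {
    return [join [lreplace $parts end end *] "."]
  }
  if {[llength $parts] <= 2} { return $host }
  return [join [lreplace $parts 0 0 *] "."]
}

# Address half of the threshold rule: a masked address becomes a wide ban
# once at least threshold+1 offending ident@host entries share it.
proc wide_bans {offenders threshold} {
  set bans {}
  foreach uhost $offenders {
    set addr [mask_addr [lindex [split $uhost "@"] 1]]
    if {[info exists seen($addr)]} { incr seen($addr) } else { set seen($addr) 1 }
  }
  foreach addr [lsort [array names seen]] {
    if {$seen($addr) >= $threshold + 1} { lappend bans "*!*@$addr" }
  }
  return $bans
}

# Number of uninvolved nick!ident@host entries matched by any ban mask.
proc collateral {bans bystanders} {
  set hit 0
  foreach who $bystanders {
    foreach ban $bans {
      if {[string match -nocase $ban $who]} { incr hit; break }
    }
  }
  return $hit
}

# Constructed sample data: 10 flood clients behind three masked hosts,
# plus ordinary users who share those providers' host masks.
set offenders {}
foreach {pool n} {pool-a 5 pool-b 3 pool-c 2} {
  for {set i 1} {$i <= $n} {incr i} { lappend offenders "bot$i@host$i.$pool.adsl.example" }
}
set bystanders {}
foreach {pool n} {pool-a 2 pool-b 3 pool-c 4 other 1} {
  for {set i 1} {$i <= $n} {incr i} { lappend bystanders "user$i!u$i@dsl$i.$pool.adsl.example" }
}
foreach threshold {1 3 5} {
  set bans [wide_bans $offenders $threshold]
  puts "sl_wideban=$threshold bans=[llength $bans] bystanders_hit=[collateral $bans $bystanders]"
}
```

Replaying a channel's own join log through a script like this before raising sl_wideban shows how many regular users share a mask with the flood clients at each setting.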
dun_dacil
Voice
Posts: 16
Joined: Wed Sep 04, 2002 3:36 pm
Location: Pisa, Italy

Post by dun_dacil »

Thanks, slennox.

dun