<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>SecureServ 3.0 Manual</title><link rel="stylesheet" href="html.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.69.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="d0e1"></a>SecureServ 3.0 Manual</h2></div></div><hr></div><div class="toc"><dl><dt><span class="sect1"><a href="#d0e56">1. Prerequisites and Installation.</a></span></dt><dd><dl><dt><span class="sect2"><a href="#d0e102">1.1. Compiling and Installation</a></span></dt></dl></dd><dt><span class="sect1"><a href="#d0e155">2. Basic Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#d0e172">2.1. Exclusion Lists</a></span></dt><dt><span class="sect2"><a href="#d0e242">2.2. Helper Lists</a></span></dt><dt><span class="sect2"><a href="#d0e295">2.3. Dat File Updates</a></span></dt><dt><span class="sect2"><a href="#d0e306">2.4. System Messages</a></span></dt></dl></dd><dt><span class="sect1"><a href="#d0e331">3. Detailed Configuration</a></span></dt><dd><dl><dt><span class="sect2"><a href="#d0e442">3.1. NICK Setting</a></span></dt><dt><span class="sect2"><a href="#d0e452">3.2. ALTNICK Setting</a></span></dt><dt><span class="sect2"><a href="#d0e462">3.3. USER Setting</a></span></dt><dt><span class="sect2"><a href="#d0e472">3.4. HOST Setting</a></span></dt><dt><span class="sect2"><a href="#d0e482">3.5. REALNAME Setting</a></span></dt><dt><span class="sect2"><a href="#d0e492">3.6. EXCLUSIONS Setting</a></span></dt><dt><span class="sect2"><a href="#d0e504">3.7. VERSION Setting</a></span></dt><dt><span class="sect2"><a href="#d0e515">3.8. CHECKFIZZER Setting</a></span></dt><dt><span class="sect2"><a href="#d0e524">3.9. DOONJOIN Setting</a></span></dt><dt><span class="sect2"><a href="#d0e533">3.10. ONJOINBOTMODES Setting</a></span></dt><dt><span class="sect2"><a href="#d0e542">3.11. 
CYCLETIME Setting</a></span></dt><dt><span class="sect2"><a href="#d0e551">3.12. DOPRIVCHAN Setting</a></span></dt><dt><span class="sect2"><a href="#d0e560">3.13. MULTICHECK Setting</a></span></dt><dt><span class="sect2"><a href="#d0e572">3.14. MONBOT Setting</a></span></dt><dt><span class="sect2"><a href="#d0e581">3.15. MONCHANCYCLE Setting</a></span></dt><dt><span class="sect2"><a href="#d0e590">3.16. MONCHANCYCLETIME Setting</a></span></dt><dt><span class="sect2"><a href="#d0e599">3.17. BOTECHO Setting</a></span></dt><dt><span class="sect2"><a href="#d0e608">3.18. BOTQUITMSG Setting</a></span></dt><dt><span class="sect2"><a href="#d0e617">3.19. HELPERS Setting</a></span></dt><dt><span class="sect2"><a href="#d0e626">3.20. AUTOSIGNOUT Setting</a></span></dt><dt><span class="sect2"><a href="#d0e635">3.21. JOINHELPCHAN Setting</a></span></dt><dt><span class="sect2"><a href="#d0e644">3.22. SVSJOIN Setting</a></span></dt><dt><span class="sect2"><a href="#d0e656">3.23. HELPCHAN Setting</a></span></dt><dt><span class="sect2"><a href="#d0e665">3.24. NOHELPMSG Setting</a></span></dt><dt><span class="sect2"><a href="#d0e674">3.25. REPORT Setting</a></span></dt><dt><span class="sect2"><a href="#d0e686">3.26. AKILL Setting</a></span></dt><dt><span class="sect2"><a href="#d0e695">3.27. AKILLTIME Setting</a></span></dt><dt><span class="sect2"><a href="#d0e704">3.28. AKILLMSG Setting</a></span></dt><dt><span class="sect2"><a href="#d0e713">3.29. AUTOUPDATE Setting</a></span></dt><dt><span class="sect2"><a href="#d0e722">3.30. AUTOUPDATETIME Setting</a></span></dt><dt><span class="sect2"><a href="#d0e731">3.31. VERBOSE Setting</a></span></dt></dl></dd><dt><span class="sect1"><a href="#d0e743">4. Operational Commands</a></span></dt><dd><dl><dt><span class="sect2"><a href="#d0e813">4.1. HELP Command</a></span></dt><dt><span class="sect2"><a href="#d0e824">4.2. VERSION Command</a></span></dt><dt><span class="sect2"><a href="#d0e833">4.3. 
ABOUT Command</a></span></dt><dt><span class="sect2"><a href="#d0e842">4.4. CREDITS Command</a></span></dt><dt><span class="sect2"><a href="#d0e851">4.5. LEVELS Command</a></span></dt><dt><span class="sect2"><a href="#d0e872">4.6. SET Command</a></span></dt><dt><span class="sect2"><a href="#d0e877">4.7. LOGIN Command</a></span></dt><dt><span class="sect2"><a href="#d0e886">4.8. LOGOUT Command</a></span></dt><dt><span class="sect2"><a href="#d0e895">4.9. ASSIST Command</a></span></dt><dt><span class="sect2"><a href="#d0e908">4.10. CHPASS Command</a></span></dt><dt><span class="sect2"><a href="#d0e921">4.11. CHECKCHAN Command</a></span></dt><dt><span class="sect2"><a href="#d0e930">4.12. LIST Command</a></span></dt><dt><span class="sect2"><a href="#d0e947">4.13. STATUS Command</a></span></dt><dt><span class="sect2"><a href="#d0e956">4.14. MONCHAN Command</a></span></dt><dt><span class="sect2"><a href="#d0e973">4.15. BOTS Command</a></span></dt><dt><span class="sect2"><a href="#d0e990">4.16. CYCLE Command</a></span></dt><dt><span class="sect2"><a href="#d0e1001">4.17. RELOAD Command</a></span></dt><dt><span class="sect2"><a href="#d0e1010">4.18. HELPERS Command</a></span></dt><dt><span class="sect2"><a href="#d0e1063">4.19. EXCLUDE Command</a></span></dt><dt><span class="sect2"><a href="#d0e1133">4.20. UPDATE Command</a></span></dt></dl></dd><dt><span class="sect1"><a href="#d0e1148">5. Custom Definitions</a></span></dt><dd><dl><dt><span class="sect2"><a href="#d0e1155">5.1. Custom Definitions file</a></span></dt><dd><dl><dt><span class="sect3"><a href="#d0e1160">5.1.1. Create customviri.dat file</a></span></dt><dt><span class="sect3"><a href="#d0e1165">5.1.2. add entries to customviri.dat</a></span></dt><dt><span class="sect3"><a href="#d0e1310">5.1.3. Reload the definitions</a></span></dt></dl></dd></dl></dd><dt><span class="sect1"><a href="#d0e1315">6. Final Words</a></span></dt><dd><dl><dt><span class="sect2"><a href="#d0e1320">6.1. 
Dealing with Un-detected Attacks/Trojans/Virus etc</a></span></dt></dl></dd></dl></div><p>Welcome to the SecureServ Manual. This document will aid you in setting up and running SecureServ on your IRC network.</p><p>SecureServ is an advanced IRC Trojan detector, much like a Virus Scanner, but aimed at IRC networks. Using several different methods, including, but not limited to, Version checks, Behavior analysis, and general pattern matching, it aims to detect Trojans and Viruses as well as FloodBots that connect to your IRC network.</p><p>SecureServ's "brains" are based on a "Definition file", or Dat file, that contains information on how to detect the trojans. This means that updating SecureServ's detection for new Trojans/Bots only requires that you download a new dat file (which can be automated). There are some pre-conditions to obtaining new Dat files, and these can be found in the Installation chapter.</p><p>SecureServ also supports a "customised" dat file that administrators can add their own signatures to, to help detect new or unsupported clients/trojans (e.g. Bottlers). This requires some programming knowledge, and more information about the customviri.dat file can be found in the "Custom Definitions" chapter.</p><p>SecureServ can detect Trojans/Viruses or "Security Risks" to your Network in a number of ways, including:</p><div class="itemizedlist"><ul type="disc"><li><p>CTCP Version Checks</p></li><li><p>NickName Patterns</p></li><li><p>UserName (Ident) Patterns</p></li><li><p>RealName Patterns</p></li><li><p>Channel MemberShip Patterns</p></li><li><p>Private/Notice Messages</p></li><li><p>Channel Utilization</p></li><li><p>Logic Checks</p></li><li><p>Away Messages</p></li><li><p>Quit Messages</p></li><li><p>Via Perl Scripts</p></li></ul></div><p>While we can detect a vast majority of Trojans, and it's easy to extend SecureServ to detect new ones without Recompiling/upgrading, it's not a foolproof solution. 
Additionally, Virus/Trojan/Bot authors are getting more and more sophisticated these days, and will always find ways to avoid detection. SecureServ aims to reduce the load on Network Administration staff in dealing with these Trojans.</p><p>SecureServ is written and maintained by Justin Hammond. It requires the NeoStats software. More information about SecureServ, or NeoStats, can be found at <a href="#">http://www.neostats.net/</a></p><p>SecureServ is Copyright, 2005 by Justin Hammond.</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="d0e56"></a>1. Prerequisites and Installation.</h2></div></div></div><p>SecureServ is designed to run on Top of NeoStats. At the time of writing, NeoStats has the following requirements:</p><div class="itemizedlist"><ul type="disc"><li><p>A Linux or BSD based Server or Shell.</p></li><li><p>An IRCd supported by NeoStats. See the <a href="#">NeoStats</a> website.</p></li><li><p>Some basic Unix administration Skill</p></li><li><p>Of Course, an IRC network to connect it all together.</p></li></ul></div><p>Please refer to the NeoStats website for more information on the requirements.</p><p>SecureServ itself requires the following:</p><div class="itemizedlist"><ul type="disc"><li><p>NeoStats 3.0 or Higher correctly installed and Running</p></li><li><p>A NeoNet account <a href="#">http://accounts.neostats.net</a> is required if you wish to take advantage of updated definition files</p></li><li><p>The time to read this entire document. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>SecureServ has the potential to Akill/Gline your entire network. 
It's strongly suggested that you read this entire document before even attempting to compile SecureServ, as I'm just going to laugh if you didn't read it and it AKILLs your entire network.</p></div></li></ul></div><p>The requirement to have a valid account on <a href="#">http://accounts.neostats.net</a> is due to the fact that I want to have some control over who receives the definition files. If these Definition files fall into the hands of the Trojan Writers or Virus Writers, it's possible they might be able to re-write their bots to avoid detection. Please see the website for more information.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e102"></a>1.1. Compiling and Installation</h3></div></div></div><p>As long as you have successfully set up NeoStats, and installed it correctly, Compiling SecureServ is very simple and straightforward. First you must extract the files from the download package. This is as simple as:</p><pre class="screen">bash$<span><strong class="command"> tar -xzf SecureServ-<ver>.tar.gz</strong></span></pre><p>This should then create a directory called SecureServ-<version> where <version> is the Version of SecureServ. Then change into the SecureServ directory, and run Configure as follows:</p><pre class="screen">bash$<span><strong class="command"> ./configure [--enable-debug | --with-neostats=<dir> --enable-treatchanmsgaspm]</strong></span></pre><p>--enable-debug is only useful for diagnostic purposes when used in conjunction with debugging tools. There should be no need to use this option on a day-to-day basis.</p><p>--with-neostats=<dir> should be used if your neostats directory is not in a standard location (~/NeoStats/). Replace <dir> with the full path to your NeoStats installation directory (NOT SOURCE DIRECTORY).</p><p>--enable-treatchanmsgaspm makes SecureServ treat all messages sent to a monitored channel as messages sent to an individual user. 
Enabling this option is not recommended as it greatly increases the CPU utilization if you have large, busy channels.</p><p>Configuring SecureServ will look something like the following screen:</p><pre class="screen">Fishs-Mac:~/Documents/Dev/SecureServ justin$ ./configure
checking whether to enable maintainer-specific portions of Makefiles... no
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... no
<snip>
checking To Enable AutoTools Debug Mode?... no
checking silent building of source files... Enabled
configure: creating ./config.status
config.status: creating Makefile
config.status: creating modconfig.h
config.status: modconfig.h is unchanged
config.status: executing depfiles commands
Configuration complete.
Press Enter key to read the release notes</pre><p>The Configure process will then prompt you to read the release notes. You are encouraged to read this document thoroughly as it might contain important information about the current version of SecureServ that isn't covered in the manual.</p><p>If the configuration did not produce an error, you may then move on to Compiling SecureServ. Compiling is simply a matter of issuing the "make" command (or "gmake" if you are running BSD):</p><pre class="screen">Fishs-Mac:~/Documents/Dev/SecureServ justin$ make
make -s all-am
Compiling Helpers.c: [OK]
Compiling SecureServ.c: [OK]
Compiling scan.c: [OK]
Compiling OnJoinBot.c: [OK]
Compiling SecureServ_help.c: [OK]
Compiling update.c: [OK] </pre><p>Again, check for Error messages. As long as there are no error messages, "make install" will install SecureServ, this README file, and any auxiliary files needed into your NeoStats directory:</p><pre class="screen">Fishs-Mac:~/Documents/Dev/SecureServ justin$ make install
Installing secureserv.so: [OK]
Installing viri.dat: [OK]
Installing README.SecureServ: [OK]
Installing README.SecureServ.html: [OK] </pre><p>If you receive *ANY* errors at all during this process, please post them on our Support boards, at http://www.neostats.net/boards/</p><p>Once Installation is complete, you can either configure NeoStats to load SecureServ when it starts, or load SecureServ via IRC.</p><p>To Configure NeoStats to automatically load SecureServ when it boots, modify the neostats.conf file and add SecureServ to the list of modules to load:</p><pre class="screen">MODULENAME = {
"statserv",
"hostserv",
"secureserv",
} </pre><p>You also should now configure a NeoNet account if you wish to take advantage of updated virus definition files. To obtain an account for NeoNet, please go to http://accounts.neostats.net and sign up for a new account. Once you have signed up, you will receive an email with instructions for configuring your NeoStats to use NeoNet. Please modify your neostats.conf file as per the instructions contained in the email.</p><p>To load SecureServ via IRC, you must make sure you have the appropriate permissions and issue the following command:</p><p><span><strong class="command">/msg neostats load SecureServ</strong></span></p><p>That's it. SecureServ is now loaded and ready for use (in fact, it will already be running now, but read on for further information.)</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="d0e155"></a>2. Basic Configuration</h2></div></div></div><p>SecureServ is completely configured online via IRC. When you first start up SecureServ, it applies some "Sane" defaults for you to get started with, but you should always review these settings as soon as you install. There are a few important settings you may want to review right away. They are:</p><div class="itemizedlist"><ul type="disc"><li><p>Exclusion Lists - You should set up an Exclude list for your IRC Services server (NickServ etc)</p></li><li><p>Automatic or Manual updates of Dat Files</p></li><li><p>System Messages sent to users</p></li></ul></div><p>These are outlined below:</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e172"></a>2.1. Exclusion Lists</h3></div></div></div><p>Exclusion lists allow you to specify certain Hostmasks, Servers, or Channels that should be excluded from monitoring by SecureServ. 
This exclusion list allows an administrator to, say, let users stay on the network even though they are matched against Trojans, when the administrator has verified that the Trojan does not in fact exist on the user's host.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Exclusions should be set up for your Services Server, so that SecureServ does not try to scan ChanServ, or NickServ, or any of the bots relating to Nickname protection.</p></div><p>With NeoStats 3.0, you should also be aware that there are two types of Exclusion Lists. There are "Global" exclusion lists that all modules may optionally use, and there are module-specific exclusion lists. SecureServ defaults to not using the Global Exclusion lists. You can enable them with the following command:</p><pre class="screen">/msg SecureServ set exclusions on</pre><p><span class="bold"><strong>Adding an Entry</strong></span></p><p>To add an entry to the Exclusion list, use the following format:</p><pre class="screen">/msg SecureServ exclude add <host/Server/Channel/UserHost> <pattern> <reason></pre><p>Where:</p><p><Host/Server/Channel/UserHost> = The type of exclusion you are adding. The different types are:</p><div class="itemizedlist"><ul type="disc"><li><p>Host - The user's real (Internet) Hostname</p></li><li><p>Server - The server the user is connecting to. You should ensure you add an exclusion for your Services Server</p></li><li><p>Channel - A specific channel on your IRC Network</p></li><li><p>UserHost - The user's Virtual Hostname (IRC)</p></li></ul></div><p><pattern> = The pattern you wish to match on. 
May include wildcard characters such as * and ?</p><p><reason> = a short description of the exclusion, for operator reference only.</p><p>The output is as follows:</p><pre class="screen">[13:20] -SecureServ- Added *.blah.com (userhost) to exclusion list
[13:20] SecureServ Fish added *.blah.com (userhost) to the exclusion list</pre><p><span class="bold"><strong>Listing an Entry</strong></span></p><p>To list the Exclusions simply type:</p><pre class="screen">/msg SecureServ exclude list</pre><p>And all the current exclusions are listed. Additionally, a Position number is provided for use with the delete command. The output is as follows:</p><pre class="screen">[13:21] -SecureServ- Exclusion list:
[13:21] -SecureServ- #bothouse (Channel) Added by Fish on Sat Aug 13 2005 01:20 AM SGT for Requested
[13:21] -SecureServ- #ircop (Channel) Added by Fish on Sat Aug 13 2005 07:40 PM SGT for IRCop channel
[13:21] -SecureServ- *irc-chat.net (Host) Added by Fish on Tue Aug 09 2005 10:13 PM SGT for Services Exclusion
[13:21] -SecureServ- chieftess!*@* (Userhost) Added by Fish on Tue Aug 09 2005 10:14 PM SGT for buggy client
[13:21] -SecureServ- *.blah.com (Userhost) Added by Fish on Sun Jan 15 2006 01:20 PM SGT for Cause Blah.com is cool
[13:21] -SecureServ- End of list.</pre><p><span class="bold"><strong>Deleting an Entry</strong></span></p><p>To delete an entry, you should first look up the Position of the entry that you wish to delete. The format of the command is as follows:</p><pre class="screen">/msg SecureServ exclude del <pattern></pre><p>Where:</p><p><pattern> is the pattern of the entry you wish to delete in the list.</p><p>The output of the command is as follows:</p><pre class="screen">[13:22] SecureServ Fish used EXCLUDE
[13:22] -SecureServ- *.blah.com delete from exclusion list</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e242"></a>2.2. Helper Lists</h3></div></div></div><p>Helper lists let you grant non-privileged users the ability to maintain your Virus help channel and help users that are infected with viruses that could be removed with simple instructions (such as Spam Viruses that infect mIRC). These users are granted the ability to "release" an infected user from SecureServ or kill un-cooperative or unresponsive users that SecureServ has identified as being infected. Users that have been joined to the help channel are "held" by SecureServ and are usually prevented from joining other channels (if your IRCd supports this option). This can be helpful so you can clean up users that are infected with simple script-based viruses and you require their attention to help you clean their computer. More information about the commands available to use on infected users is available via the assist command detailed below.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Although SecureServ limits who a "Helper" may kill (only infected users joined to the Help Channel) you should only give out login accounts to trusted users.</p></div><p><span class="bold"><strong>Adding an Entry</strong></span></p><p>To add an entry to the Helper list, use the following format:</p><pre class="screen">/msg SecureServ helpers add <login> <pass> </pre><p>Where:</p><p><login> = The login name to use to gain access. Does not have to be a nickname.</p><p><pass> = The password to use to log in</p><p>The output is as follows:</p><pre class="screen">>secureserv< helpers add myhelper mypass
-SecureServ- Successfully added Helper myhelper with Password mypass to Helpers List
</pre><p><span class="bold"><strong>Listing an Entry</strong></span></p><p>To list the helpers simply type:</p><pre class="screen">/msg SecureServ helpers list</pre><p>And all the helpers are listed. Additionally, if a nickname is provided after the login name, it means that this nick is logged into this particular helper account.</p><p>The output is as follows:</p><pre class="screen">>secureserv< helpers list
-SecureServ- Helpers List (2):
-SecureServ- fish (Fish)
-SecureServ- myhelper (Not Logged In)
-SecureServ- End of List.
</pre><p><span class="bold"><strong>Deleting an Entry</strong></span></p><p>To delete an entry, you must provide the login name you wish to delete. The format of the command is as follows:</p><pre class="screen">/msg SecureServ helpers del <login></pre><p>Where:</p><p><login> is the login account you wish to delete.</p><p>The output of the command is as follows:</p><pre class="screen">>secureserv< helpers del myhelper
-SecureServ- Deleted myhelper from Helpers List
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e295"></a>2.3. Dat File Updates</h3></div></div></div><p>In order to update SecureServ's Detection, you need to register a account at http://accounts.neostats.net/ and apply for access to the Secure IRC-Chat website. Once your application for access has been recieved, you will be able to download updated dat files either automatically (as they are released) or manually. You also get access to some advanced reporting capabilities such as weekly reports on virus infections on your Network, as well as real time statistics.</p><p>When applying for access to the Secure IRC-Chat website, it might take a while for the application to be approved, as one of the Admins has to review the application and ensure its valid. Once your access has been granted, you will recieve a email informing you that your access has been granted. </p><p>Once you have received confirmation that you can now access Secure IRC-Chat via email, you can proceed to configure SecureServ to update Dat files automatically for you. SecureServ can be configured to check for updates on a Daily Basis. You can, disable this automatic update if you wish, but this is covered in the "Settings" Section.</p><p>For more information on the NeoNet configuration, please refer to the NeoStats Manual.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e306"></a>2.4. System Messages</h3></div></div></div><p>SecureServ sends different messages to users depending on whats happening. Examples of the messages its send is messages when they are AKILedL or warn a user about a possible "Trojan/Infection" etc. These messages can be customized to suit your network, or language of choice easily. 
The different messages that you can set are:</p><div class="itemizedlist"><ul type="disc"><li><p>"AKILL" messages</p><p>AKILL messages are sent to users when they are about to be akilled from your network due to a positive "infection". You could provide email addresses, contact information, should the user wish to contact you. In addition to the AKILL message, the user is also given a URL they can view with details about their "infection" and how to fix it.</p></li><li><p>"No Help Available" messages</p><p>As SecureServ can also detect Virus's, some network may have channels devoted to helping users remove virus's from their IRC clients. SecureServ has a "Helper" login function that allows you to setup "non-oper" or "oper" users to be helpers. If no one is logged into SecureServ and a virus infected user is detected, instead of attempting to automatically join him to the "Help" channel, he is akilled from the network. This message is sent to the user to let them know that they have a virus, and should seek help.</p></li></ul></div><p>Setting these three types of messages is simple. Just issue the following commands:</p><pre class="screen">/msg SecureServ set akillmesg <message></pre><pre class="screen">/msg SecureServ set nohelpmsg <message></pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you don't customize any of these messages, a Default system message is used automatically.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="d0e331"></a>3. Detailed Configuration</h2></div></div></div><p>SecureServ attempts to be as configurable as possible in order to cater for each individual networks requirements. This in turn though makes the configuration very complex. There are many many settings with SecureServ that affect how it operates, how it responds and even, how affects the performance of NeoStats Overall. 
Out of the box, SecureServ provides sensible defaults for these settings, but you may wish to read this section for details on exactly what each option does, and its affect on how SecureServ operates.</p><p>The following list summaries the available options you can set in SecureServ</p><div class="itemizedlist"><ul type="disc"><li><p>NICK</p></li><li><p>ALTNICK</p></li><li><p>USER</p></li><li><p>HOST</p></li><li><p>REALNAME</p></li><li><p>EXCLUSIONS</p></li><li><p>VERSION</p></li><li><p>CHECKFIZZER</p></li><li><p>DOONJOIN</p></li><li><p>ONJOINBOTMODES</p></li><li><p>CYCLETIME</p></li><li><p>DOPRIVCHAN</p></li><li><p>MULTICHECK</p></li><li><p>MONBOT</p></li><li><p>MONCHANCYCLE</p></li><li><p>MONCHANCYCLETIME</p></li><li><p>BOTECHO</p></li><li><p>BOTQUITMSG</p></li><li><p>HELPERS</p></li><li><p>AUTOSIGNOUT</p></li><li><p>JOINHELPCHAN</p></li><li><p>SVSJOIN</p></li><li><p>HELPCHAN</p></li><li><p>NOHELPMSG</p></li><li><p>REPORT</p></li><li><p>AKILL</p></li><li><p>AKILLTIME</p></li><li><p>AKILLMSG</p></li><li><p>AUTOUPDATE</p></li><li><p>AUTOUPDATETIME</p></li><li><p>VERBOSE</p></li></ul></div><p>To change any of these settings, you use the Set Interface in SecureServ. Eg:</p><pre class="screen">/msg SecureServ set <option> <params></pre><p>To view the current settings, issue the following command:</p><pre class="screen">/msg SecureServ set list</pre><p>The following Sections describes the different options, their params, and the effect on SecureServ in detail.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e442"></a>3.1. NICK Setting</h3></div></div></div><p>This setting allows you to change the Nickname that SecureServ uses when it connects to your network. 
If you change this setting make sure you update your NeoNet account, otherwise you might loose access to the Secure IRC-Chat site if we perform a check on your network and can't find "SecureServ" running.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This option requires you to reload SecureServ or restart NeoStats to take effect.</p></div><pre class="screen">/msg SecureServ set NICK <nickname></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e452"></a>3.2. ALTNICK Setting</h3></div></div></div><p>This setting allows you to set a "Backup" nickname used for SecureServ. If the primary Nickname in the NICK Setting is not available, SecureServ will use this nickname, and if that is not available, it will use a automatically generated nickname</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This option requires you to reload SecureServ or restart NeoStats to take effect</p></div><pre class="screen">/msg SecureServ set ALTNICK <nickname></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e462"></a>3.3. USER Setting</h3></div></div></div><p>This option allows you to customize the "user" or ident portion of the SecureServ Bot. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This option requires you to reload SecureServ or restart NeoStats to take effect</p></div><pre class="screen">/msg SecureServ set USER <user></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e472"></a>3.4. HOST Setting</h3></div></div></div><p>This option allows you to customize the Hostname that SecureServ uses when it signs onto your Network. 
It defaults to the Standard Hostname specified in your NeoStats configuration.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This option requires you to reload SecureServ or restart NeoStats to take effect</p></div><pre class="screen">/msg SecureServ set HOST <host></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e482"></a>3.5. REALNAME Setting</h3></div></div></div><p>This option allows you to customize the realname (or Gecos) that SecureServ uses when it signs onto your Network. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This option requires you to reload SecureServ or restart NeoStats to take effect</p></div><pre class="screen">/msg SecureServ set REALNAME <realname></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e492"></a>3.6. EXCLUSIONS Setting</h3></div></div></div><p>This option enables SecureServ to use the Global Exclusions list that is control by the main NeoStats bot. This allows you to maintain a "global" exclusion list that is applicable to all modules in NeoStats, and then only apply individual exclusions to SecureServ. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This option only becomes effective on new users joining your Network. Existing users that are already connected when you enable this option will not be rescanned for exclusions, as the Global Exclusions are only effected when a new user signs onto the Network. 
In order to make the global exclusions list effective straight away, you should restart NeoStats.</p></div><p>If you wish to enable or disable the Global Exclusions lists, issue the following command</p><pre class="screen">/msg SecureServ set EXCLUSIONS <ON/OFF></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e504"></a>3.7. VERSION Setting</h3></div></div></div><p>When users sign onto your IRC network, SecureServ or NeoStats will issue a "CTCP VERSION" command to the clients, as many Trojans/WarScripts/Virus's have unique replies to CTCP Version requests.</p><p>When SecureServ receives the reply, it compares it to the Definitions, and if there is a Match, will take action based on the Definition File (Either AKILL the user, Join them to a AV help channel, Warn the Operators, or just issue a warning message to the users)</p><p>If you wish to turn off the CTCP VERSION checks, issue the following command</p><pre class="screen">/msg SecureServ set VERSION <ON/OFF></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e515"></a>3.8. CHECKFIZZER Setting</h3></div></div></div><p>SecureServ can Detect the Fizzer Worm on your IRC network. If you are not affected by Fizzer, its advisable to turn this option off, as it affects performance.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set CHECKFIZZER <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e524"></a>3.9. DOONJOIN Setting</h3></div></div></div><p>This setting decides if SecureServ should perform OnJoin Virus Checking. When enabled, every CYCLETIME Seconds, SecureServ will create a psydo user and join a random channel. 
When this setting is off, SecureServ will not check random channels for OnJoin Viruses.</p><p>To Change this Setting, issue the following Command:</p><pre class="screen">/msg SecureServ set DOONJOIN <ON/OFF></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e533"></a>3.10. ONJOINBOTMODES Setting</h3></div></div></div><p>This option defines what usermodes the OnJoin Bots will have when they "Sign-On" to your network. By default no modes are assigned, but you may wish to assign some Oper or Helper or Services flags so that users at least can easily identify that the OnJoinBot is part of your services if they Whois the OnJoin Bot.</p><p>If you wish to change the modes, issue the following command</p><pre class="screen">/msg SecureServ set ONJOINBOTMODES <modes></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e542"></a>3.11. CYCLETIME Setting</h3></div></div></div><p>SecureServ automatically creates new "pseudo" users that randomly join channels looking for OnJoin viruses or SPAM. This option changes the interval at which SecureServ will Cycle the random users and channels. On a Large network, you should aim for a smaller value, so it covers more of your channels quicker, but on a smaller network, this may become annoying for your users, so a higher value is recommended.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set CYCLETIME <SECONDS> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e551"></a>3.12. DOPRIVCHAN Setting</h3></div></div></div><p>This setting controls whether SecureServ will check Private Channels. Private Channels are defined by the Channel Modes +I, +k +s +p or +O. Enabling this option forces SecureServ to check these channels. 
Disabling this feature means SecureServ will never check these channels unless forced via a /msg SecureServ check <chan></p><p>To Change this Setting, issue the following Command:</p><pre class="screen">/msg SecureServ set DOPRIVCHAN <ON/OFF></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e560"></a>3.13. MULTICHECK Setting</h3></div></div></div><p>By Default, when SecureServ identifies a Positive Match for a Trojan/Virus etc., it takes action straight away, and discontinues checking for any other matches. This option tells SecureServ, even if it does find a Match, to continue checking, so that the user is warned of all matches, and not just the first one found.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Enabling MULTICHECK on a large network is not advised due to performance reasons.</p></div><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set MULTICHECK <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e572"></a>3.14. MONBOT Setting</h3></div></div></div><p>SecureServ has the option to assign one of the random bots to stay in a channel all the time, instead of cycling like the ONJOIN bots do. This option sets which bot will be used to monitor the channels specified in the MONCHAN command. A listing of available bots is obtained via the Bots Command.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set MONBOT <bot> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e581"></a>3.15. MONCHANCYCLE Setting</h3></div></div></div><p>This setting specifies if SecureServ should cycle the MONCHANs periodically (by default, it cycles one channel at the interval specified by the MONCHANCYCLETIME setting). 
This can help detect OnJoin viruses in the channels where you have specified a monitor bot should be placed.</p><p>To Change this setting, issue the following Command:</p><pre class="screen">/msg SecureServ set MONCHANCYCLE <ON/OFF></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e590"></a>3.16. MONCHANCYCLETIME Setting</h3></div></div></div><p>This setting specifies the interval at which SecureServ will cycle one of the monchans. By Default, if MONCHANCYCLE is enabled, every 30 minutes, one of the MONCHANs will be selected and the monbot will cycle the channel looking for ONJOIN viruses. For example, if you are monitoring 4 channels, each channel will only be cycled every 2 hours (30 minutes x 4 channels) so you should adjust this value accordingly.</p><p>To Change this setting, issue the following Command:</p><pre class="screen">/msg SecureServ set MONCHANCYCLETIME <seconds></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e599"></a>3.17. BOTECHO Setting</h3></div></div></div><p>This option makes SecureServ echo any messages that the onjoin bots or the monbot receive to the services channel. This can help you monitor for potentially new onjoin viruses, or monitor for spam users.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set BOTECHO <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e608"></a>3.18. BOTQUITMSG Setting</h3></div></div></div><p>This option specifies the "Quit" message that an Onjoin bot will use when it's finished scanning. If not set, it uses a default message.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set BOTQUITMSG <msg> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e617"></a>3.19. 
HELPERS Setting</h3></div></div></div><p>This option enables the SecureServ Helper SubSystem. It allows you to grant users access to SecureServ to manage any user that is joined to your help channel. See the Helpers section in the introduction for more information on helpers.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set HELPERS <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e626"></a>3.20. AUTOSIGNOUT Setting</h3></div></div></div><p>SecureServ has the ability to automatically log out helpers that set themselves away while logged in. This ensures that infected users are only joined to the help channel if a helper is available to help them.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set AUTOSIGNOUT <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e635"></a>3.21. JOINHELPCHAN Setting</h3></div></div></div><p>SecureServ can optionally join the help channel when the first helper logs in, and leave the help channel when the last helper logs out. No additional functionality is provided when SecureServ joins the channel; it's only for the "look" and "feel" of having SecureServ in your antivirus channel.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set JOINHELPCHAN <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e644"></a>3.22. 
SVSJOIN Setting</h3></div></div></div><p>If you don't want SecureServ to automatically join some infected users to your help channel, then turn off SVSJOIN. If a user is then matched against a signature that specifies it should SVSJOIN the user, SecureServ will akill the user instead.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>This option does not turn on a global option for actions SecureServ performs. Instead it just specifies what SecureServ should do if a signature specifies SVSJOIN as the action.</p></div><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set SVSJOIN <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e656"></a>3.23. HELPCHAN Setting</h3></div></div></div><p>If your network has an AntiVirus Channel setup, HELPCHAN sets that channel name. The default is #nohack.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set HELPCHAN <NAME> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e665"></a>3.24. NOHELPMSG Setting</h3></div></div></div><p>If there are no helpers logged into SecureServ and a user is infected with a Signature that specifies SVSJOIN, this is the message that is sent to the user informing them there are no users available, and it then proceeds to AKILL the infected user.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set NOHELPMSG <msg> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e674"></a>3.25. REPORT Setting</h3></div></div></div><p>SecureServ has the option to report positive infections to the secure.irc-chat.net site, both for statistical purposes and, in future, for a blacklist-type setup. 
Enabling this option means that statistics about infections can be reported to you on the secure.irc-chat.net site as well as providing Summarized data to the public (No Private information, such as infected hostnames, or your network's infection rate is reported to the public though - See the secure.irc-chat.net site for more information).</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>You must have configured a NeoNet account in your NeoStats configuration for this option to be enabled.</p></div><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set REPORT <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e686"></a>3.26. AKILL Setting</h3></div></div></div><p>If you do not wish SecureServ to ever AKILL a user for a positive match, turn this option off. It will then just issue a warning to all operators about the Client, and Operators are free to do as they see fit.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set AKILL <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e695"></a>3.27. AKILLTIME Setting</h3></div></div></div><p>This setting changes the Timeout value for AKILLs that SecureServ sets when it detects an "infection".</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set AKILLTIME <SECONDS> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e704"></a>3.28. AKILLMSG Setting</h3></div></div></div><p>This option allows you to customize the message sent to users when they are AKILLED. You can point them to your website or provide additional information to help them if required. 
</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set AKILLMSG <MSG> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e713"></a>3.29. AUTOUPDATE Setting</h3></div></div></div><p>If SecureServ has been Configured with a username and password (as Covered in Section 2.2), you can optionally set up SecureServ to automatically check and download new dat files if available on a Daily basis. If you prefer to manually update the DAT files via /msg secureserv update, then disable this option.</p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set AUTOUPDATE <ON/OFF> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e722"></a>3.30. AUTOUPDATETIME Setting</h3></div></div></div><p>This option specifies how often to Check for new Dat files. </p><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set AUTOUPDATETIME <SECONDS> </pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e731"></a>3.31. VERBOSE Setting</h3></div></div></div><p>If you like to know what SecureServ is doing (and like to be flooded in the #services channel), then enable this option.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Not Recommended on a Large Network. SecureServ can get quite busy!</p></div><p>To Change the setting, issue the following Command:</p><pre class="screen">/msg SecureServ set VERBOSE <ON/OFF> </pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="d0e743"></a>4. Operational Commands</h2></div></div></div><p>SecureServ has a number of commands that you can issue it in order to perform checks or operations on your IRC network. 
These commands aid Administrators in keeping their network secure, and keeping SecureServ up to date.</p><p>The following list summarizes these commands:</p><div class="itemizedlist"><ul type="disc"><li><p>HELP</p></li><li><p>VERSION</p></li><li><p>ABOUT</p></li><li><p>CREDITS</p></li><li><p>LEVELS</p></li><li><p>SET</p></li><li><p>LOGIN</p></li><li><p>LOGOUT</p></li><li><p>ASSIST</p></li><li><p>CHPASS</p></li><li><p>CHECKCHAN</p></li><li><p>LIST</p></li><li><p>STATUS</p></li><li><p>MONCHAN</p></li><li><p>BOTS</p></li><li><p>CYCLE</p></li><li><p>RELOAD</p></li><li><p>HELPERS</p></li><li><p>EXCLUDE</p></li><li><p>UPDATE</p></li></ul></div><p>The following Sections Describe these commands in detail</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e813"></a>4.1. HELP Command</h3></div></div></div><p>The help command allows the users to access the online help for the different commands available. You can get general help about the available commands, or can access more specific information about a command.</p><p>To see the help pages, use the following format:</p><pre class="screen">/msg SecureServ help [command]
</pre><p>command is optional and only required if you want more specific information about a particular command</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e824"></a>4.2. VERSION Command</h3></div></div></div><p>This command displays the Version of SecureServ, and the dat files. </p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ version
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e833"></a>4.3. ABOUT Command</h3></div></div></div><p>The about command shows a brief description of the Bot and its purpose.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ about
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e842"></a>4.4. CREDITS Command</h3></div></div></div><p>The credits command shows details about the authors of or contributors to the Module.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ credits
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e851"></a>4.5. LEVELS Command</h3></div></div></div><p>The levels command allows you to adjust the security of each command available in this module. You can make certain commands only available to higher "level" users in NeoStats. </p><p>For more information about NeoStats Levels and Security, please consult the NeoStats Manual.</p><p>To list the currently configured levels, issue the following command:</p><pre class="screen">/msg SecureServ levels list
</pre><p>To change the minimum level required to execute a command, issue the following command:</p><pre class="screen">/msg SecureServ levels <command> <level></pre><p>Where:</p><p>command = is the actual command name you wish to modify</p><p>level = a number between 0 and 200 that specifies the new level.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e872"></a>4.6. SET Command</h3></div></div></div><p>The set command allows you to modify settings applicable to this module. For a complete description of the available set options, please consult the Detailed Configuration Section of this manual.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e877"></a>4.7. LOGIN Command</h3></div></div></div><p>This command allows a "helper" or trusted user that mans your Antivirus or help channel to login to SecureServ to gain additional functionality with regards to handling infected users. The helpers must have a valid login account and password as set in the helpers command.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ login <login> <pass></pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e886"></a>4.8. LOGOUT Command</h3></div></div></div><p>This command allows a logged in helper to logout of SecureServ if he is going to be away or not paying attention to the help channel for a period of time. You should encourage your users to logout if they can not provide timely response to infected users that may be forcejoined to the channel.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ logout</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e895"></a>4.9. 
ASSIST Command</h3></div></div></div><p>This option is only available to "helpers" that have logged into SecureServ and is used to control SecureServ's limits over users that have been identified as infected with simple viruses and joined to a help channel. It allows the "helpers" to either release a user from SecureServ's restrictions, or kill un-cooperative, or un-responsive users from the network. The helpers may only perform these actions on users that SecureServ has identified as infected with a simple virus, and automatically joined to the help channel. Helpers may not "kill" users that SecureServ has NOT identified as infected.</p><p>The format of the assist command is as follows:</p><pre class="screen">/msg SecureServ assist release/kill <target></pre><p>The release option allows the user to join all previous channels and continue as normal. After release is used on a user, a helper can no longer kill the target.</p><p>The kill option removes the user from the network via an akill command and broadcasts a message to all opers indicating the helper that used the kill command, and the initial virus the user was detected as having.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e908"></a>4.10. CHPASS Command</h3></div></div></div><p>This option is only available to "helpers" that have logged into SecureServ and is used to change the password that they use to log in to SecureServ. </p><p>The format of the chpass command is as follows:</p><pre class="screen">/msg SecureServ chpass <newpass></pre><p>Where:</p><p>newpass = The new password to set your helper account to</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e921"></a>4.11. CHECKCHAN Command</h3></div></div></div><p>If you suspect that a user in a Channel is infected with an OnJoin virus, you can force SecureServ to check the channel on your behalf. 
If SecureServ finds any infection in the channel, it will take the normal action associated with that virus.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ checkchan <chan>
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e930"></a>4.12. LIST Command</h3></div></div></div><p>The List command shows a brief list of all the Definitions that SecureServ currently has loaded. These are direct from the Dat file that is downloaded from the <a href="#">http://secure.irc-chat.net</a> website.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ list
</pre><p>More detail about each "Virus" can be found at the <a href="#">http://secure.irc-chat.net/</a> site by searching for the Virus Name.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e947"></a>4.13. STATUS Command</h3></div></div></div><p>This command gives the Administrator statistics on how SecureServ is performing, how many checks it has conducted, and currently logged in "helper" users.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ status
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e956"></a>4.14. MONCHAN Command</h3></div></div></div><p>This option allows you to manipulate the list of channels that will be monitored all the time by SecureServ for Private Message type viruses. The bot that joins these channels is specified in the monbot section of the set command. You should also investigate the MONCHANCYCLE and MONCHANCYCLETIME options listed above on how to enable the monbot to cycle these monitored channels, as an OnJoin bot will not check a MONCHAN channel.</p><pre class="screen">/msg SecureServ monchan list</pre><p>This option lists all the channels that will be monitored. If the channels do not exist when SecureServ is started, they will be joined when the first user joins the channel. When the last user leaves the channel, the bot will also leave the channel.</p><pre class="screen">/msg SecureServ monchan add <chan></pre><p>This option adds a channel to be monitored.</p><pre class="screen">/msg SecureServ monchan del <chan></pre><p>This option deletes a channel from the monitored list.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e973"></a>4.15. BOTS Command</h3></div></div></div><p>This option allows you to manipulate the random bot list that is used to join random channels (or channels monitored with the monchan command, as detailed below). 
The available options are:</p><pre class="screen">/msg SecureServ bots list</pre><p>This option lists all available bots.</p><pre class="screen">/msg SecureServ bots add <nick> <ident> <host> <realname></pre><p>This option adds a bot with the nickname, ident, host and realname as specified in the command to the list of bots that will be used to randomly join a channel.</p><pre class="screen">/msg SecureServ bots del <num></pre><p>This option deletes a bot from the available bots if it's not currently in use.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e990"></a>4.16. CYCLE Command</h3></div></div></div><p>This command forces SecureServ to part the existing channel it is checking and join the next random Channel.</p><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ cycle</pre><p>The next channel is chosen at random, but is guaranteed not to be the previous channel it checked.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e1001"></a>4.17. RELOAD Command</h3></div></div></div><p>This option reloads the viri.dat and customviri.dat files. It's not the same as an update command, as it does not attempt to download new dat files from the http://secure.irc-chat.net site. It's useful if you make a change to your customviri.dat file.</p><p>The format of the reload command is as follows:</p><pre class="screen">/msg SecureServ reload</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e1010"></a>4.18. HELPERS Command</h3></div></div></div><p>Helper lists let you grant non-privileged users the ability to maintain your Virus help channel and help users that are infected with viruses that could be removed with simple instructions (such as Spam Viruses that infect mIRC). 
These users are granted the ability to "release" an infected user from SecureServ or kill un-cooperative, or unresponsive users that SecureServ has identified as being infected. Users that have been joined to the help channel are "held" by SecureServ and are usually prevented from joining other channels (if your IRCd supports this option). This can be helpful so you can clean up users that are infected with simple script-based viruses and you require their attention to help you clean their computer. More information about the commands available to use on infected users is available via the assist command detailed below.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Although SecureServ limits who a "Helper" may kill (only infected users joined to the Help Channel) you should only give out login accounts to trusted users.</p></div><p><span class="bold"><strong>Adding an Entry</strong></span></p><p>To add an entry to the Helper list, use the following format:</p><pre class="screen">/msg SecureServ helpers add <login> <pass> </pre><p>Where:</p><p><login> = The login name to use to gain access. Does not have to be a nickname.</p><p><pass> = The password to use to login</p><p>The output is as follows:</p><pre class="screen">>secureserv< helpers add myhelper mypass
-SecureServ- Successfully added Helper myhelper with Password mypass to Helpers List
</pre><p><span class="bold"><strong>Listing an Entry</strong></span></p><p>To list the helpers, simply type:</p><pre class="screen">/msg SecureServ helpers list</pre><p>And all the helpers are listed. Additionally, if a nickname is provided after the login name, it means that this nick is logged into this particular helper account.</p><p>The output is as follows:</p><pre class="screen">>secureserv< helpers list
-SecureServ- Helpers List (2):
-SecureServ- fish (Fish)
-SecureServ- myhelper (Not Logged In)
-SecureServ- End of List.
</pre><p><span class="bold"><strong>Deleting an Entry</strong></span></p><p>To delete an entry, you must provide the login name you wish to delete. The format of the command is as follows:</p><pre class="screen">/msg SecureServ helpers del <login></pre><p>Where:</p><p><login> is the login account you wish to delete.</p><p>The output of the command is as follows:</p><pre class="screen">>secureserv< helpers del myhelper
-SecureServ- Deleted myhelper from Helpers List
</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e1063"></a>4.19. EXCLUDE Command</h3></div></div></div><p>Exclusion lists allow you to specify certain Hostmasks, Servers, or Channels that should be excluded from monitoring by SecureServ. This exclusion list would allow an administrator to, say, allow users on that are matched against Trojans, when the administrator has verified that the Trojan does not in fact exist on the user's host.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Exclusions should be set up for your Services Server, so that SecureServ does not try to scan ChanServ, or NickServ, or any of the bots relating to Nickname protection.</p></div><p>With NeoStats 3.0, you should also be aware that there are two types of Exclusion Lists. There are "Global" exclusion lists that all modules may optionally use, and there are module-specific exclusion lists. SecureServ defaults to not using the Global Exclusion lists. You can enable it by the following command:</p><pre class="screen">/msg SecureServ set exclusions on</pre><p><span class="bold"><strong>Adding an Entry</strong></span></p><p>To add an entry to the Exclusion list, use the following format:</p><pre class="screen">/msg SecureServ exclude add <host/Server/Channel/UserHost> <pattern> <reason></pre><p>Where:</p><p><Host/Server/Channel/UserHost> = The type of exclusion you are adding. The different types are:</p><div class="itemizedlist"><ul type="disc"><li><p>Host - The User's real (Internet) Hostname</p></li><li><p>Server - The server the User is connecting to. You should ensure you add an exclusion for your Services Server</p></li><li><p>Channel - A specific channel on your IRC Network</p></li><li><p>UserHost - The User's Virtual Hostname (IRC)</p></li></ul></div><p><pattern> = The pattern you wish to match on. 
May include wildcard characters such as * and ?</p><p><reason> = a short description of the exclusion, for operator reference only.</p><p>The output is as follows:</p><pre class="screen">[13:20] -SecureServ- Added *.blah.com (userhost) to exclusion list
[13:20] SecureServ Fish added *.blah.com (userhost) to the exclusion list</pre><p><span class="bold"><strong>Listing an Entry</strong></span></p><p>To list the Exclusions, simply type:</p><pre class="screen">/msg SecureServ exclude list</pre><p>And all the current exclusions are listed. Additionally, a Position number is provided for use with the delete command. The output is as follows:</p><pre class="screen">[13:21] -SecureServ- Exclusion list:
[13:21] -SecureServ- #bothouse (Channel) Added by Fish on Sat Aug 13 2005 01:20 AM SGT for Requested
[13:21] -SecureServ- #ircop (Channel) Added by Fish on Sat Aug 13 2005 07:40 PM SGT for IRCop channel
[13:21] -SecureServ- *irc-chat.net (Host) Added by Fish on Tue Aug 09 2005 10:13 PM SGT for Services Exclusion
[13:21] -SecureServ- chieftess!*@* (Userhost) Added by Fish on Tue Aug 09 2005 10:14 PM SGT for buggy client
[13:21] -SecureServ- *.blah.com (Userhost) Added by Fish on Sun Jan 15 2006 01:20 PM SGT for Cause Blah.com is cool
[13:21] -SecureServ- End of list.</pre><p><span class="bold"><strong>Deleting an Entry</strong></span></p><p>To delete an entry, you should first look up the Position of the entry that you wish to delete. The format of the command is as follows:</p><pre class="screen">/msg SecureServ exclude del <pattern></pre><p>Where:</p><p><pattern> is the pattern of the entry you wish to delete in the list</p><p>The output of the command is as follows:</p><pre class="screen">[13:22] SecureServ Fish used EXCLUDE
[13:22] -SecureServ- *.blah.com delete from exclusion list</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e1133"></a>4.20. UPDATE Command</h3></div></div></div><p>This command forces SecureServ to check the Dat File version at <a href="#">http://secure.irc-chat.net/</a> and download the latest version if required.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Repeated use of this command in a short period of time will result in your account at secure.irc-chat.net being suspended for abuse. Use with CARE</p></div><p>The format of the command is as follows:</p><pre class="screen">/msg SecureServ update</pre></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="d0e1148"></a>5. Custom Definitions</h2></div></div></div><p>You can create your own definitions to be used by SecureServ, but it requires a bit of programming skill, and knowledge of how to detect the trojan/virus.</p><p>We have enabled SecureServ to obtain additional definitions from a custom, administrator-defined definition file. This allows IRC administrators to add additional signatures to SecureServ to ban clients that the IRC network does not permit. A common signature is one for Bottlers or IRCork clients. The only drawback is that the definition file is not simple, and some degree of programming knowledge is required.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e1155"></a>5.1. Custom Definitions file</h3></div></div></div><p>If you wish to create your own custom definition, follow these steps:</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="d0e1160"></a>5.1.1. 
Create customviri.dat file</h4></div></div></div><p>With a text editor, create a new file called customviri.dat in your ~/NeoStats/data directory.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="d0e1165"></a>5.1.2. Add entries to customviri.dat</h4></div></div></div><p>The format of the customviri.dat file is as follows:</p><div class="example"><a name="d0e1170"></a><p class="title"><b>Example 1. customviri.dat</b></p><p><span class="emphasis"><em>name</em></span> <span class="emphasis"><em>dettype</em></span> 0 0 "<span class="emphasis"><em>detectionregex</em></span>" "<span class="emphasis"><em>message</em></span>" <span class="emphasis"><em>action</em></span></p><p>It is very important that you follow the spacing format; otherwise your custom definition will fail to load.</p><p>Each individual field is described below:</p><p><span class="bold"><strong><code class="varname">name</code></strong></span></p><p>This is the virus name. It can be any combination of upper and lower case characters or numbers, but cannot contain spaces or punctuation.</p><p><span class="bold"><strong><code class="varname">dettype</code></strong></span></p><p>This defines how SecureServ should use this signature to detect Trojans. 
It is a number and can only be one of the following:</p><p><span class="bold"><strong><span class="type">0 - CTCP Version check.</span></strong></span> This tries to match the detectionregex against a received CTCP version reply.</p><p><span class="bold"><strong><span class="type">1 - Private Message.</span> </strong></span>This tries to match the detectionregex against a private message received by the onjoin bots or monbot.</p><p><span class="bold"><strong><span class="type">2 - Nick.</span></strong></span> This tries to match the detectionregex against a nickname.</p><p><span class="bold"><strong><span class="type">3 - Ident.</span> </strong></span>This tries to match the detectionregex against an ident.</p><p><span class="bold"><strong><span class="type">4 - Realname.</span></strong></span> This tries to match the detectionregex against a user's real name.</p><p><span class="bold"><strong><span class="type">5 - Channel.</span> </strong></span>This tries to match the detectionregex against a channel name.</p><p><span class="bold"><strong><span class="type">6 - Channel Message.</span> </strong></span>This tries to match the detectionregex against a channel message (only channels that are monitored by MONBOTS or ONJOINBOTS).</p><p><span class="bold"><strong><span class="type">6 - Away Message.</span> </strong></span>This tries to match the detectionregex against an away message that a client sets.</p><p><span class="bold"><strong><span class="type">6 - Topic Message.</span> </strong></span>This tries to match the detectionregex against a channel topic.</p><p><span class="bold"><strong><span class="type">10 - Internal.</span></strong></span> This is reserved.</p><p><span class="bold"><strong><code class="varname">detectionregex</code></strong></span></p><p>This field is used to define how to detect a Trojan. If, for example, we specify a value of 0 in the dettype, then this is a regular expression that is applied to all CTCP VERSION replies that SecureServ receives. 
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>This is a "Regular Expression" field. It is not the same as a wildcard field. Regular expressions are much more powerful pattern matching expressions than the standard ? and * options available in typical filesystem or IRC pattern matching code. If you have never used regular expressions before, I STRONGLY suggest you test your "Regular expression" code with a utility called "pcretest", available as part of libpcre at www.pcre.org. Additionally, you should try to learn the pattern matching language. This can be done by looking at the man page for "perlre" or the documentation available on www.pcre.org. If you get your pattern matching code wrong, you have the ability to kill everyone on your IRC network, so be extremely careful.</p></div><p>This field must be enclosed in double quotation marks (") and if you use " in your regular expression, you must escape them.</p><p><span class="bold"><strong><code class="varname">message</code></strong></span></p><p>This is the private message sent to the "Infected" user when they are matched against this definition. As customviri.dat definitions do not direct users to the secure.irc-chat.net site, you should provide as much information as possible in this, or optionally, direct them to your own hosted IRC page. You should place your message inside double quotation marks (") and if you use " in your regular expression, you must escape them.</p><p><span class="bold"><strong><code class="varname">action</code></strong></span></p><p>This field defines what SecureServ should do when it matches a user against this definition. The field is a number only and should only be one of the following.</p><p><span class="bold"><strong><span class="type">0 - SVSJOIN.</span></strong></span> On IRCds that support SVSJOIN, the user is automatically joined to the help channel, and any online opers are notified of the user's infection. 
If no helpers are logged in, then the user is akilled instead.</p><p><span class="bold"><strong><span class="type">1 - AKILL.</span></strong></span> Akill the user from the IRC network.</p><p><span class="bold"><strong><span class="type">2 - WARN.</span></strong></span> Send the message to the user indicating they matched a definition, warn the operators via a global message, and do nothing else.</p><p><span class="bold"><strong><span class="type">3 - NOTHING.</span></strong></span> Only send the message to the user. Do not take any further action.</p><p><span class="bold"><strong><span class="type">3 - KILL.</span></strong></span> Just issue a standard kill message for the infected user.</p><p>We don't support any customviri.dat definitions, either through the secure.irc-chat.net site or via our boards, though members of the community may choose to share their customviri.dat files. If you are in doubt or unsure about creating your own customviri.dat files, you should always test them with the warn or nothing option as the action type until you are sure that you have the matching correct.</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="d0e1310"></a>5.1.3. Reload the definitions</h4></div></div></div><p>If SecureServ is already operating, you can reload the definitions by issuing a /msg SecureServ reload command. This will make SecureServ reload both the viri.dat file and the customviri.dat file. Your customviri.dat entries will be placed before any viri.dat entries, so if you wish to override the action of a viri.dat entry, you can place a copy in the customviri.dat file.</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="d0e1315"></a>6. Final Words</h2></div></div></div><p>This section is my "Rant" for SecureServ. 
Although you don't need to read it to operate SecureServ, it does provide you with some tips.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="d0e1320"></a>6.1. Dealing with Un-detected Attacks/Trojans/Virus etc</h3></div></div></div><p>If you come across a new "Trojan" or Virus or attack on your network, it might be possible to update SecureServ to be able to detect these new "Viruses".</p><p>If you wish us to consider adding support to SecureServ's Definition files for new "Viruses", please provide us with the following information via http://secure.irc-chat.net/ using the "submit new" link (only available when logged in as a member).</p><p>The following information is required:</p><div class="itemizedlist"><ul type="disc"><li><p>The output from /whois &lt;infected user&gt;</p><p>If there are multiple Infected users, please provide multiple /whois outputs. This will aid us in determining a pattern.</p></li><li><p>The results from a /ctcp &lt;infected user&gt; version command, if any</p></li><li><p>Logfile extracts of the behavior of the bot that makes you suspect it is a new Trojan/Virus</p><p>We will NOT add detection to SecureServ for anything we cannot verify is in fact a risk to IRC security. If you submit to us the details of a script that a user is using, because you don't like the colors, Tough. 
Find some other way to deal with that user.</p></li><li><p>Details of your IRC network</p><p>So that we may contact you directly on your network if we require additional information or wish to see the "Virus" in the wild.</p></li></ul></div><p>Before adding new items to the Definitions, we do as much research as possible, and also share this information with other "IRC Security" professionals or teams in order to determine the most effective way to detect this "infection".</p><p>Additionally, we will add "warning" messages to users that are running old copies of IRC software that are vulnerable to security issues (such as ones that allow a hacker to break into the user's computer via IRC) and advise the user to upgrade their IRC client. If you are the author of a script or IRC client that has had security issues in the past, and wish us to add this "warning" to the Definitions, please contact us directly.</p></div></div></div></body></html>
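A pre-load check for the customviri.dat entry format described in section 5.1.2, written for this page as an added example and not part of SecureServ: it validates each field and flags a detectionregex that matches benign input before the file is reloaded on a live network. Assumptions: single-space separators, the literal "0 0" fields, backslash-escaped quotes, Python's re module standing in for PCRE (pcretest remains the authoritative check), and constructed sample entries and benign strings.

```python
import re

# Values listed in section 5.1.2; dettype 10 is documented as reserved.
DETTYPES = {0, 1, 2, 3, 4, 5, 6}
ACTIONS, WARN = {0, 1, 2, 3}, 2  # 2 = WARN, the notify-only action
# Assumed layout: single spaces, literal "0 0", backslash-escaped quotes.
LINE_RE = re.compile(
    r'^(?P<name>\S+) (?P<dettype>\d+) 0 0 '
    r'"(?P<regex>(?:[^"\\]|\\.)*)" "(?P<message>(?:[^"\\]|\\.)*)" '
    r'(?P<action>\d+)$')
# Constructed benign strings that a signature should never hit.
BENIGN = ["mIRC v6.35 Khaled Mardam-Bey", "xchat 2.8.8 Linux", "Alice", "#help"]

def lint_line(line, benign=BENIGN):
    """Return the problems found in one customviri.dat entry."""
    m = LINE_RE.match(line)
    if not m:
        return ['layout: expected name dettype 0 0 "regex" "message" action']
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]+", m["name"]):
        problems.append("name: only letters and digits are allowed")
    if int(m["dettype"]) not in DETTYPES:
        problems.append("dettype: not a usable value from the manual")
    action = int(m["action"])
    if action not in ACTIONS:
        problems.append("action: not a value the manual lists")
    try:
        rx = re.compile(m["regex"])  # Python re stands in for PCRE here
    except re.error as exc:
        return problems + [f"regex: does not compile ({exc})"]
    # The empty string is included so patterns such as ".*" are caught.
    hits = [s for s in ["", *benign] if rx.search(s)]
    if hits:
        level = "warning" if action == WARN else "DANGER"
        problems.append(f"regex: {level}, matches {len(hits)} benign samples: {hits}")
    return problems

def lint_file(text):
    """Map 1-based line numbers to problems; clean entries are omitted."""
    lines = enumerate(text.splitlines(), 1)
    return {n: p for n, l in lines if l.strip() and (p := lint_line(l))}

# Constructed sample entries, not taken from any real definition file.
SAMPLE = r'''ExampleBot 0 0 0 "^ExampleBot v[0-9]+\.[0-9]+$" "Local signature match" 2
CatchAll 0 0 0 ".*" "You matched" 1
Bad-Name 2 0 0 "^evil" "msg" 2
BadRegex 2 0 0 "^(evil" "msg" 2
OddType 7 0 0 "IRC" "msg" 2'''

if __name__ == "__main__":
    print(lint_file(SAMPLE))
```

Replace BENIGN with strings captured from your own network for the dettype being tested, such as real CTCP VERSION replies from permitted clients.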