This weekend kicked my ass. Usually weekends are more or less just a fat chunk of time that I use to veg and relax. This weekend I didn't do much relaxing though.

I saw the movie Grindhouse with my dad and a couple of his friends from college. It was a great movie. Some people were complaining that being over 3 hours long, it was too much for a typical movie-goer. Well, the 3 hours went by very quickly. I liked the first movie, Planet Terror, a helluva lot more than Death Proof. Death Proof was just boring. It had a lot of talking, a car chase that lasted way too long and had too much repetition, and the action in it was lacking. Planet Terror was fucking awesome. It was non-stop zombie horror action. It was super ridiculous (which made it good). Dialogue was hilarious as well. I definitely recommend that everyone see Grindhouse.

Next on the line-up we had an external report about some bots on IRC at work. My bot detector didn't catch them though. At the time that the report came in, I hopped on IRC and checked to see if any nodes were connected from work. Nothing showed up though, so that may explain it. Anyways, I've been busy modding the bejezus out of the bot script. I've added lots of crap:

  • forking daemons for servers
  • app supports an arbitrary number of servers
  • arbitrary number of bot nicks
  • an exemption list for nicks
  • recording conversations from people who speak to the bot
  • alert table for when it finds another nick on the server
  • arbitrary 'who' list
  • it also uses a sqlite backend
  • in the process of adding a netflow interface right now
  • and adding a bro interface sometime this week

Lots of crap eh? The netflow and BRO interfaces are supplemental data inputs for detecting bots. The app is able to create bots on the fly, so what the interfaces will do is basically give the app more IRC servers to watch for bots.

The app will read netflow and watch for outgoing IRC connections. Any new connections will cause the botmaster script to spawn a new bot that will connect to the destination IP and watch for connections from our site for ~24 hours, alerting as necessary. After that, the bot will die.

The app also will talk with BRO. BRO has an awesome IRC filter so we're going to piggy back on that. When BRO fires an IRC alert, the app will receive it and, if it's a new alert, will spawn a bot to watch that server for ~24 hours, alerting as necessary.
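The two feeds described above (netflow for outbound IRC connections, BRO for its IRC alerts) end up at the same decision: is this a server we are not already watching, and if so, start a ~24 hour watch. The scheduler below is an added example in Python (the post says the script is Python), not the author's botmaster code. It assumes a simple `src,dst,sport,dport,proto` flow line and a Bro alert carrying a `server` field, both constructed for the example; the IRC port list and the site address range are assumptions too. The "spawn" step only records the watch task rather than connecting anywhere, so the dedup and expiry logic can be run on its own.

```python
"""Turn outbound-IRC evidence (netflow records or Bro IRC alerts) into
time-limited watch tasks, one per IRC server, as the post describes.
Added example, not the author's botmaster script."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

# Ports commonly used by IRC servers; an assumption, the post does not list them.
IRC_PORTS = {6667, 6668, 6669, 6697}
WATCH_TTL = timedelta(hours=24)          # "~24 hours" from the post

# Constructed address space standing in for "our site"; replace with real ranges.
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_site_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITE_NETS)


@dataclass
class Watcher:
    server: str          # destination IP of the IRC server being watched
    source: str          # "netflow" or "bro": which feed produced the evidence
    started: datetime
    expires: datetime
    alerts: list = field(default_factory=list)


class BotWatchScheduler:
    def __init__(self):
        self.watchers = {}   # server ip -> Watcher

    def ensure_watcher(self, server, source, now):
        """Start a watch for a server unless one is already running.
        The post spawns an IRC bot here; this stand-in only records the task.
        Returns True when a new watcher was created."""
        w = self.watchers.get(server)
        if w is not None and w.expires > now:
            return False   # already watching this server
        self.watchers[server] = Watcher(server, source, now, now + WATCH_TTL)
        return True

    def on_netflow_line(self, line, now):
        """Parse one constructed flow line 'src,dst,sport,dport,proto' and
        react only to an outbound TCP connection from the site to an IRC port."""
        src, dst, sport, dport, proto = line.strip().split(",")
        if proto.lower() != "tcp" or int(dport) not in IRC_PORTS:
            return False
        if not is_site_ip(src) or is_site_ip(dst):
            return False   # inbound, or site-internal: not what we are looking for
        return self.ensure_watcher(dst, "netflow", now)

    def on_bro_irc_alert(self, alert, now):
        """alert: dict with at least 'server' (the IRC server IP). The field
        name is an assumption; real Bro notices carry different fields."""
        return self.ensure_watcher(alert["server"], "bro", now)

    def reap(self, now):
        """Kill watchers past their ~24 h lifetime; returns the expired servers."""
        dead = [s for s, w in self.watchers.items() if w.expires <= now]
        for s in dead:
            del self.watchers[s]
        return dead


def demo():
    """Feed constructed flows and alerts through the scheduler."""
    t0 = datetime(2007, 4, 9, 8, 0, 0)
    sched = BotWatchScheduler()
    flows = [
        "10.1.2.3,198.51.100.7,51234,6667,tcp",   # outbound IRC -> new watcher
        "10.1.2.3,198.51.100.7,51235,6667,tcp",   # same server -> deduplicated
        "10.1.2.4,198.51.100.9,51236,80,tcp",     # web traffic -> ignored
        "10.1.2.5,10.1.9.9,51237,6667,tcp",       # site-internal IRC -> ignored
    ]
    spawned = [sched.on_netflow_line(f, t0) for f in flows]
    spawned.append(sched.on_bro_irc_alert({"server": "203.0.113.5"}, t0))
    spawned.append(sched.on_bro_irc_alert({"server": "198.51.100.7"}, t0))
    expired = sched.reap(t0 + timedelta(hours=25))
    return spawned, sorted(expired)


if __name__ == "__main__":
    print(demo())
```

The dedup key is the server address alone, so a Bro alert for a server that netflow already surfaced does not start a second watcher; `reap` is what enforces the "after that, the bot will die" part and would be called from the daemon's main loop.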

It's almost all finished, so next week I'll be busy making sure it works and stays working. I've been re-learning python through the whole process though. I think Python sucks.

And if all that other stuff wasn't enough, I have to balance doing work on nessquik also. I have a lot of documentation to write before 2.5 can be released. I'm helping someone I met at Illinois Institute of Technology set up nessquik. He's installing it in XAMPP to test it, but XAMPP is being troublesome. Oh well.

One part of nessquik that I've been working on heavily this weekend is porting the Perl Nmap::Parser to PHP. Actually it's not so much porting as it is "gee I wonder how they did that" and move some of it to PHP. That's some bastardized code, lemme tell you. I only have a general knowledge of Perl and some of the crap that is being done there is just way too confusing. My classes will be available in nessquik as part of portscan-me-now. I need to move over to the Nmap XML output anyway because the raw output from Nmap looks really shitty and doesn't work well in a browser.
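The Nmap XML output (`-oX`) is the structure Nmap::Parser walks: an `nmaprun` root, one `host` per target with `status`, `address` and `hostnames` children, and a `ports/port` list where each port has a `state` and an optional `service`. The reader below is an added example of that parse in Python, not the PHP port going into nessquik; the XML report it consumes is constructed for the example and reproduces the real element and attribute names. The `as_table` helper shows the flat rows you would hand to a browser instead of Nmap's raw text.

```python
"""Reader for Nmap's XML output (-oX), the format Nmap::Parser handles.
Added example, not nessquik code; SAMPLE_XML is a constructed report."""
import xml.etree.ElementTree as ET

# For scan reports you did not generate yourself, parse with defusedxml's
# fromstring instead: the stdlib parser does not guard against entity-expansion
# (billion laughs) payloads.

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 10.0.0.5 10.0.0.6" version="4.20">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="box.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd"/></port>
<port protocol="tcp" portid="139"><state state="closed" reason="reset"/>
<service name="netbios-ssn"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="10.0.0.6" addrtype="ipv4"/></host>
<runstats><finished elapsed="60.00"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def _attr(elem, name):
    """Attribute value of an element that may be missing (find() returned None)."""
    return elem.get(name) if elem is not None else None


def parse_nmap_xml(xml_text):
    """Return {'args': str, 'hosts': [...]} with one dict per <host> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report")
    hosts = []
    for h in root.findall("host"):
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            product = " ".join(
                v for v in (_attr(svc, "product"), _attr(svc, "version")) if v
            )
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": _attr(p.find("state"), "state") or "unknown",
                "service": _attr(svc, "name"),
                "product": product or None,
            })
        hosts.append({
            "addr": _attr(h.find("address[@addrtype='ipv4']"), "addr"),
            "hostname": _attr(h.find("hostnames/hostname"), "name"),
            "state": _attr(h.find("status"), "state") or "unknown",
            "ports": ports,
        })
    return {"args": root.get("args"), "hosts": hosts}


def open_ports(report, addr):
    """Sorted open port numbers for one host; [] if the host is not in the report."""
    for h in report["hosts"]:
        if h["addr"] == addr:
            return sorted(p["port"] for p in h["ports"] if p["state"] == "open")
    return []


def as_table(report):
    """Flat (addr, port/proto, state, service) rows, ready for an HTML table."""
    rows = []
    for h in report["hosts"]:
        for p in h["ports"]:
            rows.append((h["addr"], f"{p['port']}/{p['proto']}",
                         p["state"], p["service"] or ""))
    return rows


if __name__ == "__main__":
    rep = parse_nmap_xml(SAMPLE_XML)
    for row in as_table(rep):
        print("\t".join(row))
```

Hosts that are down carry no `ports` element at all, which is why every lookup goes through `_attr` rather than indexing into the tree directly; a port whose service could not be identified simply has no `service` child and ends up with `service` set to `None`.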