decoy.pl works as follows:

it gets a line (url) from the standard input (squid), then checks whether this line matches any of a list of regular expression patterns. if a match is found it returns a specific url (usually an empty gif image, 1x1 transparent). if no match is found it returns an empty line.

decoy.pl will reload the configuration and the patterns list if either of those two files has been changed during decoy.pl's run time. a reload is also done on the HUP signal. checks for file changes are performed every 1 minute (this could be made configurable in the future).

for setup instructions see the INSTALL section below.
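The redirector loop described above, written out as an added example in Python (this is not decoy.pl's own code): read one squid line from stdin, match the url against a patterns file whose blank and '#' lines are skipped, answer with the redirect url or an empty line, and re-read the patterns file when its mtime changes or on HUP. The squid input format ("URL client/fqdn ident method"), the 60 second check interval and the sample patterns are assumptions; the redirect url is the value from the sample decoy.cfg below.

```python
import os
import re
import signal
import sys
import time

# Example value taken from the README's sample decoy.cfg.
REDIRECT = "http://192.168.3.1/pub/banner.gif"

# Constructed sample patterns file (not a list shipped with decoy.pl).
# Every line is a regular expression, so dots are escaped: an unescaped
# "ads.example.test" would also match "adsXexampleXtest", and a short
# pattern such as "ad" would redirect every url containing "download".
SAMPLE_PATTERNS = """
# known ad hosts (constructed sample)
ads\\.example\\.test
/banner/
"""


def parse_patterns(text: str) -> list:
    """Compile one regex per line; blank lines and lines starting with '#' are skipped."""
    compiled = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        compiled.append(re.compile(line))
    return compiled


def decide(url: str, patterns: list, redirect: str = REDIRECT):
    """Return the redirect url if any pattern matches the url, else None."""
    for pat in patterns:
        if pat.search(url):
            return redirect
    return None


def handle_line(line: str, patterns: list, redirect: str = REDIRECT) -> str:
    """Build the reply for one redirector input line.

    squid's classic redirect_program protocol (assumed here) sends
    "URL client_ip/fqdn ident method ..." and expects either the replacement
    url or an empty line back, exactly one reply per input line.
    """
    fields = line.split()
    if not fields:
        return ""
    target = decide(fields[0], patterns, redirect)
    return target if target is not None else ""


class PatternFile:
    """Patterns loaded from disk and re-read when the file's mtime changes."""

    def __init__(self, path: str, check_interval: float = 60.0):
        self.path = path
        self.check_interval = check_interval
        self.mtime = 0.0
        self.last_check = 0.0
        self.patterns = []
        self.reload()

    def reload(self) -> None:
        with open(self.path, encoding="utf-8") as fh:
            self.patterns = parse_patterns(fh.read())
        self.mtime = os.stat(self.path).st_mtime
        self.last_check = time.monotonic()

    def current(self) -> list:
        """Return the patterns, re-checking the file at most once per interval."""
        now = time.monotonic()
        if now - self.last_check >= self.check_interval:
            self.last_check = now
            if os.stat(self.path).st_mtime != self.mtime:
                self.reload()
        return self.patterns


def serve(path: str, redirect: str = REDIRECT) -> None:
    """Run as a squid redirector: one input line in, one reply line out."""
    pf = PatternFile(path)
    # HUP forces a reload, as the README describes for decoy.pl.
    signal.signal(signal.SIGHUP, lambda *_: pf.reload())
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, pf.current(), redirect) + "\n")
        sys.stdout.flush()  # squid waits for each reply, so never leave it buffered


if __name__ == "__main__":
    serve(sys.argv[1] if len(sys.argv) > 1 else "patterns.def")
```

Run it as `python3 redirector.py /usr/local/decoy/patterns.def` with squid's `redirect_program` pointing at it. Because every pattern line is a regular expression that is searched anywhere in the full url, keep patterns anchored or escaped; an over-broad pattern silently swallows legitimate requests, and a pathological one costs CPU on every request passing through the proxy.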
FILES

Used files are:

decoy.pl
  this is the main executable; it can be placed anywhere you want.

decoy.cfg
  this is the configuration file, which can be placed in one of these locations:
    /etc/decoy.cfg
    /usr/etc/decoy.cfg
    /usr/local/etc/decoy.cfg
    /usr/local/decoy/decoy.cfg
  and finally in the current working directory (for test purposes mostly).

patterns.def
  this file holds regular expressions (well, mostly simple strings matching known ad hosts). each line is considered one expression. empty lines or lines with a leading '#' are ignored. this file name is not fixed and can be changed in decoy.cfg.

access.log
  this file is used to log decoy.pl activity. its name is not fixed and can be changed in decoy.cfg (see CONFIGURATION).

profile.log
  this file is used to log used patterns, i.e. every matched pattern is logged for later statistics.
CONFIGURATION

sample decoy.cfg:

PATTERNS=/usr/local/decoy/patterns.def
LOG=/usr/local/decoy/access.log
PROFILE=/usr/local/decoy/profile.log
REDIRECT=http://192.168.3.1/pub/banner.gif

PATTERNS  which file to be loaded as the pattern definition.
LOG       which file to be used as the activity log.
PROFILE   which file to be used as the profile (pattern usage) log.
REDIRECT  url to which requests will be redirected if a pattern matches.
INSTALL

install decoy.pl anywhere you want. edit decoy.cfg as you want and put it in one of the locations mentioned in the FILES/decoy.cfg section above. edit squid.conf and set "redirect_program" to point to the location of decoy.pl. for example mine is:

redirect_program /usr/local/decoy/decoy.pl

restart squid.

this should be enough, if you have problems contact me :)
if you want to check what the top 10 matched patterns are, the simplest way to do it is:

cat profile.log | sort | uniq -c | sort -r | head -n 10

in the directory where 'profile.log' is. this only works if the profile log is enabled and its name is set to 'profile.log', otherwise you have to fix the command line above.

it is a good idea to add all the patterns you can think of (useful ones, really) and at the end of the month (or any time period you want) to sort the profile and use it as the patterns list. one way to do this is:

cat profile.log | sort | uniq -c | sort -r | cut -f 2 > patterns.def

this will overwrite your original patterns file, so make a copy before! this will not work if patterns contain spaces. the good thing is that profile entries are sorted by match count, so the most used patterns will be probed first.

it would be very nice if you send me your top 10 matched patterns with their hit counts, so I'll be able to maintain a usable sample of the patterns file with the decoy.pl distribution package.
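Both of the profile.log uses above (the top 10 listing and rebuilding patterns.def from the profile) as one added example in Python, not a tool shipped with decoy.pl. It counts whole lines, so patterns containing spaces survive, and it keeps a .bak copy of the old patterns file before overwriting it. The sample profile content is constructed; the one-pattern-per-line format is as the README describes.

```python
import os
import shutil
from collections import Counter
from typing import List, Tuple

# Constructed sample profile.log: one matched pattern per line, as the README
# describes.  The last pattern deliberately contains a space.
SAMPLE_PROFILE = """ads\\.example\\.test
/banner/
ads\\.example\\.test
track\\.example\\.test
ads\\.example\\.test
/banner/
/banner ads/
"""


def top_patterns(profile_text: str, limit: int = 0) -> List[Tuple[str, int]]:
    """Count matched patterns and rank them by hit count, most used first.

    Ties are broken alphabetically so the output is stable between runs.
    limit=0 returns every pattern; limit=10 is the README's "top 10".
    Whole lines are counted, so a pattern with spaces is not cut in half
    the way the cut -f 2 pipeline would.
    """
    counts = Counter(line for line in profile_text.splitlines() if line.strip())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit] if limit > 0 else ranked


def format_patterns(ranked: List[Tuple[str, int]]) -> str:
    """Render a ranked list as patterns.def content.

    decoy.pl ignores lines starting with '#', so the hit counts are kept
    as comments for the next round of review without affecting matching.
    """
    lines = ["# generated from profile.log; most used patterns first"]
    for pattern, count in ranked:
        lines.append(f"# {count} hits")
        lines.append(pattern)
    return "\n".join(lines) + "\n"


def rebuild_patterns(profile_path: str, patterns_path: str) -> int:
    """Rewrite patterns_path from profile_path, keeping a .bak copy of the old file.

    Returns the number of patterns written.
    """
    with open(profile_path, encoding="utf-8") as fh:
        ranked = top_patterns(fh.read())
    if os.path.exists(patterns_path):
        shutil.copy2(patterns_path, patterns_path + ".bak")
    with open(patterns_path, "w", encoding="utf-8") as fh:
        fh.write(format_patterns(ranked))
    return len(ranked)


if __name__ == "__main__":
    for pattern, count in top_patterns(SAMPLE_PROFILE, limit=10):
        print(f"{count:7d} {pattern}")
```

A pattern that tops the profile is not automatically a good one: a hit count that looks too high for a single ad host usually means the expression is broader than intended, so review the ranked list before feeding it back as the live patterns file.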
Distributed under the GPLv2 license, see COPYING file for the full text.
2018-2021 (c) Vladi Belperchinov-Shabanski "Cade" <[email protected]> <[email protected]> <[email protected]> http://cade.noxrun.com/projects/immuse http://github.com/cade-vs/immuse