Regular expression to notify of abuse


fred
Posts: 1
Joined: Sun Jul 25, 2004 5:32 am


Postby fred » Sun Jul 25, 2004 5:49 am

I am in the process of creating a regular expression for ngrep (grep for networks, listening on the NIC) that will notify of k-lines, d-lines, kills and other signs of abuse so that the server administrator can take appropriate action. Here is my first attempt at something useful:

Code:

^quit.*[dk][-:]line|^quit.*kill

Yes, it is case insensitive. It will log any line that starts with quit and contains certain chosen words. As far as I understand, what happens when an operator kills a user is that he alters the user's QUIT message. What I am basically after is what all the raw strings notifying of abuse look like, whether it is the string that is sent when a user is killed or the string that notifies an innocent client connecting that his mask is blocked. I was hoping that someone here could help me. The goal is to create something useful that can be implemented to track down IRC-related abuse from users on a server.
munky
Site Admin
Posts: 826
Joined: Wed Jul 02, 2003 4:54 pm
Location: Phoenix AZ

Postby munky » Mon Jul 26, 2004 12:05 pm

on ratbox, it might look something like:

:irc.server NOTICE * :*** Notice -- oper!irc@irc.server{bots} added temporary 14400 min. D-Line for [1.1.1.1] [hacked bot]
:irc.server NOTICE * :*** Notice -- DLINE active for user[irc@1.1.1.1]
:irc.server NOTICE * :*** Notice -- Client exiting: user (irc@1.1.1.1) [Connection closed] [1.1.1.1]


though the actual quit message can be configured by the server to just say "connection closed" (or whatever), or actually say "dline for: ..."
In God we trust,
Everyone else must have an X.509 certificate.
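
Added example (not part of either post, and not ratbox code): a Python sketch that applies fred's QUIT pattern and also parses the three server notices munky quotes, so that an exit from a banned address is flagged even when the quit text is only "Connection closed". The function names, the K-Line assumption and the QUIT sample lines are constructed for illustration.

```python
import re

# fred's ngrep pattern from the first post, case-insensitive as he describes.
QUIT_RE = re.compile(r"^quit.*[dk][-:]line|^quit.*kill", re.IGNORECASE)

# Modelled on the ratbox notices quoted in the thread; K-Line layout is an assumption.
PREFIX = r"^:\S+ NOTICE \* :\*\*\* Notice -- "
NOTICE_RES = {
    "ban_added": re.compile(PREFIX + r"(?P<oper>\S+?)\{[^}]*\} added temporary "
        r"(?P<minutes>\d+) min\. [DK]-Line for \[(?P<ip>[^\]]+)\] \[(?P<reason>[^\]]*)\]"),
    "ban_active": re.compile(PREFIX + r"[DK]LINE active for "
        r"(?P<nick>[^\[\s]+)\[(?P<mask>[^\]]+)\]"),
    "client_exit": re.compile(PREFIX + r"Client exiting: (?P<nick>\S+) "
        r"\((?P<mask>[^)]+)\) \[(?P<quit>[^\]]*)\] \[(?P<ip>[^\]]+)\]"),
}

def classify(line):
    """Return an event dict for one raw IRC line, or None if nothing matches."""
    for event, rx in NOTICE_RES.items():
        m = rx.match(line)
        if m:
            return {"event": event, **m.groupdict()}
    if QUIT_RE.search(line):
        return {"event": "quit_keyword", "raw": line}
    return None

def banned_exits(lines):
    """Client exits from an address named in an earlier ban notice,
    whatever the quit text says (it may be just "Connection closed")."""
    banned, hits = set(), []
    for line in lines:
        ev = classify(line.rstrip("\r\n"))
        if ev is None:
            continue
        if ev["event"] == "ban_added":
            banned.add(ev["ip"])
        elif ev["event"] == "ban_active":
            banned.add(ev["mask"].rsplit("@", 1)[-1])
        elif ev["event"] == "client_exit" and ev["ip"] in banned:
            hits.append((ev["nick"], ev["ip"], ev["quit"]))
    return hits

# NOTICES are the three lines quoted in the thread; QUITS are constructed, not captured.
NOTICES = [
    ":irc.server NOTICE * :*** Notice -- oper!irc@irc.server{bots} added temporary 14400 min. D-Line for [1.1.1.1] [hacked bot]",
    ":irc.server NOTICE * :*** Notice -- DLINE active for user[irc@1.1.1.1]",
    ":irc.server NOTICE * :*** Notice -- Client exiting: user (irc@1.1.1.1) [Connection closed] [1.1.1.1]",
]
QUITS = ["QUIT :D-line active", "QUIT :Connection closed", "QUIT :off to kill some time"]
```

Calling banned_exits(NOTICES) returns the one exit tied to the D-Line, while classify() on the QUITS samples shows the keyword pattern missing a plain "Connection closed" and matching an ordinary quit message that happens to contain "kill".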
