$able

Introducing Server-side Event Logging/Blocking

RE: setpos.log

25:507 [11416,3316,54]

So I understand the second block is the coordinates. What are the XX:XX numbers?

x:y are entity IDs ...

I assume the entity ID in setpos.log is the same as the network ID referenced in $able's post:

92:4 is the network ID ([client ID]:[object ID])

It's still extremely easy to spawn weapons, magazines and items directly to your characters inventory... no BE bypass required.

The only thing that prevents it is the script restriction for activating 'Shift + P' (dedi server interface)

*side note* script restriction for activating 'Shift + P' can be a pain for ingame server admins.

So players will go to a server where this action isn't restricted, spawn themselves and mates full kits and move back to their regular server... oh and this is related to dayz but can be done on any ArmA BE protected server.

Players are DOSing servers with setdamage as well. Had a guy flood 1.000000 damage to an object/player last night to the point (7MB setdamage.log) that battleye could no longer deal with the setdamage.log and kept spewing something about not being able to access the event log.

Players are DOSing servers with setdamage as well. Had a guy flood 1.000000 damage to an object/player last night to the point (7MB setdamage.log) that battleye could no longer deal with the setdamage.log and kept spewing something about not being able to access the event log.

A solution for something like this will be provided soon.

It is still possible to mass spawn weapons in WeaponHolder and use addWeaponCargoGlobal / addMagazineCargoGlobal. No way to determine maintenance of a crate via createvehicle.log.

I must be doing something wrong here. Prepare for some stupidness...

I am using Mondkalb's Celle 2 Map which has some nice door opening candy, such as sliders. When a door is opened the following is called:

createvehiclelocal getpos _house;

This then generates a script restriction 21

Line 21:

5 createVehicle !"\"createVehicle\"," !"createVehicleLocal" !"createVehicle [\"WeaponHolder\", _iPos, [], _radius, \"CAN_COLLIDE\"" !"_fire = createVehicle [_classname, _location, [], 0, \"CAN_COLLIDE\"" !"_object = createVehicle [_classname, _location, [], 0, \"CAN_COLLIDE\"" !"if (_height < 100) then {\n_bolt = createVehicle [\"BoltSteelF\", _endPos, [], 0, \"CAN_COLLIDE\"];\n_bolt setPosATL _endPos;" !"_tent = createVehicle [\"TentStorage\", _location, [], 0, \"CAN_COLLIDE\"];\n_tent setdir _dir;" !"if ((random _int)>2.2) then\n{\n_b=\"SmallSecondary\" createvehicle (getpos _v);\n};" !"exitwith {};\n_b=\"SmallSecondary\" createvehicle (_v modelToWorld _effect2pos);\n} foreach (_list);" !"_bag = createVehicle [format[\"WeaponHolder_%1\",_item],getPosATL player,[], 0, \"CAN_COLLIDE\"];\n_bag setdir (getDir player);" !"_bag = createVehicle [\"WeaponHolder_ItemTent\",_pos,[], 0, \"CAN_COLLIDE\"];\n_bag setdir _dir;\nplayer reveal _bag;" !"_object =  _type createVehicleLocal _position;\n_object setPos _position;\n_object setDir _dir;\n_object allowDamage false;"

Changing the value to 1, still results in the player being kicked (Script Restriction #21), instead of just logged.

Commenting out the line (//) moves up to the next line 20, which seems to have nothing similar syntax wise:

5 createTarget !"\"createTarget\","

So I try to change that to '1', but still kicked.

Comment out this line and the next line kicks:

5 createMine !"\"createMine\","

Is there any way you can whitelist a command?

For example an entry such as the following is allowed:

createvehiclelocal getpos _house;

A typical createvehicle.log entry looks like this:

12.08.2012 14:20:26: SomePlayer (95.7.111.10:2304) d3dcf429c679f9af82eb9a3b31c4df44 - #0 "MedBox0" 92:4 [-18594,25833,369]

#0 is the number of the filter/restriction in createvehicle.txt, usually line number - 1, "MedBox0" is the type of the vehicle/unit being created, 92:4 is the network ID ([client ID]:[object ID]) and [-18594,25833,369] is the spawn position.

How would I go about interpreting the spawn position of a createvehicle event, like the [-18594,25833,369] in the example given above? I assume the three numbers are x, y and z coordinates, but I can't for the life of me figure out how they map to in-game GPS-positions. This would really help in forensics when trying to investigate alleged cheating. Help?

player setPos [-18594, 25833, 369];

You will be teleported to that position.

Coordinates: [x, z, y]

y - your altitude above sea level.

BE Server v1.165 adds the following new commands (you can specify them via BEServer.cfg / BE RCon):

- MaxCreateVehiclePerInterval [count] [interval in seconds]

- MaxSetPosPerInterval [count] [interval in seconds]

- MaxSetDamagePerInterval [count] [interval in seconds]

You can show the current values by entering the commands without arguments via RCon. The second argument is optional, i.e. it isn't changed if it isn't used. [count] = -1 disables the checking, [count] = 0 causes a single occurrence to be kicked for.

Note that these commands might only exist temporarily, as filter-specific rules will likely be added soon.

Additionally it is now also possible to specify filters in the known format in setdamage.txt, e.g. "5 1.000000" to cause all occurrences of this value (almost always related to cheats) to be logged and kicked for.

Edited by $able

BE Server v1.165 adds the following new commands (you can specify them via BEServer.cfg / BE RCon):

- MaxSetDamageVehiclePerInterval [count] [interval in seconds]

MaxSetDamageVehiclePerInterval doesn't appear to work:

MaxCreateVehiclePerInterval
> 13:35:31   MaxCreateVehiclePerInterval
< 13:35:31   -1/0s
MaxSetPosPerInterval
> 13:35:42   MaxSetPosPerInterval
< 13:35:42   -1/0s
MaxSetDamageVehiclePerInterval
> 13:35:50   MaxSetDamageVehiclePerInterval
< 13:35:50   Unknown command

Did you mean MaxSetDamagePerInterval ? :)

MaxSetDamageVehiclePerInterval doesn't appear to work:

MaxCreateVehiclePerInterval
> 13:35:31   MaxCreateVehiclePerInterval
< 13:35:31   -1/0s
MaxSetPosPerInterval
> 13:35:42   MaxSetPosPerInterval
< 13:35:42   -1/0s
MaxSetDamageVehiclePerInterval
> 13:35:50   MaxSetDamageVehiclePerInterval
< 13:35:50   Unknown command

Did you mean MaxSetDamagePerInterval ? :)

Yes, thanks, corrected.

What are the rest of you using for starting values?

DCBL already is kicking for any setdamage 1.000000 so maxsetdamageperinterval is really just for flooding non-1.000000 protection, and once every second is plenty for those.

maxsetposperinterval. I've gone through my logs looking for innocent entries and it looks like 1 every 9s should be sufficient.

For maxcreatevehicleperinterval I don't see how it can really be used because of heli explosions. actually looking closer basically anything more than 3 per second should be fine at a minimum and I think 4 per second is safe.

So for now I guess I'm starting with

MaxCreateVehiclePerInterval 4 1 .... strike that one. 4 1 randomly kicks people on login. guessing their clients call several of them very quickly on login.

MaxSetPosPerInterval 1 9

MaxSetDamagePerInterval 1 1 ... ended up going with 2 1 instead.

This is all using 1 second intervals. I think that stuff like MaxCreateVehiclePerInterval might be better suited for checking a larger interval. Dunno.

Edited by Hohlraum

Thanks $able :bounce3: Keep up!

Nice work Sabre.

Would it affect performance much to use high or low intervals, so the checks are run less frequently?

Option 1:

MaxSetPosPerInterval 1 10

(max of 1 per 10 seconds, resets after 10 seconds)

Option 2:

MaxSetPosPerInterval 6 60

(max of 6 per minute, resets after 1 minute)

Is it opening the .log files each time it runs this check (or continually keeping it open) and thus would it now affect server performance (more than usual) if you don't cycle your log files often and have large files?

Hey $able can we get a screenshot function? It would be relatively easy to write considering all you vaguely need to do is take a screenshot on the client, upload it to battleye/screenshots folder with the name of the client+datestamp as the filename. It would help admins see if somebody is using hacks.

Hey $able can we get a screenshot function? It would be relatively easy to write considering all you vaguely need to do is take a screenshot on the client, upload it to battleye/screenshots folder with the name of the client+datestamp as the filename. It would help admins see if somebody is using hacks.

I doubt it's "easy" to write. It would really need to be secure, cause hackers can bypass PunkBuster's screenshot features!

Edited by TSAndrey

Can anyone confirm if they are using these new Max PerInterval commands?

I tried using them on a DayZ server, but after a few players were kicked for exceeding the intervals, innocent players were also getting kicked. When I looked in the log files, they had not exceeded their maximum set.

So I would have "MaxCreateVehiclePerInterval 10 30" for example. Someone would hack in lots of HE rounds and get kicked. Then I would notice later a few other players were getting kicked for exceeding MaxCreateVehiclePerInterval, but when I look in the "createvehicle.log" they are not there (or only have 1 or 2 "bearTraps" or something). It's like it would not reset the interval counters properly, and it would also get players confused. Not everyone would get kicked by the server, but about 50% were.

Can anyone confirm if they are using these new Max PerInterval commands?

I tried using them on a DayZ server, but after a few players were kicked for exceeding the intervals, innocent players were also getting kicked. When I looked in the log files, they had not exceeded their maximum set.

So I would have "MaxCreateVehiclePerInterval 10 30" for example. Someone would hack in lots of HE rounds and get kicked. Then I would notice later a few other players were getting kicked for exceeding MaxCreateVehiclePerInterval, but when I look in the "createvehicle.log" they are not there (or only have 1 or 2 "bearTraps" or something). It's like it would not reset the interval counters properly, and it would also get players confused. Not everyone would get kicked by the server, but about 50% were.

I wouldn't bother with MaxCreateVehiclePerInterval. When a player logs into the game they will get kicked if you use it depending where they are in game. Just use dayz anti-hax to deal with createvehicle stuff.

The set damage stuff isn't working. Just had someone flood 1.000000 over 2400 in 5 seconds.

setdamage.txt:

1 ""

5 "1.000000"

beserver.cfg:

MaxSetPosPerInterval 1 9

MaxSetDamagePerInterval 2 1

Confirmed via BERCon:

MaxSetDamagePerInterval

2/1s

He should have been booted instantly for the setdamage or he should have been booted for flooding. Neither did squat. Ideas?

Edited by Hohlraum

Can anyone confirm if they are using these new Max PerInterval commands?

I tried using them on a DayZ server, but after a few players were kicked for exceeding the intervals, innocent players were also getting kicked. When I looked in the log files, they had not exceeded their maximum set.

So I would have "MaxCreateVehiclePerInterval 10 30" for example. Someone would hack in lots of HE rounds and get kicked. Then I would notice later a few other players were getting kicked for exceeding MaxCreateVehiclePerInterval, but when I look in the "createvehicle.log" they are not there (or only have 1 or 2 "bearTraps" or something). It's like it would not reset the interval counters properly, and it would also get players confused. Not everyone would get kicked by the server, but about 50% were.

That's probably because even those vehicles that are filtered out are counted.

I suggest everyone first generate some complete logs (using "1 """) and analyze them before setting any maximum values.

---------- Post added at 12:21 ---------- Previous post was at 12:15 ----------

The set damage stuff isn't working. Just had someone flood 1.000000 over 2400 in 5 seconds.

setdamage.txt:

1 ""

5 "1.000000"

beserver.cfg:

MaxSetPosPerInterval 1 9

MaxSetDamagePerInterval 2 1

Confirmed via BERCon:

MaxSetDamagePerInterval

2/1s

He should have been booted instantly for the setdamage or he should have been booted for flooding. Neither did squat. Ideas?

Are you sure he wasn't kicked afterwards? Due to the internal architecture the kicking takes until the next main server frame and therefore all events before that are still logged (I might change that in the future). They are still blocked according to your rules though.

---------- Post added at 12:51 ---------- Previous post was at 12:21 ----------

Nice work Sabre.

Would it affect performance much to use high or low intervals, so the checks are run less frequently?

Option 1:

MaxSetPosPerInterval 1 10

(max of 1 per 10 seconds, resets after 10 seconds)

Option 2:

MaxSetPosPerInterval 6 60

(max of 6 per minute, resets after 1 minute)

Is it opening the .log files each time it runs this check (or continually keeping it open) and thus would it now affect server performance (more than usual) if you don't cycle your log files often and have large files?

No, don't worry, those are just internal counters. The .log files aren't opened for this. You can use these settings without logging anything as well.
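
An added example (not from any poster in this thread and not BattlEye code): a Python parser for the createvehicle.log layout quoted earlier that reports each GUID's peak event count inside any window of N seconds, as a way to analyze complete logs before choosing a Max...PerInterval count. The sliding-window counting, the DD.MM.YYYY date order and the function names are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout as in the createvehicle.log entry quoted in this thread:
# date time: name (ip:port) guid - #filter "type" client:object [x,y,z]
ENTRY = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (?P<name>.+) '
    r'\((?P<ip>[\d.]+):(?P<port>\d+)\) (?P<guid>[0-9a-f]{32}) - '
    r'#(?P<filter>\d+) "(?P<type>[^"]*)" (?P<netid>\d+:\d+) '
    r'\[(?P<pos>-?\d+,-?\d+,-?\d+)\]$'
)

def parse_entry(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    # Assumption: the date is written DD.MM.YYYY.
    e["ts"] = datetime.strptime(e["ts"], "%d.%m.%Y %H:%M:%S")
    e["filter"] = int(e["filter"])
    e["pos"] = tuple(int(v) for v in e["pos"].split(","))
    return e

def peak_per_interval(lines, interval_s):
    """Per GUID, the most events seen inside any window of interval_s seconds."""
    times = defaultdict(list)
    for line in lines:
        e = parse_entry(line)
        if e is not None:
            times[e["guid"]].append(e["ts"])
    peaks = {}
    for guid, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):
            # Drop events that fall outside the window ending at ts[end].
            while (ts[end] - ts[start]).total_seconds() >= interval_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[guid] = best
    return peaks

# Constructed sample lines (documentation IP, placeholder GUIDs).
G1, G2 = "0" * 31 + "1", "0" * 31 + "2"
FMT = '12.08.2012 {t}: {n} (192.0.2.10:2304) {g} - #0 "{v}" 92:{o} [-18594,25833,369]'
SAMPLE = [
    FMT.format(t="14:20:26", n="Player One", g=G1, v="MedBox0", o=4),
    FMT.format(t="14:20:26", n="Player One", g=G1, v="MedBox0", o=5),
    FMT.format(t="14:20:27", n="Player One", g=G1, v="MedBox0", o=6),
    FMT.format(t="14:20:40", n="Player One", g=G1, v="MedBox0", o=7),
    FMT.format(t="14:21:00", n="Two (alt)", g=G2, v="TentStorage", o=1),
    "not a log entry",
]
```

Because filtered-out vehicles are counted as well, the input should be a complete log generated with the `1 ""` filter; a sliding-window peak is never lower than a fixed-window count, so it errs on the side of a higher limit.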

Are you sure he wasn't kicked afterwards? Due to the internal architecture the kicking takes until the next main server frame and therefore all events before that are still logged (I might change that in the future). They are still blocked according to your rules though.

The player was not kicked until he was banned and that job only runs every 15 seconds. I've reviewed EVERY set damage ban (since implementing the new interval and 5 "1.000000") and not a single one of them was kicked before they were banned and it was always several seconds later. It seems unlikely that DAH would always be able to beat battleye with a banning vs. a kick. Every other .txt kick seems to be instant.

Edited by Hohlraum

That's probably because even those vehicles that are filtered out are counted.

I suggest everyone first generate some complete logs (using "1 """) and analyze them before setting any maximum values.

If that's the case, may I suggest you change this in the next update?

"MaxCreateVehiclePerInterval" should only count items that are marked for logging in "CreateVehicles.txt".

createvehicles.txt:

5 "TKLaunchers_EP1"
1 "_HE" !"z_soldier_heavy" //!"G_40mm_HE" //keep monitoring to catch obvious abuse
1 "HE_" //keep monitoring to catch obvious abuse
1 "M_" !"G_40mm_HE" //!"40mm_" //keep monitoring to catch obvious abuse
//!"TentStorage"

If someone spawns in a TKLaunchers ammo box in DayZ, they are kicked (I'd prefer if I could auto-ban them). I want to allow players to spawn a few "HE" grenades though, but too many I want them kicked. (I've seen hackers spawn 50 in a few seconds). TentStorage is not logged because if someone fills up their tent I don't want them kicked for it, so it should not count towards the "MaxCreateVehiclePerInterval".

Make sense?

If that's the case, may I suggest you change this in the next update?

"MaxCreateVehiclePerInterval" should only count items that are marked for logging in "CreateVehicles.txt".

createvehicles.txt:

5 "TKLaunchers_EP1"
1 "_HE" !"z_soldier_heavy" //!"G_40mm_HE" //keep monitoring to catch obvious abuse
1 "HE_" //keep monitoring to catch obvious abuse
1 "M_" !"G_40mm_HE" //!"40mm_" //keep monitoring to catch obvious abuse
//!"TentStorage"

If someone spawns in a TKLaunchers ammo box in DayZ, they are kicked (I'd prefer if I could auto-ban them). I want to allow players to spawn a few "HE" grenades though, but too many I want them kicked. (I've seen hackers spawn 50 in a few seconds). TentStorage is not logged because if someone fills up their tent I don't want them kicked for it, so it should not count towards the "MaxCreateVehiclePerInterval".

Make sense?

You might have missed the following note in my initial post:

Note that these commands might only exist temporarily, as filter-specific rules will likely be added soon.

Those commands are intended for flood protection, i.e. preventing hackers from crippling a server with too many commands/events. Therefore it makes no sense to filter out a certain vehicle type here.
