As an administrator for multiple servers, I run AMaViS (A Mail Virus Scanner) with F-Prot Antivirus for Linux Workstations (the edition for home users) to filter viruses from my users' mail.
Lately I've been getting 30 mails a day with (mainly W32/Netsky.B@mm) notices, so I decided to write a log parser and turn the email notifications off. It reads the amavis.log (be sure to turn syslog off) AND the saved email part.
Below is the code. It works out of the box with f-prot, but should be fairly easy to adapt to other scanners. The output currently looks like this:
At 8 Mar 11:51:45 f-prot detected a virus
found in /var/amavis/amavis-11543378/parts/msg-6011-2.pif
Name virus: W32/Netsky.B@mm
Message saved as: /var/virusmails/virus-20040308-115145-6011
to: myadres@mydomain.nl
from: somemoronthatusesoutlook@hisdomain.com
subject: hello
Virus Mailserver: node-c-6dbe.a2000.nl
ipadres server: 62.194.109.190
-----------------------
Small update:
Included clamav as a scanner (thanks juerd).
Further code cleanups might follow when I have the time ;). To add the scanner in Limbic~Region's code rewrite, add:

```perl
if ( $line =~ /FOUND/ ) { ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 1 ]; }
```
```perl
#!/usr/bin/perl
#
# Descr: An amavis logfile/virusmail parser
#        when using f-prot for linux, home edition or clamav
#        should be pretty easy to adapt to others
#
# $Id: vircount v 0.02 2003/03/08 1:12:24 teabag Exp $

use strict;
use warnings;

# config
my $logfile  = "/var/amavis/amavis.log";
my $fprotdir = "/var/virusmails";    # amavis quarantine directory
my $virprog  = "f-prot";             # or clamav
# end config

my ( $loc, $vir, $file, $time, $month, $day, $date,
     $sserv2, $senderserv, $from, $to, $subject );
my $div = "-----------------------\n";

# amavis has to write this file itself (syslog off), one event per line
open( my $logfh, '<', $logfile ) or die "Error opening local log file: $!";
my @logbuffer = <$logfh>;
close($logfh) or die "Error closing local log file: $!";

# The field positions below are those of the f-prot, clamav and amavis
# lines this setup writes; other scanners will need other indices.
foreach my $line (@logbuffer) {
    if ( $line =~ /Infection:/ ) {    # f-prot: path in field 0, name in field 3
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 3 ];
    }
    if ( $line =~ /FOUND/ ) {         # clamav: path in field 0, name in field 1
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 1 ];
    }
    if ( $line =~ /quarantined/ ) {   # amavis: date fields first, saved file last
        ( $month, $day, $time, $file ) = ( split( / /, $line ) )[ 0, 2, 3, 12 ];
        chomp( $time, $file, $loc, $vir, $month, $day );
        $date = "$day $month $time";
        print "At $date $virprog detected a virus\nfound in $loc\n";
        print "Name virus: $vir\nMessage saved as: $fprotdir/$file\n";
        checkwhosi();
    }
}
unless ( defined $vir ) {
    print "no viruses received\n";
    exit;
}

# Read the quarantined message and report where it came from.  Only the
# header block is examined: parsing stops at the first blank line, so a
# "From:" or "Subject:" inside the body is never mistaken for a header.
sub checkwhosi {
    open( my $virfh, '<', "$fprotdir/$file" )
        or die "Error opening viral log file: $!";
    my @logbuffer2 = <$virfh>;
    close($virfh) or die "Error closing viral log file: $!";

    # reset per message so a missing header does not show the previous one
    ( $senderserv, $sserv2, $from, $to, $subject ) = ('') x 5;

    foreach my $line2 (@logbuffer2) {
        chomp $line2;
        last if $line2 =~ /^\s*$/;    # end of headers

        # every Received: overwrites the previous one, so the bottom-most
        # hop (the machine that first handed the message on) is reported
        if ( $line2 =~ /^Received:\s+from\s+(\S+)(?:.*?\[([\d.]+)\])?/ ) {
            $senderserv = $1;
            $sserv2     = $2 if defined $2;
        }
        $from    = $1 if $line2 =~ /^From:\s*(.*)/;
        $to      = $1 if $line2 =~ /^To:\s*(.*)/;
        $subject = $1 if $line2 =~ /^Subject:\s*(.*)/;
    }
    print "to: $to\nfrom: $from\nsubject: $subject\n";
    print "Virus Mailserver: $senderserv\nipadres server: $sserv2\n";
    print $div;
}
```
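Added example (not code from the original post, nor from amavis, f-prot or clamav): the header walk that checkwhosi above does by field position, done over a constructed quarantined message. It unfolds continuation lines (a Received: header is routinely folded, and a line-by-line match loses the half with the IP), stops at the blank line that ends the headers, and keeps apart the one Received: header the local MTA wrote, the top one, which records the IP that actually connected, from the bottom-most hop, which, like From:, To: and Subject:, travelled inside the message and is whatever the sender chose to write. Netsky and its relatives forge the From: address, so the "from" the script prints is not the infected machine's owner; the top Received: is the only origin data the receiving side vouches for. The message text, host names and addresses are made up, and 192.0.2.77 is a documentation address.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of a quarantined message (not a real capture).
# Both Received: headers are folded over several lines, as MTAs write them.
# The "From:" after the blank line is body text and must be ignored.
my $sample = <<'END';
Received: from node-c-6dbe.a2000.nl (node-c-6dbe.a2000.nl [62.194.109.190])
    by mx.mydomain.nl (Postfix) with ESMTP id 7A1B2C
    for <myadres@mydomain.nl>; Mon,  8 Mar 2004 11:51:45 +0100 (CET)
Received: from forged.example.org (unknown [192.0.2.77])
    by node-c-6dbe.a2000.nl with SMTP; Mon, 8 Mar 2004 11:51:40 +0100
From: somemoronthatusesoutlook@hisdomain.com
To: myadres@mydomain.nl
Subject: hello
Content-Type: multipart/mixed; boundary="xyz"

--xyz
From: this line is in the body and must be ignored
END

# Split a raw message into logical header fields (RFC 2822 unfolding).
# Returns [name, value] pairs in message order, names lower-cased; stops
# at the blank line so nothing in the body is ever treated as a header.
sub parse_headers {
    my ($msg) = @_;
    my @fields;
    for my $line ( split /\n/, $msg ) {
        last if $line =~ /^\s*$/;                 # end of header block
        if ( $line =~ /^[ \t]/ && @fields ) {     # continuation of previous field
            ( my $cont = $line ) =~ s/^\s+//;
            $fields[-1][1] .= " $cont";
            next;
        }
        if ( $line =~ /^([\w-]+):\s*(.*)$/ ) {
            push @fields, [ lc($1), $2 ];
        }
    }
    return @fields;
}

# Pull the announced host name and the bracketed address out of one
# unfolded Received: value.  Either is undef if the relay omitted it.
sub relay_from_received {
    my ($value) = @_;
    my ($host) = $value =~ /^from\s+(\S+)/;
    my ($ip)   = $value =~ /\[([0-9.]+|IPv6:[0-9a-fA-F:.]+)\]/;
    return ( $host, $ip );
}

# Summarise who sent a quarantined message.  Each relay prepends its own
# Received: header, so $received[0] was written by the local MTA and
# records the peer that connected to it; $received[-1] is the bottom-most
# hop, which arrived inside the message and is as forgeable as From:.
sub summarise {
    my ($msg) = @_;
    my @fields   = parse_headers($msg);
    my @received = map { $_->[1] } grep { $_->[0] eq 'received' } @fields;

    # first occurrence of From:/To:/Subject: wins (reverse, then overwrite)
    my %first = map { $_->[0] => $_->[1] }
                grep { $_->[0] =~ /^(?:from|to|subject)$/ } reverse @fields;

    my ( $trusted_host, $trusted_ip ) = @received ? relay_from_received( $received[0] )  : ();
    my ( $claimed_host, $claimed_ip ) = @received ? relay_from_received( $received[-1] ) : ();

    return {
        from         => $first{from},
        to           => $first{to},
        subject      => $first{subject},
        trusted_host => $trusted_host,    # as seen by our own MTA
        trusted_ip   => $trusted_ip,
        claimed_host => $claimed_host,    # bottom-most hop, unverifiable
        claimed_ip   => $claimed_ip,
        hops         => scalar @received,
    };
}

my $r = summarise($sample);
for my $k (qw(from to subject trusted_host trusted_ip claimed_host claimed_ip hops)) {
    printf "%-13s %s\n", "$k:", defined $r->{$k} ? $r->{$k} : '-';
}
```

Run it as-is to see the two relay pairs side by side; to use it on a real quarantine file, slurp the file into $sample instead of the heredoc. For abuse reports the trusted_ip is the value worth sending to the network owner; the claimed_* pair and the From: address are only useful as an indication of what the worm wanted you to believe.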
Replies:

Re: amavis logfile/viruspart parser
by Limbic~Region (Chancellor) on Mar 08, 2004 at 15:49 UTC

Re: amavis logfile/viruspart parser
by Juerd (Abbot) on Mar 08, 2004 at 14:03 UTC
Back to Cool Uses for Perl