As an administrator for multiple servers, I run
AMaViS - A Mail Virus Scanner with
F-Prot Antivirus for Linux Workstations - for home users, to filter viri from my users' mail.
Lately I've been getting 30 mails a day with (mainly W32/Netsky.B@mm) notices, so I decided I'd write a logparser and turn the email notifications off. It reads the amavis.log (be sure to turn syslog off) AND the saved email part.
Below is the code; it works out of the box with f-prot, but should be fairly easy to change for other scanners. Output is currently like this:
At 8 Mar 11:51:45 f-prot detected a virus
found in /var/amavis/amavis-11543378/parts/msg-6011-2.pif
Name virus: W32/Netsky.B@mm
Message saved as: /var/virusmails/virus-20040308-115145-6011
to: myadres@mydomain.nl
from: somemoronthatusesoutlook@hisdomain.com
subject: hello
Virus Mailserver: node-c-6dbe.a2000.nl
ipadres server: 62.194.109.190
-----------------------
Small update:
Included clamav as a scanner (thanks juerd).
Further code cleanups might follow when I have the time ;).
To add the scanner in Limbic~Region's code rewrite, add:
    if ( $line =~ /FOUND/ ) {
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 1 ];
    }
#!/usr/bin/perl
#
# Descr: An amavis logfile/virusmail parser
# when using f-prot for linux, home edition or clamav
# should be pretty easy to fix with others
#
# $Id: vircount v 0.02 2003/03/08 1:12:24 teabag Exp $
use strict;
use warnings;

# config
my $logfile  = "/var/amavis/amavis.log";
my $fprotdir = "/var/virusmails";
my $virprog  = "f-prot";    # or clamav
# end config

my $div = "-----------------------\n";
my ( $loc, $vir, $file ) = ( '', '', '' );

open( my $logfh, '<', $logfile )
    or die "Error opening local log file: $!";
my @logbuffer = <$logfh>;
close($logfh) or die "Error closing local log file: $!";

foreach my $line (@logbuffer) {
    # f-prot report line: "<path>  Infection: <name>" (two spaces before Infection:)
    if ( $line =~ /Infection:/ ) {
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 3 ];
    }
    # clamav report line: "<path>: <name> FOUND"
    if ( $line =~ /FOUND/ ) {
        ( $loc, $vir ) = ( split( / /, $line ) )[ 0, 1 ];
        $loc =~ s/:$//;    # clamav leaves a colon after the path
    }
    # amavis line: "<month>  <day> <time> ... quarantined ... <file>"
    if ( $line =~ /quarantined/ ) {
        my ( $month, $day, $time );
        ( $month, $day, $time, $file ) = ( split( / /, $line ) )[ 0, 2, 3, 12 ];
        chomp( $time, $file, $loc, $vir, $month, $day );
        my $date = "$day $month $time";
        print "At $date $virprog detected a virus\nfound in $loc\n";
        print "Name virus: $vir\nMessage saved as: $fprotdir/$file\n";
        checkwhosi("$fprotdir/$file");
    }
}

if ( $vir eq "" ) {
    print "no viri received\n";
    exit;
}

# Pull sender, recipient, subject and the handing-over relay from the
# headers of the quarantined message.
sub checkwhosi {
    my ($virfile) = @_;
    my ( $senderserv, $sserv2, $from, $to, $subject ) = ('') x 5;

    open( my $virfh, '<', $virfile )
        or die "Error opening viral log file: $!";
    my @logbuffer2 = <$virfh>;
    close($virfh) or die "Error closing viral log file: $!";

    foreach my $line2 (@logbuffer2) {
        chomp $line2;
        last if $line2 eq '';    # first blank line ends the headers; skip the body
        # the last Received: line seen is the one added closest to the sender
        if ( $line2 =~ /^Received:/ ) {
            ( $senderserv, $sserv2 ) = ( split( / /, $line2 ) )[ 2, 3 ];
            $_ //= '' for $senderserv, $sserv2;
            $sserv2 =~ s/[\[\]\(]//g;    # strip [ ] ( around the address
        }
        # anchor on the header name so In-Reply-To: is not taken for To:,
        # and keep the whole value rather than only its first word
        if    ( $line2 =~ /^From:\s*(.*)/ )    { $from    = $1 }
        elsif ( $line2 =~ /^To:\s*(.*)/ )      { $to      = $1 }
        elsif ( $line2 =~ /^Subject:\s*(.*)/ ) { $subject = $1 }
    }
    print "to: $to\nfrom: $from\nsubject: $subject\n";
    print "Virus Mailserver: $senderserv\nipadres server: $sserv2\n";
    print $div;
}
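As an added example (not the poster's script above, and not code from the AMaViS, F-Prot or ClamAV projects), here is the same idea done with pattern matches instead of fixed split() indices: it recognises both scanner report formats the post mentions (f-prot's "Infection:" line and clamav's "FOUND" line), reads the saved message's header block with folded continuation lines unfolded, stops at the first blank line so body text can never be mistaken for a From:/To:/Subject: header, and takes the relay and its bracketed IP from the bottom-most Received: header. The mail and the scanner lines are constructed sample input; the amavis "quarantined" line is not parsed here, only the scanner output and the saved message.

```perl
#!/usr/bin/perl
# Added example, not the original poster's script. All sample input below is
# constructed; only the f-prot and clamav report line formats are assumed.
use strict;
use warnings;

# One scanner report line from amavis.log.
#   f-prot: "<path>  Infection: <name>"   (two spaces before Infection:)
#   clamav: "<path>: <name> FOUND"
# Returns (path, virus name), or an empty list for any other line.
sub parse_scanner_line {
    my ($line) = @_;
    chomp $line;
    return ( $1, $2 ) if $line =~ /^(\S.*?)\s+Infection:\s+(\S+)/;
    return ( $1, $2 ) if $line =~ /^(.+?):\s+(\S+)\s+FOUND\s*$/;
    return;
}

# Header block of a saved message: unfold continuation lines and keep
# [name, value] pairs in order. Stops at the first blank line so the body
# can never satisfy a From:/To:/Subject: match.
sub parse_headers {
    my ($text) = @_;
    my @headers;
    for my $line ( split /\n/, $text ) {
        $line =~ s/\r$//;
        last if $line eq '';
        if ( $line =~ /^[ \t]+(.*)$/ && @headers ) {
            $headers[-1][1] .= " $1";    # folded continuation line
        }
        elsif ( $line =~ /^([\w-]+):[ \t]*(.*)$/ ) {
            push @headers, [ lc $1, $2 ];
        }
    }
    return @headers;
}

sub first_header {
    my ( $name, @headers ) = @_;
    my ($h) = grep { $_->[0] eq lc $name } @headers;
    return $h ? $h->[1] : '';
}

# The relay that handed the message over is described by the bottom-most
# Received: header. Returns (claimed host, bracketed IP). Only the [IP]
# written by your own MTA is trustworthy; the host name is sender-supplied.
sub originating_relay {
    my (@headers) = @_;
    my @received = map { $_->[1] } grep { $_->[0] eq 'received' } @headers;
    return ( '', '' ) unless @received;
    my ($host) = $received[-1] =~ /^from\s+(\S+)/;
    my ($ip)   = $received[-1] =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/;
    return ( $host // '', $ip // '' );
}

# Constructed sample message (not a real quarantined mail).
my $sample_mail = <<'MAIL';
Received: from mx.mydomain.nl (mx.mydomain.nl [192.0.2.10])
    by mail.mydomain.nl with ESMTP; Mon, 8 Mar 2004 11:51:45 +0100
Received: from node-c-6dbe.a2000.nl (node-c-6dbe.a2000.nl [62.194.109.190])
    by mx.mydomain.nl with SMTP; Mon, 8 Mar 2004 11:51:40 +0100
From: somemoronthatusesoutlook@hisdomain.com
To: myadres@mydomain.nl
In-Reply-To: <irrelevant@hisdomain.com>
Subject: hello
    there
Content-Type: text/plain

From: this is body text and must be ignored
MAIL

# Constructed scanner lines: one f-prot hit, one clamav hit, one miss.
my @scanner_lines = (
    "/var/amavis/amavis-11543378/parts/msg-6011-2.pif  Infection: W32/Netsky.B@mm\n",
    "/var/amavis/amavis-11543378/parts/msg-6011-2.pif: W32/Netsky.B@mm FOUND\n",
    "Some unrelated log line\n",
);

for my $line (@scanner_lines) {
    my ( $loc, $vir ) = parse_scanner_line($line);
    if ( !defined $vir ) { print "not a scanner hit: $line"; next }
    my @h = parse_headers($sample_mail);
    my ( $relay, $ip ) = originating_relay(@h);
    print "found in $loc\nName virus: $vir\n";
    print "to: ",      first_header( 'To',      @h ), "\n";
    print "from: ",    first_header( 'From',    @h ), "\n";
    print "subject: ", first_header( 'Subject', @h ), "\n";
    print "Virus Mailserver: $relay\nipadres server: $ip\n";
    print "-----------------------\n";
}
```

For the constructed message this prints the subject as "hello there" (the folded second line joined on), "node-c-6dbe.a2000.nl" and "62.194.109.190" from the bottom Received: header, and ignores both the In-Reply-To: header and the "From:" line in the body. Keep in mind that every Received: header below the one your own MTA added was written by the other side, so the host and IP it names are only as reliable as the relay that recorded them.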