PerlMonks  

amavis logfile/viruspart parser

by teabag (Pilgrim)
on Mar 08, 2004 at 13:59 UTC [id://334809]

As an administrator for multiple servers, I run AMaViS - A Mail Virus Scanner with F-Prot Antivirus for Linux Workstations - for home users, to filter viri from my users' mail.

Lately I've been getting 30 mails a day with (mainly W32/Netsky.B@mm) notices, so I decided I'd write a log parser and put the email notifications off. It reads the amavis.log (be sure to turn syslog off) AND the saved email-part.

Below is the code, it works out of the box with f-prot, but should be fairly easy to change to other scanners. Output is currently like this:

At 8 Mar 11:51:45 f-prot detected a virus
found in /var/amavis/amavis-11543378/parts/msg-6011-2.pif
Name virus: W32/Netsky.B@mm
Message saved as: /var/virusmails/virus-20040308-115145-6011
to: myadres@mydomain.nl
from: somemoronthatusesoutlook@hisdomain.com
subject: hello
Virus Mailserver: node-c-6dbe.a2000.nl
ipadres server: 62.194.109.190
-----------------------

Small update:

Included clamav as a scanner (thanks juerd).

Further code cleanups might follow when I have the time ;). To add the scanner to Limbic~Region's code rewrite, add:

if ( $line =~ /FOUND/ ) { ($loc, $vir) = ( split( / /, $line ) )[0, 1]; }

#!/usr/bin/perl -W
#
# Descr: An amavis logfile/virusmail parser
#        when using f-prot for linux, home edition or clamav
#        should be pretty easy to fix with others
#
# $Id: vircount v 0.02 2003/03/08 1:12:24 teabag Exp $

use strict;

# config
my $logfile  = "/var/amavis/amavis.log";
my $fprotdir = "/var/virusmails";
my $virprog  = "f-prot";    # or clamav
# end config

my ( @logbuffer, @logbuffer2, $loc, $vir, $file, $time, $month, $day,
     $date, $sserv2, $senderserv, $from, $to, $subject );
my $div = "-----------------------\n";

open( LOGFILE, "<$logfile" ) || die "Error opening local log file: $!";
@logbuffer = <LOGFILE>;
close(LOGFILE) || die "Error closing local log file: $!";

foreach my $line (@logbuffer) {
    # f-prot output: "<part file>  Infection: <virus name>"
    if ( $line =~ /Infection:/ ) {
        $loc = ( split( / /, $line ) )[0];
        $vir = ( split( / /, $line ) )[3];
    }
    # clamav output: "<part file>: <virus name> FOUND"
    if ( $line =~ /FOUND/ ) {
        $loc = ( split( / /, $line ) )[0];
        $vir = ( split( / /, $line ) )[1];
    }
    # amavis line that records where the message was quarantined
    if ( $line =~ /quarantined/ ) {
        $file  = ( split( / /, $line ) )[12];
        $time  = ( split( / /, $line ) )[3];
        $month = ( split( / /, $line ) )[0];
        $day   = ( split( / /, $line ) )[2];
        chomp( $time, $file, $loc, $vir, $month, $day );
        $date = "$day $month $time";
        print "At $date $virprog detected a virus\nfound in $loc\n";
        print "Name virus: $vir\nMessage saved as: $fprotdir/$file\n";
        &checkwhosi();
    }
}

# $vir is never set when the log holds no detection at all
if ( !defined $vir || $vir eq "" ) {
    print "no viri received\n";
    exit;
}

# read the quarantined message and report sender, recipient and relay
sub checkwhosi {
    open( VIRFILE, "<$fprotdir/$file" )
      || die "Error opening viral log file: $!";
    @logbuffer2 = <VIRFILE>;
    close(VIRFILE) || die "Error closing viral log file: $!";

    foreach my $line2 (@logbuffer2) {
        # every Received: line overwrites the previous one, so the
        # last (earliest added) hop in the message wins
        if ( $line2 =~ /Received:/ ) {
            $senderserv = ( split( / /, $line2 ) )[2];
            $sserv2     = ( split( / /, $line2 ) )[3];
            $sserv2 =~ s/\[//;
            $sserv2 =~ s/\]//;
            $sserv2 =~ s/\(//;
            chomp( $senderserv, $sserv2 );
        }
        if ( $line2 =~ m/From:/ )    { $from    = ( split( / /, $line2 ) )[1]; }
        if ( $line2 =~ m/To:/ )      { $to      = ( split( / /, $line2 ) )[1]; }
        if ( $line2 =~ m/Subject:/ ) { $subject = ( split( / /, $line2 ) )[1]; }
    }
    chomp( $from, $to, $subject );
    print "to: $to\nfrom: $from\nsubject: $subject\n";
    print "Virus Mailserver: $senderserv\nipadres server: $sserv2\n";
    print $div;
}
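An added illustration (not code from the post or from amavis) of parsing the same two inputs more robustly: anchored regexes replace the positional split() fields, both the f-prot "Infection:" and clamav "FOUND" formats are recognised, and only the header block of the quarantined message is read, so body text cannot match a header name, folded Received: lines are joined, and the originating relay is taken from the last Received: header. The log lines and the message are constructed samples.

```perl
use strict;
use warnings;

# Constructed sample input (not real log data): an f-prot "Infection:" line
# and a clamav "FOUND" line, each followed by the amavis quarantine line.
my @log = (
    "/var/amavis/amavis-1/parts/msg-6011-2.pif  Infection: W32/Netsky.B\@mm\n",
    "Mar  8 11:51:45 mx amavis[6011]: quarantined as virus-20040308-115145-6011\n",
    "/var/amavis/amavis-2/parts/msg-6012-1.zip: Worm.Example FOUND\n",
    "Mar  8 11:52:10 mx amavis[6012]: quarantined as virus-20040308-115210-6012\n",
);
# Constructed quarantined message: one folded Received: header and a body
# line that an unanchored /From:/ match would mistake for a header.
my $mail = "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
         . "Received: from node.example.net\n\t(node.example.net [192.0.2.77])\n"
         . "From: someone\@example.net\nTo: user\@example.org\nSubject: hello\n"
         . "\nFrom: body text, not a header\n";

# One anchored regex per line format instead of positional split() fields.
sub parse_log {
    my ( $loc, $vir, @hits );
    for (@_) {
        if    (/^(\S+)\s+Infection:\s+(\S+)/) { ( $loc, $vir ) = ( $1, $2 ) }  # f-prot
        elsif (/^(\S+?):\s+(\S+)\s+FOUND/)    { ( $loc, $vir ) = ( $1, $2 ) }  # clamav
        elsif ( /quarantined as (\S+)/ && defined $vir ) {
            push @hits, { part => $loc, virus => $vir, file => $1 };
            undef $vir;    # never attribute this name to a later message
        }
    }
    return @hits;
}

# Header section only, continuation lines unfolded, names matched at line
# start; the relay comes from the last Received: (the earliest hop).
sub parse_headers {
    my ($hdr) = split /\n\n/, $_[0], 2;
    $hdr =~ s/\n[ \t]+/ /g;
    my ( %h, @received );
    for ( split /\n/, $hdr ) {
        if    (/^Received:\s*(.*)/i) { push @received, $1 }
        elsif (/^([\w-]+):\s*(.*)/)  { $h{ lc $1 } = $2 }
    }
    if ( @received && $received[-1] =~ /from\s+(\S+).*?\[([\d.]+)\]/ ) {
        @h{qw(relay relay_ip)} = ( $1, $2 );
    }
    return \%h;
}

my $h = parse_headers($mail);
for my $hit ( parse_log(@log) ) {
    print "$hit->{virus} in $hit->{part}, saved as $hit->{file}\n";
}
print "from: $h->{from}\nto: $h->{to}\nsubject: $h->{subject}\n",
      "originating relay: $h->{relay} [$h->{relay_ip}]\n";
```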

Re: amavis logfile/viruspart parser
by Limbic~Region (Chancellor) on Mar 08, 2004 at 15:49 UTC
    teabag,
    I know people have their own preference on coding style, but I find the following much more readable:
    #!/usr/bin/perl
    use strict;
    use warnings;

    my $logfile  = $ARGV[0] || "/var/amavis/amavis.log";
    my $fprotdir = $ARGV[1] || "/var/virusmails";
    my $virprog  = $ARGV[2] || "f-prot";
    my ($loc, $vir);

    open(LOGFILE, '<', $logfile) or die "Unable to open $logfile for reading: $!";
    while ( my $line = <LOGFILE> ) {
        chomp $line;
        if ( $line =~ /Infection:/ ) {
            ($loc, $vir) = ( split( / /, $line ) )[0, 3];
        }
        elsif ( $line =~ /quarantined/ ) {
            my ($file, $time, $month, $day) = ( split( / /, $line ) )[12, 3, 0, 2];
            my $date = "$day $month $time";
            print "At $date $virprog detected a virus\nfound in $loc\n";
            print "Name virus: $vir\nMessage saved as: $fprotdir/$file\n";
            Checkwhosi( $file );
        }
    }
    close LOGFILE or die "Unable to close $logfile : $!";
    print "no viri received\n" if ! $vir;

    sub Checkwhosi {
        my $file_name = shift;
        my $file_fqn  = "$fprotdir/$file_name";
        open(VIRFILE, '<', $file_fqn) or die "Unable to open $file_fqn for reading : $!";
        my ($senderserv, $sserv2, %header);
        while ( my $line = <VIRFILE> ) {
            chomp $line;
            if ( $line =~ /Received:/ ) {
                ($senderserv, $sserv2) = ( split( / /, $line ) )[2,3];
                $sserv2 =~ s/[(\[\]]//g;
            }
            elsif ( $line =~ /(From|To|Subject):/ ) {
                $header{ $1 } = ( split( / /, $line ) )[1];
            }
        }
        print map { defined $header{$_} ? "$_: $header{$_}\n" : () } qw(To From Subject);
        print "Virus Mailserver: $senderserv\nipadres server: $sserv2\n";
        print "-" x 23, "\n";
        close(VIRFILE) || die "Error closing viral log file: $!";
    }
    Cheers - L~R
Re: amavis logfile/viruspart parser
by Juerd (Abbot) on Mar 08, 2004 at 14:03 UTC

    OT, FYI

    clamav is an open source virus scanner. It doesn't contain many of the old DOS boot sector viruses and other viruses, but it is perfect for mail-borne ones, as all recent virus epidemics had. The scanner is very fast (mostly because it checks only old ones). It works with qmail-scanner and amavis, or standalone.

    Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
