On Thu, 2 Feb 2006, George R. Kasica wrote:

> From: George R. Kasica <[EMAIL PROTECTED]>
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Date: Thu, 02 Feb 2006 15:40:41 -0600
> Subject: Re: [Clamav-users] Unofficial Phishing Signatures
> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>
> >On Thu, 02 Feb 2006 19:40:17 +0000, you wrote:
...
> Steve or Dennis:
>
> Where did you get the tool to get clamav stats? We just installed it
> here and could really use something like that.

I suspect this will greatly depend on the MTA you're using. I'm using exim as my MTA and all incoming mail is run through both ClamAV and Sophos virus scanners. Mail containing a virus is rejected after the DATA phase of the SMTP dialogue and I've set up exim to log this. For example:

    2006-02-03 09:21:56 1F4x8d-0004hS-G1 H=mars.math.nctu.edu.tw (Webmail.Math.NCTU.edu.tw) [140.113.22.51] I=[138.38.32.23]:25 U=root F=<[EMAIL PROTECTED]> rejected after DATA: rejected by exiscan-acl: message contains malware (Html.Phishing.Pay.Sanesecurity.05082900 ClamAV).

Logs are rotated daily. So it's a simple matter to run a perl script over yesterday's logs, pick out lines similar to the above[1], and produce a summary.

I do much the same with spam scores. Spam counts are logged and a daily summary produced.

[1] Simple perl code of the form:

    # Inside the loop that reads the log one (chomped) line at a time
    if ($line =~ /This message contains a virus/ ||
        $line =~ /message contains malware/) {
        # The first two space-separated fields are the date and the time
        ($day, $time, $junk) = split (/ /, $line);
        $last = $time;                           # time of the latest rejection
        $first = $time unless defined ($first);  # time of the first rejection
        print EXISCANLOG "$line\n";              # copy to the "condensed" log
        $line =~ s/^.* \(//;    # drop everything up to the last " ("
        $line =~ s/..$//;       # drop the trailing ")."
        $virus{$line} += 1;     # count per "<signature> <scanner>"
        next;
    }

will add up the virus counts and produce a "condensed" log that can be used to produce weekly and/or monthly summaries.

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]
Phone: +44 1225 386101
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
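
An added example, not part of the post above and not the poster's script: a Python version of the daily summary it describes, counting rejections per signature and scanner and recording the first and last rejection times. It assumes both logged phrases are followed by the "(<signature> <scanner>)." trailer seen in the sample line; the function name and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Phrases are the two from the post; the trailing "(<signature> <scanner>)."
# layout comes from the post's sample line and is assumed for both phrases.
REJECT = re.compile(
    r"(?:This message contains a virus|message contains malware)"
    r" \((?P<sig>\S+)(?: (?P<scanner>[^()]+))?\)\.?\s*$"
)

def summarise(lines):
    """Return (counts, first_stamp, last_stamp, condensed) for one day's log."""
    counts, condensed = Counter(), []
    first = last = None
    for raw in lines:
        line = raw.rstrip("\n")
        # The pattern is anchored at end of line: text supplied by the remote
        # host (HELO name, envelope sender) sits earlier in the line and must
        # not be counted as a scanner verdict.
        m = REJECT.search(line)
        fields = line.split(" ", 2)
        if m is None or len(fields) < 3:
            continue  # not a malware rejection, or no date/time prefix
        stamp = f"{fields[0]} {fields[1]}"
        first = first or stamp
        last = stamp
        counts[(m["sig"], m["scanner"] or "unknown")] += 1
        condensed.append(line)
    return counts, first, last, condensed

# Constructed sample log: documentation addresses and made-up message ids.
SAMPLE_LOG = [
    "2006-02-03 09:21:56 1F4x8d-0004hS-G1 H=mail.example.org [192.0.2.51] F=<a@example.org> rejected after DATA: rejected by exiscan-acl: message contains malware (Html.Phishing.Pay.Sanesecurity.05082900 ClamAV).",
    "2006-02-03 10:02:11 H=(message contains malware (Fake.Name X).) [192.0.2.77] F=<b@example.net> rejected RCPT <c@example.org>: relay not permitted",
    "2006-02-03 11:15:40 1F4yuQ-0005aB-7k H=mx.example.net [192.0.2.80] F=<d@example.net> rejected after DATA: rejected by exiscan-acl: message contains malware (Html.Phishing.Pay.Sanesecurity.05082900 ClamAV).",
    "2006-02-03 23:59:01 1F5Am1-0007Qz-Lp H=relay.example.com [192.0.2.99] F=<e@example.com> rejected after DATA: rejected by exiscan-acl: message contains malware (Constructed.Test.Signature Sophos).",
]

if __name__ == "__main__":
    counts, first, last, _ = summarise(SAMPLE_LOG)
    print(f"Rejections from {first} to {last}")
    for (sig, scanner), n in counts.most_common():
        print(f"{n:6d}  {sig}  [{scanner}]")
```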