Just a thought. I produce this list nightly with a batch file using unxtools. I really like the addition I have that tells me whether it's an inside machine or an outside one. Inside ones show the IP of the sending computer. See the EXE banned at the bottom.

I'd be happy to share my bat file for this. It does require unxtools and certain values in the eml files, and I send all items to a catchall user for parsing.

bob

 27 Virus Name: : W32/[EMAIL PROTECTED] outside
 19 Virus Name: : HTML/[EMAIL PROTECTED] outside
 16 Virus Name: : W32/[EMAIL PROTECTED] outside
  9 Virus Name: : W32/[EMAIL PROTECTED] outside
  8 Virus Name: : W32/[EMAIL PROTECTED] outside
  4 Virus Name: : W32/[EMAIL PROTECTED] outside
  2 Virus Name: : W32/[EMAIL PROTECTED] outside
  1 Virus Name: [Outlook 'MIME segment in MIME Preamble' Vulnerability] outside
  1 Virus Name: [Outlook 'Blank Folding' Vulnerability] outside
  1 Virus Name: : W32/[EMAIL PROTECTED] outside
  1 Virus Name: : W32/[EMAIL PROTECTED] outside
  1 Virus Name: : W32/[EMAIL PROTECTED] outside
  1 Virus Name: : W32/[EMAIL PROTECTED] outside
  1 Virus Name: : W32/[EMAIL PROTECTED] outside
  1 Virus Name: : W32/[EMAIL PROTECTED] outside
  1 Banned Attachment: URL outside
  1 Banned Attachment: JS outside
  1 Banned Attachment: EXE In-District Attempt 10.13.1.77

On Wednesday, December 1, 2004 3:59 PM, John Dobbin <[EMAIL PROTECTED]> wrote:
> grep INFECTED virMMDD.log | gawk "{print $8}" | sort | uniq -ic | sort /reverse
>
> Gives a nice listing of catches:
>
>  50 HTML/[EMAIL PROTECTED]:
>  33 W32/[EMAIL PROTECTED]:
>  19 'CR'
>  18 W32/[EMAIL PROTECTED]:
>   3 W32/[EMAIL PROTECTED]:
>   2 Encoding
>   1 W32/Wurmark.A:
>   1 W32/[EMAIL PROTECTED]:
>   1 W32/[EMAIL PROTECTED]:
>   1 W32/[EMAIL PROTECTED]:
>   1 W32/[EMAIL PROTECTED]:
>   1 W32/[EMAIL PROTECTED]:
>   1 'Space
>   1 'MIME
>   1 'Blank
>
> John Dobbin
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick
>> Sent: Wednesday, December 01, 2004 4:31 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: [Declude.Virus] log file grepping
>>
>> Bill?.. or anyone :)
>>
>> Is there a way in a single line to use grep or a similar tool on a virus log file and have it return 2 values: total_scanned and viruses found?
>>
>> I have been able to do this in multiple lines with temp files but am stuck trying to do it on a single command line.
>>
>> The purpose here is to use mrtg to graph virus traffic - I can do it with one value, but when I try to combine both I am lost.
>>
>> Thanks in advance -
>>
>> -Nick
>>
>> ---
>> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>>
>> ---
>> This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
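The three things discussed in this thread (John's per-name tally, Nick's single-command "total scanned plus viruses found" for MRTG, and bob's inside/outside tag) put together as an added example; this is not code from bob, John or Nick, and it is not Declude's own output format. It assumes a log where every scanned message produces one line, infected lines contain the word INFECTED, the virus name is the 8th whitespace-separated field and the sender's IP is the 9th; the sample lines are constructed, and the "inside" network (10.0.0.0/8) is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. It assumes a
# Declude-style virus log in which every scanned message produces one
# line, infected messages carry the word INFECTED, the virus name is the
# 8th whitespace-separated field and the sender's IP is the 9th. The
# sample lines below are constructed for the demo, not real Declude output.

# Write a constructed six-line sample log to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
12/01/2004 15:59:01 Q0001 Scanned 1 attachments CLEAN - 203.0.113.10
12/01/2004 15:59:05 Q0002 Scanned 2 attachments INFECTED W32/Example-A 203.0.113.20
12/01/2004 15:59:09 Q0003 Scanned 1 attachments CLEAN - 198.51.100.7
12/01/2004 15:59:12 Q0004 Scanned 1 attachments INFECTED HTML/Example-B 198.51.100.9
12/01/2004 15:59:20 Q0005 Scanned 3 attachments INFECTED W32/Example-A 10.13.1.77
12/01/2004 15:59:31 Q0006 Scanned 1 attachments CLEAN - 203.0.113.11
EOF
}

# John's per-name tally, most frequent first. "uniq -c" instead of
# "uniq -ic" keeps the count case-sensitive and portable across uniq
# implementations; "sort -rn" stands in for the Windows "sort /reverse".
count_by_name() {
    grep INFECTED "$1" | awk '{ print $8 }' | sort | uniq -c | sort -rn
}

# Nick's question: total_scanned and viruses_found from one command and
# one pass over the file, with no temp files. Line 1 is the number of
# lines (messages scanned), line 2 the number of INFECTED lines.
scan_totals() {
    awk '{ total++ } /INFECTED/ { found++ } END { print total + 0; print found + 0 }' "$1"
}

# Single-number accessors for scripts that only want one of the two.
total_scanned() { scan_totals "$1" | sed -n 1p; }
viruses_found() { scan_totals "$1" | sed -n 2p; }

# Output in the four-line shape MRTG expects from an external target
# script: first value, second value, uptime string, target name.
mrtg_output() {
    scan_totals "$1"
    echo "0"
    echo "declude-virus"
}

# Bob's inside/outside tag: a sender on the local network (assumed here
# to be 10.0.0.0/8) is reported as an In-District attempt with its IP,
# so an infected internal host can be located; everyone else is "outside".
count_by_name_and_origin() {
    grep INFECTED "$1" | awk '{
        if ($9 ~ /^10\./) origin = "In-District Attempt " $9
        else              origin = "outside"
        print $8, origin
    }' | sort | uniq -c | sort -rn
}

# Demo run against the constructed log.
log=$(mktemp)
make_sample_log "$log"
echo "--- catches by name ---";               count_by_name "$log"
echo "--- total scanned / viruses found ---"; scan_totals "$log"
echo "--- catches by name and origin ---";    count_by_name_and_origin "$log"
rm -f "$log"
```

For MRTG, point a Target at a wrapper that calls mrtg_output on the current day's log; the first two lines become the two graphed values. If the real log puts the virus name or sender IP in a different column, only the $8 and $9 field numbers in the awk programs need to change.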