Re: [Clamav-users] Additional logging info.

2004-08-11 Thread Brett Simpson
>>> [EMAIL PROTECTED] 8/10/2004 3:49:05 PM >>>
> It looks good.  I might steal some of this to do reporting for some
> clients - do you mind?

Go right ahead and use it any way you want. 





---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Additional logging info.

2004-08-10 Thread Stephen Gran
On Tue, Aug 10, 2004 at 01:47:52PM -0400, Brett Simpson said:
> On Mon, 2004-08-09 at 22:21, Stephen Gran wrote:
> > Don't loop - make a more complicated data structure, like a multi level
> > hash (ugly pseudo-code to follow):
> 
> Ok.
> 
> > Just read the file once, fill in the bits as you go, and process the
> > whole thing at the end.
> 
> I wrote this and it's much much faster. In fact the old way of looping
> through the file multiple times took 1 minute and 20 seconds while the
> code below took 20 seconds.

It looks good.  I might steal some of this to do reporting for some
clients - do you mind?

-- 
 --
|  Stephen Gran  | You will be awarded the Nobel Peace |
|  [EMAIL PROTECTED] | Prize... posthumously.  |
|  http://www.lobefin.net/~steve | |
 --




Re: [Clamav-users] Additional logging info.

2004-08-10 Thread Brett Simpson
On Mon, 2004-08-09 at 22:21, Stephen Gran wrote:
> Don't loop - make a more complicated data structure, like a multi level
> hash (ugly pseudo-code to follow):

Ok.

> Just read the file once, fill in the bits as you go, and process the
> whole thing at the end.

I wrote this and it's much much faster. In fact the old way of looping
through the file multiple times took 1 minute and 20 seconds while the
code below took 20 seconds.


#!/usr/bin/perl -w
print "Shows unique hosts with a virus count over 10:\n";

open(FILE, "/var/log/maillog") or die "cannot open /var/log/maillog: $!";
while (<FILE>) {
    # sendmail line: $3 is the queue id, $6 the relay IP in [brackets]
    if (/(\d|\D)+sendmail\[(\d)+\]:\s((\w)+):(\d|\D)+\[(\d+\.\d+\.\d+\.\d+)\]/) {
        $ip_addr = $6;
        $message_id = $3;
        # skip messages handed in over the loopback relay
        unless ( $ip_addr eq "127.0.0.1" ) {
            $email->{$message_id}->{ip_addr} = $ip_addr;
        }
    }
    # clamav-milter line: $3 is the queue id, $5 the virus name
    elsif (/(\d|\D)+clamav-milter\[(\d)+\]:\s((\w)+):\sstream:\s(\d|\D+)virus(\d|\D)+/) {
        $message_id = $3;
        $virus = $5;
        $email->{$message_id}->{virus} = $virus;
    }
}
close(FILE);

# second pass over the in-memory hash only, never over the file again
# (%ip_addr is keyed by virus name and %virus by sender IP, as in the original)
foreach $message_id ( keys %{ $email } ) {
    if ( $email->{$message_id}->{virus} ) {
        $virus = $email->{$message_id}->{virus};
        $ip_addr = $email->{$message_id}->{ip_addr};
        $ip_addr{$virus}++;
        $virus{$ip_addr}++;
    }
}

sub hashValueDescendingNum {
    $ip_addr{$b} <=> $ip_addr{$a};
}

foreach $virus (sort hashValueDescendingNum (keys(%ip_addr))) {
    print "Count is $ip_addr{$virus} for $virus\n";
}

sub hashValueDescendingIp {
    $virus{$b} <=> $virus{$a};
}

foreach $ip_addr (sort hashValueDescendingIp (keys(%virus))) {
    if ($virus{$ip_addr} >= 10) {
        print "Count is $virus{$ip_addr} for $ip_addr\n";
    }
}






Re: [Clamav-users] Additional logging info.

2004-08-09 Thread Joe Maimon

Stephen Gran wrote:

> As for your actual question, I don't think the milter has access to that
> - it gets the email as a data stream from sendmail, and is relatively
> isolated from the actual connection, AFAIK.


If you feel like patching the milter
http://www.milter.org/milter_api/xxfi_connect.html
Or you could find and retrieve the appropriate macro from sendmail with
http://www.milter.org/milter_api/smfi_getsymval.html
In general this is a good resource for milters
http://www.milter.org/milter_api/


Re: [Clamav-users] Additional logging info.

2004-08-09 Thread Stephen Gran
On Mon, Aug 09, 2004 at 04:10:22PM -0400, Brett Simpson said:
> Is there a way I can configure the following log entry for Clamav-milter to also 
> output the origin address? The reason I'm asking is because I'm using a script to go 
> through the log file and count all of the big virus senders but it takes forever to 
> run since I'm having to loop through my maillog file to find the message id 
> "i79K3CfR009900" with the ip address.
> 
> So I see this
> Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: 
> Trojan.JS.RunMeIntercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
> 
> But would like to see something similar to this...(if possible)
> Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: 
> Trojan.JS.RunMeIntercepted virus from <[EMAIL PROTECTED]> at 4.4.103.77 to <[EMAIL 
> PROTECTED]>

Don't loop - make a more complicated data structure, like a multi level
hash (ugly pseudo-code to follow):

my %hash = (
  i79K3CfR009900 => {
    virus => 'Trojan.JS.RunMeIntercepted',
    to    => '[EMAIL PROTECTED]',
    from  => '[EMAIL PROTECTED]',
    ip    => '4.4.103.77',
  },
  nextmessageid => {
    # ...
  },
);

Just read the file once, fill in the bits as you go, and process the
whole thing at the end.

As for your actual question, I don't think the milter has access to that
- it gets the email as a data stream from sendmail, and is relatively
isolated from the actual connection, AFAIK.
-- 
 --
|  Stephen Gran  |  RMS for President???  |
|  [EMAIL PROTECTED] | ...or ESR, he wants a new job ;)|
|  http://www.lobefin.net/~steve | |
 --


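The single-pass, keyed-by-queue-id approach Stephen sketches above, and that Brett's Perl script implements, worked through in Python as an added example (it is not code from the thread or from the ClamAV project). It reads the maillog once, fills a per-message record as sendmail and clamav-milter lines arrive in any order, and only then counts detections per signature and per relay IP. It goes slightly beyond the thread's script in one respect: it anchors the sendmail match on the `from=` envelope line, so a later `to=` delivery line, which also carries a `relay=... [ip]`, cannot overwrite the client's IP with the outbound relay's. The log lines, hostnames, addresses and queue ids are constructed for the example.

```python
#!/usr/bin/env python3
"""Single-pass correlation of sendmail and clamav-milter syslog lines by queue id.

Added example, not code from the thread. It reimplements the approach in
Python: read the maillog once, key everything by the sendmail queue id, and
report per-virus and per-relay-IP counts at the end.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread). Hostnames, addresses and
# queue ids are made up; the 127.0.0.1 relay exercises the localhost skip and
# the final "to=" delivery line exercises the outbound-relay edge case.
SAMPLE_MAILLOG = """\
Aug  9 16:03:12 ns2b sendmail[9850]: i79K3CfR009900: from=<alice@example.net>, size=1234, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=host1.example.net [4.4.103.77]
Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: Trojan.JS.RunMeIntercepted virus from <alice@example.net> to <bob@example.com>
Aug  9 16:03:20 ns2b sendmail[9850]: i79K3DaB009901: from=<carol@example.org>, size=4321, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Aug  9 16:03:21 ns2b clamav-milter[9851]: i79K3DaB009901: stream: Worm.SomeThing virus from <carol@example.org> to <bob@example.com>
Aug  9 16:04:01 ns2b sendmail[9850]: i79K4AbC009902: from=<dave@example.net>, size=999, class=0, nrcpts=1, msgid=<3@example.net>, proto=ESMTP, daemon=MTA, relay=host1.example.net [4.4.103.77]
Aug  9 16:04:02 ns2b clamav-milter[9851]: i79K4AbC009902: stream: Trojan.JS.RunMeIntercepted virus from <dave@example.net> to <erin@example.com>
Aug  9 16:05:00 ns2b sendmail[9850]: i79K5XyZ009903: from=<frank@example.net>, size=10, class=0, nrcpts=1, msgid=<4@example.net>, proto=ESMTP, daemon=MTA, relay=host2.example.net [192.0.2.10]
Aug  9 16:05:01 ns2b sendmail[9850]: i79K5XyZ009903: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30010, relay=mx.example.com. [192.0.2.50], dsn=2.0.0, stat=Sent
"""

# sendmail's envelope line carries the queue id, the sender and the relay that
# handed the message in. Anchoring on "from=" keeps later "to=" delivery lines
# (which also carry relay=... [ip]) from overwriting the client IP.
SENDMAIL_FROM = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>"
    r".*?relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)
# clamav-milter's line carries the queue id, signature name and envelope addresses.
MILTER_VIRUS = re.compile(
    r"clamav-milter\[\d+\]: (?P<qid>\w+): stream: (?P<virus>\S+) virus"
    r" from <(?P<sender>[^>]*)> to <(?P<rcpt>[^>]*)>"
)


def correlate(lines, skip_ips=("127.0.0.1",)):
    """One pass over the log: build {queue_id: {ip, virus, to}} as lines arrive."""
    msgs = defaultdict(dict)
    for line in lines:
        m = SENDMAIL_FROM.search(line)
        if m:
            if m.group("ip") not in skip_ips:
                msgs[m.group("qid")]["ip"] = m.group("ip")
            continue
        m = MILTER_VIRUS.search(line)
        if m:
            msgs[m.group("qid")]["virus"] = m.group("virus")
            msgs[m.group("qid")]["to"] = m.group("rcpt")
    return msgs


def summarize(msgs, threshold=10):
    """Count detections per signature and per relay IP; return (per_virus, per_ip, heavy)."""
    per_virus = Counter()
    per_ip = Counter()
    for rec in msgs.values():
        virus = rec.get("virus")
        if not virus:
            continue  # clean message, or no milter line seen for it
        per_virus[virus] += 1
        if "ip" in rec:  # absent when the relay was skipped or never logged
            per_ip[rec["ip"]] += 1
    heavy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return per_virus, per_ip, heavy


def report(msgs, threshold=10):
    """Render the same two lists the thread's script prints, most frequent first."""
    per_virus, _, heavy = summarize(msgs, threshold)
    out = [f"Count is {n} for {v}" for v, n in per_virus.most_common()]
    out += [f"Count is {n} for {ip}"
            for ip, n in sorted(heavy.items(), key=lambda kv: -kv[1])]
    return out


if __name__ == "__main__":
    # Usage: python3 virus_senders.py /var/log/maillog [threshold]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = list(fh)
    else:
        lines = SAMPLE_MAILLOG.splitlines()
    thr = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    print("\n".join(report(correlate(lines), thr)))
```

Run without arguments it processes the constructed sample; with a path it reads the real maillog. The per-message record is only consulted after the file is closed, so each line is read exactly once regardless of how far apart a message's sendmail and milter lines sit, which is the whole saving over re-scanning the file per queue id.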


Re: [Clamav-users] Additional logging info.

2004-08-09 Thread Todd Lyons
Brett Simpson wanted us to know:

>Is there a way I can configure the following log entry for Clamav-milter to also 
>output the origin address? The reason I'm asking is because I'm using a script to go 
>through the log file and count all of the big virus senders but it takes forever to 
>run since I'm having to loop through my maillog file to find the message id 
>"i79K3CfR009900" with the ip address.
>
>So I see this
>Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: 
>Trojan.JS.RunMeIntercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
>
>But would like to see something similar to this...(if possible)
>Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: 
>Trojan.JS.RunMeIntercepted virus from <[EMAIL PROTECTED]> at 4.4.103.77 to <[EMAIL 
>PROTECTED]>

Does the milter even have access to the IP address?  I didn't think that
it did.
-- 
Regards...  Todd
  We should not be building surveillance technology into standards.
  Law enforcement was not supposed to be easy.  Where it is easy, 
  it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise   2 users,  load average: 0.00, 0.04, 0.05




[Clamav-users] Additional logging info.

2004-08-09 Thread Brett Simpson
Is there a way I can configure the following log entry for Clamav-milter to also 
output the origin address? The reason I'm asking is because I'm using a script to go 
through the log file and count all of the big virus senders but it takes forever to 
run since I'm having to loop through my maillog file to find the message id 
"i79K3CfR009900" with the ip address.

So I see this
Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: 
Trojan.JS.RunMeIntercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>

But would like to see something similar to this...(if possible)
Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: 
Trojan.JS.RunMeIntercepted virus from <[EMAIL PROTECTED]> at 4.4.103.77 to <[EMAIL 
PROTECTED]>

Thanks,
Brett


