Maillog-virus.pl 20070307
Denis Beauchemin
Denis.Beauchemin at USherbrooke.ca
Thu Mar 8 16:21:41 CET 2007
Hugo van der Kooij wrote:
> Hi,
>
> I did manage to get the timestamps sorted out a bit. (If someone has a
> log file of last year they could see if the timestamps are ok on
> those.) Anything over 11 months old will probably get an inaccurate
> timestamp.
>
> Download: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl
>
> So I now seem to have a way to get the 3 ingredients I want to collect:
> timestamp; AV tool; infection name.
>
> The next thing is to write a collector to handle these reports, put
> them in a database and show some nice statistics about them.
>
> That way there is a way to build an insight into current malware
> activity. At least it could tell what is hot today or what was hot
> yesterday or last week or ....
>
> And finally it needs to be secured so only participating parties can
> have their logs analyzed and added to the database so there is at
> least a reasonable amount of accuracy.
>
> In the end it should resemble the dshield way of doing things by
> publishing the interchange format so people can write their own
> collectors.
>
> So please give this script a spin to see if the collecting is nearing
> accuracy for systems running MailScanner and logging silent viruses
> including the AV info.
>
> The MailScanner config I use contains:
> Virus Scanning = yes
> Virus Scanners = clamav f-prot mcafee
> Silent Viruses = HTML-IFrame All-Viruses
> Log Silent Viruses = yes
>
> (I also wrote a bit to parse BitDefender for now.)
Hugo,
Seems fine here but I would rather write the date in this format:
YYYY-MM-DD (such as 2006-03-08 for today). It's easier to parse and
quite easy to read also (it's the format I always use).
Many years ago I wrote an add-on to logrotate to rename all log files to
include the date in the file's name (such as maillog.20061225) so it's
easy for me to locate a log and know its contents. I have played with
RHEL 5 and it has this feature built-in (logrotate-3.7.4-7):
> dateext
> Archive old versions of log files adding a daily
> extension like YYYYMMDD instead of
> simply adding a number.
Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045
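As an added example (not Hugo's maillog-virus.pl and not MailScanner's exact log wording), the Python below pulls the three fields from the thread (timestamp, AV tool, infection name) out of constructed syslog-style lines and writes the date in the YYYY-MM-DD form Denis prefers. It also shows the year inference that syslog's year-less timestamps force, which is why entries older than about 11 months come out with the wrong year; the message layout and the ClamAV/F-Prot sample names are assumptions.

```python
import re
from datetime import date

# Constructed sample lines: a syslog prefix (no year) followed by a MailScanner
# message. The wording after the PID is an assumption for illustration only.
SAMPLE_LOG = """\
Mar  8 16:21:41 mx1 MailScanner[4321]: Virus Scanning: ClamAV found virus Worm.Bagle-AB in message 1HPMm1-0001cp-Ql
Dec 25 03:10:07 mx1 MailScanner[4322]: Virus Scanning: F-Prot found virus W32/Netsky.P@mm in message 1HPMm1-0001d0-ab
Apr  2 09:00:00 mx1 MailScanner[4323]: Silent: Found HTML-IFrame in message 1HPMm1-0001e9-Qx
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Only lines carrying all three ingredients (time, AV tool, infection name) match.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ MailScanner\[\d+\]: Virus Scanning: (?P<av>\S+) found virus "
    r"(?P<name>\S+) in message")


def infer_year(month, day, today):
    """Syslog lines carry no year. Assume the current year unless that would
    place the entry in the future, in which case use last year. Anything older
    than roughly 11 months therefore gets a wrong year, as the thread notes."""
    if (month, day) > (today.month, today.day):
        return today.year - 1
    return today.year


def parse_virus_lines(text, today):
    """Return a list of (YYYY-MM-DD HH:MM:SS, av tool, infection name)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without an AV tool or infection name are skipped
        mon, day = MONTHS[m["mon"]], int(m["day"])
        year = infer_year(mon, day, today)
        stamp = f"{year:04d}-{mon:02d}-{day:02d} {m['time']}"
        records.append((stamp, m["av"].lower(), m["name"]))
    return records


if __name__ == "__main__":
    # Parse as if run on the day of this post; the Dec 25 line lands in 2006.
    for rec in parse_virus_lines(SAMPLE_LOG, date(2007, 3, 8)):
        print(";".join(rec))
```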