mailgraph patch to support nod32 av engine!

Hello mailgraph users,

Below comes a mini howto regarding how to add nod32 support to mailgraph.

1. Add these lines to your nod32 configuration file (nod32.cfg). I am running nod32ls-2.70-9 installed on a Centos5/Rhel5 server.

[global]
# log to syslog (this is a must, default is no)
syslog_enabled = yes
# log to /var/log/maillog (a must too, because the default is 3, which is not good because it will log to /var/log/messages)
syslog_facility = 2

2. Apply the patch to mailgraph (it is attached to this email and also comes inline below):

[alex@ltm scripts]$ cat mailgraph-1.14_nod32.patch
--- mailgraph.pl.orig	2007-08-29 12:06:01.000000000 +0300
+++ mailgraph.pl	2007-09-15 12:15:00.000000000 +0300
@@ -730,6 +730,12 @@
 # event($time, 'badh');
 # }
 }
+ elsif($prog eq 'nod32d') {
+ # Nod32 antivirus
+ if($text =~ / (action="contained infected files")/) {
+ event($time, 'virus');
+ }
+ }
 elsif($prog eq 'vagatefwd') {
 # Vexira antivirus (old)
 if($text =~ /^VIRUS/) {
[alex@ltm scripts]$

[root@mx mailgraph]# tar xvzf mailgraph-1.14.tar.gz
[root@mx mailgraph]# cd mailgraph-1.14
[root@mx mailgraph-1.14]# patch -p0 < ../mailgraph-1.14_nod32.patch
patching file mailgraph.pl
[root@mx mailgraph-1.14]#

3. Replace in mailgraph-init:

#old line
MAIL_LOG=/var/log/syslog
#new line
MAIL_LOG=/var/log/maillog

and optional but recommended:

#old line
case "$1" in
    'start')
        echo "Starting mail statistics grapher: mailgraph";
        nice -19 $MAILGRAPH_PL -l $MAIL_LOG -d \
            --daemon-pid=$PID_FILE --daemon-rrd=$RRD_DIR
    ;;
#new line
case "$1" in
    'start')
        echo "Starting mail statistics grapher: mailgraph";
        nice -19 $MAILGRAPH_PL -l $MAIL_LOG -d \
            --daemon-pid=$PID_FILE --daemon-rrd=$RRD_DIR --ignore-localhost
    ;;

4. Start mailgraph :-)

And for reference, here comes a snippet from my /var/log/maillog when nod32 is configured as above:

#clean message
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0200]: Connection open attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0200]: Connection open success
Sep 14 18:00:01 mx postfix/smtpd[7625]: connect from mx.foo.ro[127.0.0.1]
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 18:00:01 mx postfix/smtpd[7625]: 778E41D9039E:foo.ro client=mx.foo.ro[127.0.0.1]
Sep 14 18:00:01 mx nod32d[7509]: summary[1d550103]: vdb=10789, agent=smtp, msgid=<20070914150001.669591D9039F@...>, object="email message", name="mail", virus="is OK", action="", info="", lines=0
Sep 14 18:00:01 mx nod32smtp[7516]: summary[1d5c0201]: action="accepted"
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 18:00:01 mx postfix/smtpd[7625]: disconnect from mx.foo.ro[127.0.0.1]
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection close attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection close success

#infected message
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0200]: Connection open attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0200]: Connection open success
Sep 14 17:53:27 mx postfix/smtpd[7551]: connect from mx.foo.ro[127.0.0.1]
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 17:53:27 mx postfix/smtpd[7551]: E89811D9039F: client=mx.foo.ro[127.0.0.1]
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="email message", name="mail", virus="Eicar test file", action="contained infected files", info="", lines=3
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="archive", name="mail -> MIME -> eicarcom2.zip", virus="Eicar test file", action="deleted", info=""
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="archive", name="mail -> MIME -> eicarcom2.zip -> ZIP -> eicar_com.zip", virus="Eicar test file", action="error while deleting - operation unavailable for this type of object - was a part of the deleted object", info=""
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="file", name="mail -> MIME -> eicarcom2.zip -> ZIP -> eicar_com.zip -> ZIP -> eicar.com", virus="Eicar test file", action="error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object", info=""
Sep 14 17:53:27 mx nod32smtp[7516]: summary[1d5c0201]: action="accepted"
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 17:53:28 mx postfix/smtpd[7551]: disconnect from mx.foo.ro[127.0.0.1]
Sep 14 17:53:28 mx nod32smtp[7516]: note[1d5c0201]: Connection close attempt
Sep 14 17:53:28 mx nod32smtp[7516]: note[1d5c0201]: Connection close success

Regards,
Alexandru Suchici

-- 
Alex
linuxro@...

-- Attached file removed by Ecartis and put at URL below --
-- Type: text/x-patch
-- Size: 405 bytes
-- URL : http://lists.ee.ethz.ch/p/mailgraph-1.14_nod32.patch

Unsubscribe mailto:mailgraph-request@...?subject=unsubscribe
Help mailto:mailgraph-request@...?subject=help
Archive http://lists.ee.ethz.ch/mailgraph
WebAdmin http://lists.ee.ethz.ch/lsg2.cgi
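Review bot: in the nod32d branch, the match `/ (action="contained infected files")/` captures a group that is never used and is anchored only by a leading space, so it fires on that substring wherever it appears in the line; the name= field of the other summary lines for the same message carries the sender-supplied attachment path, so anchoring on the field delimiters (for example `/, action="contained infected files",/`) ties the event to the action field itself rather than to any substring, and the parentheses can go. It would also help to say in the comment that nod32d writes one summary line per scanned object and that only the object="email message" line carries this action, which is why the branch yields exactly one 'virus' event per infected message, as the four nod32d lines for the EICAR message in the log snippet show.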
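As an added, stand-alone example (my own code, not mailgraph's and not part of Alex's post), the following Python applies the nod32d match from the patch, verbatim, to the maillog lines quoted above, and beside it parses the same nod32d summary lines field by field to give a per-message verdict. The syslog and field regexes are my own assumptions about the line layout seen in the snippet; the sample lines are an excerpt of the post's snippet with the message-ids redacted exactly as there. It shows why the patch counts one event per infected message even though nod32d logs one summary line per scanned object.

```python
import re

# Excerpt of the /var/log/maillog lines quoted in the post (one clean message,
# one EICAR test message); message-ids are redacted as in the post.
SAMPLE_LOG = """\
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0200]: Connection open attempt
Sep 14 18:00:01 mx postfix/smtpd[7625]: connect from mx.foo.ro[127.0.0.1]
Sep 14 18:00:01 mx nod32d[7509]: summary[1d550103]: vdb=10789, agent=smtp, msgid=<20070914150001.669591D9039F@...>, object="email message", name="mail", virus="is OK", action="", info="", lines=0
Sep 14 18:00:01 mx nod32smtp[7516]: summary[1d5c0201]: action="accepted"
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="email message", name="mail", virus="Eicar test file", action="contained infected files", info="", lines=3
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="archive", name="mail -> MIME -> eicarcom2.zip", virus="Eicar test file", action="deleted", info=""
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="archive", name="mail -> MIME -> eicarcom2.zip -> ZIP -> eicar_com.zip", virus="Eicar test file", action="error while deleting - operation unavailable for this type of object - was a part of the deleted object", info=""
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@...>, object="file", name="mail -> MIME -> eicarcom2.zip -> ZIP -> eicar_com.zip -> ZIP -> eicar.com", virus="Eicar test file", action="error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object", info=""
Sep 14 17:53:27 mx nod32smtp[7516]: summary[1d5c0201]: action="accepted"
"""

# Assumed BSD-syslog layout: "Mon DD HH:MM:SS host prog[pid]: text" (my regex, not mailgraph's).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<text>.*)$')
# Assumed nod32d summary layout: 'summary[hex]: key=value, key="quoted", msgid=<...>'.
SUMMARY_RE = re.compile(r'^summary\[[0-9a-f]+\]: (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(<[^>]*>|[^,]*))')
# The match from the patch, copied verbatim.
PATCH_RE = re.compile(r' (action="contained infected files")')


def parse_syslog_line(line):
    """Split one syslog line into ts/host/prog/pid/text, or None if it does not fit."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_summary_fields(text):
    """Turn the key=value list of a nod32 summary line into a dict; None if not a summary."""
    m = SUMMARY_RE.match(text)
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group('fields')):
        key, quoted, bare = fm.group(1), fm.group(2), fm.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def count_virus_events(log):
    """Count 'virus' events exactly as the patched mailgraph.pl branch would."""
    events = 0
    for line in log.splitlines():
        rec = parse_syslog_line(line)
        if rec and rec['prog'] == 'nod32d' and PATCH_RE.search(rec['text']):
            events += 1
    return events


def summarize_nod32(log):
    """Per msgid: how many objects nod32d reported and whether the top-level
    'email message' object was flagged as containing infected files."""
    messages = {}
    for line in log.splitlines():
        rec = parse_syslog_line(line)
        if not rec or rec['prog'] != 'nod32d':
            continue
        fields = parse_summary_fields(rec['text'])
        if not fields or 'msgid' not in fields:
            continue
        entry = messages.setdefault(
            fields['msgid'], {'objects': 0, 'infected': False, 'virus': None})
        entry['objects'] += 1
        if fields.get('object') == 'email message':
            entry['infected'] = fields.get('action') == 'contained infected files'
            entry['virus'] = fields.get('virus')
    return messages


if __name__ == '__main__':
    print('virus events counted by the patch:', count_virus_events(SAMPLE_LOG))
    for msgid, info in summarize_nod32(SAMPLE_LOG).items():
        print(msgid, info)
```

Run it as a script and it reports one virus event for the excerpt while the per-message view shows four nod32d summary lines for the EICAR message and one for the clean message; that gap is why the patch's match on the top-level action, not a match on virus="..." on every line, is the right thing to feed into mailgraph's counter.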