Not sure if I'm reinventing the wheel, but I wrote a Perl script that reports on:
1: Unique viruses and the total number of times each was seen. 2: Hosts (by IP address) that sent over 10 viruses. 3: Per-host breakdown of which viruses were sent, with counts. 4: Per-host breakdown of which recipients were sent viruses, with counts. 5: Per-host breakdown of which sender addresses the viruses were sent from, with counts. Brett
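#!/usr/bin/perl
# Released under the GPL
#
# Report on virus detections that clamav-milter logged for sendmail traffic.
# The script reads a maillog, joins each clamav-milter detection to the
# sendmail line carrying the same queue id (to learn the remote IP address),
# and prints:
#   1. every virus name with the number of times it was seen, and
#   2. every remote host that sent REPORT_THRESHOLD or more viruses, with a
#      per-host breakdown of the viruses, the recipients and the (possibly
#      spoofed) sender addresses, each in descending order of count.
#
# Usage: virusreport.pl [maillog]      (defaults to /var/log/maillog)
#
# Changes from the first version: strict/warnings, checked 3-arg open,
# separate counters instead of one hash keyed by both queue id and IP,
# virus names containing digits are no longer dropped by the regex,
# detections with no known remote host no longer land in an empty-named
# host bucket, and log-derived text is sanitised before it is printed.
use strict;
use warnings;

use constant DEFAULT_MAILLOG  => '/var/log/maillog';
use constant REPORT_THRESHOLD => 10;   # hosts with fewer detections get no breakdown

# Set this to an IP address to restrict the spoofed-sender breakdown to that
# one host (undef = report the senders for every host above the threshold).
my $sender_report_host;

# sendmail line: "... sendmail[1234]: QID: from=<...>, ... relay=host [1.2.3.4]".
# The greedy .* takes the LAST bracketed IPv4 address on the line, i.e. the
# relay address, which is what the original greedy pattern captured as well.
my $SENDMAIL_RE = qr{
    sendmail\[\d+\]:\s
    (\w+):                          # queue id
    .*\[(\d+\.\d+\.\d+\.\d+)\]      # bracketed IPv4 address of the relay
}x;

# clamav-milter line:
# "... clamav-milter[1234]: QID: stream: NAME virus from <sender> to <recipient>".
# The name is taken non-greedily up to the first " virus from", so names that
# contain digits or spaces (e.g. W32 families) are accepted; the old
# (\d|\D+) alternation silently rejected them.
my $CLAMAV_RE = qr{
    clamav-milter\[\d+\]:\s
    (\w+):\sstream:\s               # queue id
    (.+?)\svirus\sfrom\s            # virus name
    <([^>]*)>\sto\s<([^>]*)>        # sender and recipient (either may be empty)
}x;

# Read log lines from an open filehandle and return a hashref keyed by queue id:
#   { QID => { ip_addr => ..., virus => ..., sender => ..., recipient => ... } }
# ip_addr stays undefined for messages relayed from 127.0.0.1 (local
# submissions) and for messages whose sendmail line was never seen.
sub parse_maillog {
    my ($fh) = @_;
    my %message;
    while (my $line = <$fh>) {
        if ($line =~ $SENDMAIL_RE) {
            my ($qid, $ip_addr) = ($1, $2);
            # Local submissions carry no useful sending host.
            $message{$qid}{ip_addr} = $ip_addr unless $ip_addr eq '127.0.0.1';
        }
        elsif ($line =~ $CLAMAV_RE) {
            my ($qid, $virus, $sender, $recipient) = ($1, $2, $3, $4);
            $message{$qid}{virus}     = $virus;
            $message{$qid}{sender}    = $sender;
            $message{$qid}{recipient} = $recipient;
        }
    }
    return \%message;
}

# Fold the parsed messages into three counters and return them as a hashref:
#   virus_count: virus name -> detections (every detection, host known or not)
#   host_count:  ip -> detections that came from that host
#   per_host:    ip -> { virus => { name => n }, sender => { addr => n },
#                        recipient => { addr => n } }
# A detection without a known sending host contributes to virus_count only.
sub tally_detections {
    my ($messages) = @_;
    my %tally = (virus_count => {}, host_count => {}, per_host => {});
    for my $msg (values %$messages) {
        next unless defined $msg->{virus};
        $tally{virus_count}{ $msg->{virus} }++;
        my $ip_addr = $msg->{ip_addr};
        next unless defined $ip_addr;
        $tally{host_count}{$ip_addr}++;
        my $host = $tally{per_host}{$ip_addr} ||= {};
        $host->{virus}{ $msg->{virus} }++;
        $host->{sender}{ $msg->{sender} }++;
        $host->{recipient}{ $msg->{recipient} }++;
    }
    return \%tally;
}

# Virus names and sender/recipient addresses are text supplied by whoever sent
# the mail; replace anything outside printable ASCII with '?' before echoing
# it, so a crafted address cannot push escape sequences into the terminal.
sub sanitize_for_terminal {
    my ($text) = @_;
    (my $clean = $text) =~ s/[^\x20-\x7e]/?/g;
    return $clean;
}

# Keys of a { key => count } hash, highest count first; ties are broken by
# key so the report is stable from run to run.
sub keys_by_count_desc {
    my ($count_of) = @_;
    return sort { $count_of->{$b} <=> $count_of->{$a} || $a cmp $b } keys %$count_of;
}

# Print the report for one tally to STDOUT. The wording matches the original
# script so existing readers of the output are not surprised.
sub print_report {
    my ($tally) = @_;

    print "Shows a count of each virus type:\n";
    for my $virus (keys_by_count_desc($tally->{virus_count})) {
        printf "Count is %d for %s\n",
            $tally->{virus_count}{$virus}, sanitize_for_terminal($virus);
    }

    print "\nShows uniques hosts with a virus count over " . REPORT_THRESHOLD . ":\n";
    for my $ip_addr (keys_by_count_desc($tally->{host_count})) {
        my $total = $tally->{host_count}{$ip_addr};
        next if $total < REPORT_THRESHOLD;   # numeric, not the old string "10"
        my $host = $tally->{per_host}{$ip_addr};

        print "\n$ip_addr sent the following virus's a total of $total times: \n";
        for my $virus (keys_by_count_desc($host->{virus})) {
            printf "%s was transmitted %d times.\n",
                sanitize_for_terminal($virus), $host->{virus}{$virus};
        }
        print "\n";

        for my $recipient (keys_by_count_desc($host->{recipient})) {
            printf "Stopped virus for %s %d times.\n",
                sanitize_for_terminal($recipient), $host->{recipient}{$recipient};
        }
        print "\n";

        # Sender breakdown, optionally limited to one host of interest.
        next if defined $sender_report_host && $ip_addr ne $sender_report_host;
        for my $sender (keys_by_count_desc($host->{sender})) {
            printf "Possibly spoofed address %s was seen %d times.\n",
                sanitize_for_terminal($sender), $host->{sender}{$sender};
        }
    }
    return;
}

# Entry point: open the log (first argument or DEFAULT_MAILLOG), parse, tally,
# print. Dies with the OS error if the log cannot be opened instead of
# silently reporting nothing, as the unchecked open did before.
sub main {
    my ($logfile) = @_;
    $logfile = DEFAULT_MAILLOG unless defined $logfile;
    open my $fh, '<', $logfile or die "open $logfile: $!\n";
    my $messages = parse_maillog($fh);
    close $fh;
    print_report(tally_detections($messages));
    return 0;
}

exit main(@ARGV) unless caller;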