Hello mailgraph users,
Below is a mini howto on adding NOD32 support to mailgraph.
1. Add these lines to your nod32 configuration file (nod32.cfg). I am running nod32ls-2.70-9 installed on a CentOS 5/RHEL 5 server.
[global]
# log to syslog (this is a must, default is no)
syslog_enabled = yes
# log to /var/log/maillog (a must too, because the default is 3, which is not good because it will log to /var/log/messages)
syslog_facility = 2
2. Apply the patch to mailgraph (attached to this email and also inline below):
[alex@ltm scripts]$ cat mailgraph-1.14_nod32.patch
--- mailgraph.pl.orig 2007-08-29 12:06:01.000000000 +0300
+++ mailgraph.pl 2007-09-15 12:15:00.000000000 +0300
@@ -730,6 +730,12 @@
# event($time, 'badh');
# }
}
+ elsif($prog eq 'nod32d') {
+ # Nod32 antivirus
+ if($text =~ / (action="contained infected files")/) {
+ event($time, 'virus');
+ }
+ }
elsif($prog eq 'vagatefwd') {
# Vexira antivirus (old)
if($text =~ /^VIRUS/) {
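Review bot: keying the new nod32d branch off the action field rather than the virus field is the right choice, and the comment should say why: in the infected-message log excerpt the same message produces three nod32d summary lines that all repeat virus="Eicar test file", but only the object="email message" line carries action="contained infected files", so each infected message is counted once instead of once per archive member. The capturing parentheses in `/ (action="contained infected files")/` are never used; `/ action="contained infected files"/` does the same job and reads cleaner. Also worth noting in the comment that a clean scan (virus="is OK", action="") deliberately raises no event, so the graph only reflects messages where NOD32 found and contained an infection.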
[alex@ltm scripts]$
[root@mx mailgraph]# tar xvzf mailgraph-1.14.tar.gz
[root@mx mailgraph]# cd mailgraph-1.14
[root@mx mailgraph-1.14]# patch -p0 < ../mailgraph-1.14_nod32.patch
patching file mailgraph.pl
[root@mx mailgraph-1.14]#
3. Replace in mailgraph-init:
#old line
MAIL_LOG=/var/log/syslog
#new line
MAIL_LOG=/var/log/maillog
and, optional but recommended, replace:
#old line
case "$1" in
'start')
echo "Starting mail statistics grapher: mailgraph";
nice -19 $MAILGRAPH_PL -l $MAIL_LOG -d \
--daemon-pid=$PID_FILE --daemon-rrd=$RRD_DIR
;;
#new line (note the trailing backslash after --daemon-rrd, otherwise --ignore-localhost would run as a separate command)
case "$1" in
'start')
echo "Starting mail statistics grapher: mailgraph";
nice -19 $MAILGRAPH_PL -l $MAIL_LOG -d \
--daemon-pid=$PID_FILE --daemon-rrd=$RRD_DIR \
--ignore-localhost
;;
4. Start mailgraph :-)
And for reference, here is a snippet from my /var/log/maillog when nod32 is configured as above:
#clean message
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0200]: Connection open attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0200]: Connection open success
Sep 14 18:00:01 mx postfix/smtpd[7625]: connect from mx.foo.ro[127.0.0.1]
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 18:00:01 mx postfix/smtpd[7625]: 778E41D9039E:foo.ro client=mx.foo.ro[127.0.0.1]
Sep 14 18:00:01 mx nod32d[7509]: summary[1d550103]: vdb=10789, agent=smtp, msgid=<20070914150001.669591D9039F@mx.foo.ro>, object="email message", name="mail", virus="is OK", action="", info="", lines=0
Sep 14 18:00:01 mx nod32smtp[7516]: summary[1d5c0201]: action="accepted"
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 18:00:01 mx postfix/smtpd[7625]: disconnect from mx.foo.ro[127.0.0.1]
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection close attempt
Sep 14 18:00:01 mx nod32smtp[7516]: note[1d5c0201]: Connection close success
#infected message
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0200]: Connection open attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0200]: Connection open success
Sep 14 17:53:27 mx postfix/smtpd[7551]: connect from mx.foo.ro[127.0.0.1]
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 17:53:27 mx postfix/smtpd[7551]: E89811D9039F: client=mx.foo.ro[127.0.0.1]
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@mail.bar.com>, object="email message", name="mail", virus="Eicar test file", action="contained infected files", info="", lines=3
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@mail.bar.com>, object="archive", name="mail -> MIME -> eicarcom2.zip", virus="Eicar test file", action="deleted", info=""
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@mail.bar.com>, object="archive", name="mail -> MIME -> eicarcom2.zip -> ZIP -> eicar_com.zip", virus="Eicar test file", action="error while deleting - operation unavailable for this type of object - was a part of the deleted object", info=""
Sep 14 17:53:27 mx nod32d[7509]: summary[1d550102]: vdb=10789, agent=smtp, msgid=<20070914145055.AEC0E83120@mail.bar.com>, object="file", name="mail -> MIME -> eicarcom2.zip -> ZIP -> eicar_com.zip -> ZIP -> eicar.com", virus="Eicar test file", action="error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object", info=""
Sep 14 17:53:27 mx nod32smtp[7516]: summary[1d5c0201]: action="accepted"
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset attempt
Sep 14 17:53:27 mx nod32smtp[7516]: note[1d5c0201]: Connection reset success
Sep 14 17:53:28 mx postfix/smtpd[7551]: disconnect from mx.foo.ro[127.0.0.1]
Sep 14 17:53:28 mx nod32smtp[7516]: note[1d5c0201]: Connection close attempt
Sep 14 17:53:28 mx nod32smtp[7516]: note[1d5c0201]: Connection close success
Regards,
Alexandru Suchici
--
Alex
linuxro{at}fastmail{dot}fm
-- Attached file removed by Ecartis and put at URL below --
-- Type: text/x-patch
-- Size: 405 bytes
-- URL : http://lists.ee.ethz.ch/p/mailgraph-1.14_nod32.patch