Hi all,

In my setup I have several mail-relays and wanted to use a dedicated server running clamd to scan for viruses on behalf of all of them. For this purpose, I am using a program called clamd-stream-client on each mail-relay to check for viruses, all pointing to my clamd server. This gives me the option to simply add another server whenever the clamd server starts running short of CPU, RAM, etc., or for backup/failover situations.

When using clamd to scan streams, logging is _extremely_ basic. This did not allow me to get statistics of which mail-relay was the one placing the greatest demand on the clamd server, so after looking at the code, I modified the logging so that the ip address of the calling client is also displayed in the logs, making it easier to determine who is actually using the server. I have included a patch for 0.90.3, which also works for 0.90.2.

Since I started logging the ip addresses of all stream clients, I have only found that my mail-relays are using it, but can now easily spot if there are unauthorized accesses. Hope this helps

--
Jorge Valdes
[EMAIL PROTECTED]


diff -rub clamav-0.90.3-orig/clamd/scanner.c clamav-0.90.3/clamd/scanner.c
--- clamav-0.90.3-orig/clamd/scanner.c       2007-04-16 10:52:14.000000000 -0600
+++ clamav-0.90.3/clamd/scanner.c       2007-02-27 18:43:46.000000000 -0600
@@ -416,8 +416,6 @@
        const char *virname;
        char buff[FILEBUFF];
        struct sockaddr_in server;
+       struct sockaddr_in peer;
+       socklen_t addrlen;
        struct hostent he;
        struct cfgstruct *cpt;
        char *tmpname;
@@ -499,22 +497,21 @@
            return -1;
     }
 
-    if((acceptd = accept(sockfd, NULL, NULL)) == -1) {
+    addrlen = sizeof(peer);
+    if((acceptd = accept(sockfd, (struct sockaddr *)&peer, &addrlen)) == -1) {
        close(sockfd);
        mdprintf(odesc, "accept() ERROR\n");
        logg("!ScanStream %d: accept() failed.\n", port);
        return -1;
     }
 
-    logg("*Accepted connection on port %d, fd %d\n", port, acceptd);
+    logg("*Accepted connection from %s on port %d, fd %d\n", 
inet_ntoa(peer.sin_addr), port, acceptd);
 
     if ((tmpname = cli_gentempdesc(NULL, &tmpd)) == NULL) {
        shutdown(sockfd, 2);
        close(sockfd);
        close(acceptd);
        mdprintf(odesc, "tempfile() failed. ERROR\n");
-       logg("!ScanStream %d: Can't create temporary file.\n", port);
+       logg("!ScanStream %s %d: Can't create temporary file.\n", 
inet_ntoa(peer.sin_addr), port);
        return -1;
     }
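Review bot: inet_ntoa() returns a pointer to a single static buffer, so in the new logg() calls here (the accept message and the temporary-file error) the logged address can be overwritten by another thread formatting a different peer at the same moment, if this function runs on several worker threads as clamd's design suggests. Since these lines are meant to attribute load and spot unexpected clients, format the address once right after accept() into a local buffer and log that: `char peer_addr[INET_ADDRSTRLEN];` then `inet_ntop(AF_INET, &peer.sin_addr, peer_addr, sizeof(peer_addr));`, passing `peer_addr` to logg(). The same applies to every later hunk that calls inet_ntoa(peer.sin_addr): the write error, the size limit, the timeout and poll cases, and the FOUND/ERROR/OK lines. Note also that the address is only logged; nothing visible here compares it with the client that requested the stream, so an unexpected peer is recorded but its data is still accepted. The function body starts and ends outside this hunk.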
 
@@ -533,7 +530,7 @@
            closesocket(sockfd);
            closesocket(acceptd);
            mdprintf(odesc, "Temporary file -> write ERROR\n");
-           logg("!ScanStream %d: Can't write to temporary file.\n", port);
+           logg("!ScanStream %s %d: Can't write to temporary file.\n", 
inet_ntoa(peer.sin_addr), port);
            close(tmpd);
            if(!cfgopt(copt, "LeaveTemporaryFiles")->enabled)
                unlink(tmpname);
@@ -545,7 +542,7 @@
            btread = (maxsize - size); /* only read up to max */
 
            if(btread <= 0) {
-               logg("^ScanStream %d: Size limit reached (max: %d)\n", port, 
maxsize);
+               logg("^ScanStream %s %d: Size limit reached (max: %d)\n", 
inet_ntoa(peer.sin_addr), port, maxsize);
                break; /* Scan what we have */
            }
        }
@@ -554,11 +551,11 @@
     switch(retval) {
        case 0: /* timeout */
            mdprintf(odesc, "read timeout ERROR\n");
+           logg("!ScanStream %s %d: read timeout.\n", 
inet_ntoa(peer.sin_addr), port);
-           logg("!ScanStream %d: read timeout.\n", port);
            break;
        case -1:
            mdprintf(odesc, "read poll ERROR\n");
+           logg("!ScanStream %s %d: read poll failed.\n", 
inet_ntoa(peer.sin_addr), port);
-           logg("!ScanStream %d: read poll failed.\n", port);
            break;
     }
 
@@ -578,17 +575,17 @@
 
     if(ret == CL_VIRUS) {
        mdprintf(odesc, "stream: %s FOUND\n", virname);
+       logg("stream %s %d: %s FOUND\n", inet_ntoa(peer.sin_addr), port, 
virname);
-       logg("stream %d: %s FOUND\n", port, virname);
        virusaction("stream", virname, copt);
     } else if(ret != CL_CLEAN) {
        if(retval == 1) {
            mdprintf(odesc, "stream: %s ERROR\n", cl_strerror(ret));
+           logg("stream %s %d: %s ERROR\n", inet_ntoa(peer.sin_addr), port, 
cl_strerror(ret));
-           logg("stream %d: %s ERROR\n", port, cl_strerror(ret));
        }
     } else {
        mdprintf(odesc, "stream: OK\n");
         if(logok)
+           logg("stream %s %d: OK\n", inet_ntoa(peer.sin_addr), port); 
-           logg("stream %d: OK\n", port); 
     }
 
     return ret;
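Review bot: In the new `stream %s %d:` format the address is followed directly by the port, which reads like a peer address and peer port, although `port` appears to be the local stream port (it is the value logged as "on port %d" at accept()). Labelling the field, e.g. `logg("stream %d (peer %s): %s FOUND\n", port, inet_ntoa(peer.sin_addr), virname);`, would remove that ambiguity and keep the existing `stream %d` prefix that log parsers may already match. This applies equally to the `ScanStream %s %d:` lines in the earlier hunks.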