I'm running Sendmail and clamav-milter on the system on which I'm testing OSSEC and was wondering if anyone has done anything with the maillog clamav output. It would be nice to have a rule to capture and report (active response too) when a virus is sent.
Following is a sample from my maillog:

Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: Milter (clamav): init success to negotiate
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: Milter: connect to filters
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=connect, continue
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=mail, continue
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=rcpt, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: from=<[EMAIL PROTECTED]>, size=41335, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=[194.176.176.112]
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=header, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=eoh, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=body, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header: X-Virus-Scanned: ClamAV version 0.90.2, clamav-milter version 0.90.2 on mail.telesoft.com
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header: X-Virus-Status: Infected with Worm.Mydoom.M
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: Milter: data, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: to=<[EMAIL PROTECTED]>, delay=00:00:03, pri=71335, stat=virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net

Thanks.
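As an added example (not from the post, and not an OSSEC decoder or rule), the detection logic the poster is after, in Python: it parses the sendmail/clamav-milter lines above, correlates them by sendmail queue ID, and raises one alert per rejected message with the virus name, envelope sender and relay attached. The regexes and field names are my own assumptions about the line format shown; the clean second message at the end of the sample is constructed.

```python
import re
from collections import defaultdict

# Sample input: lines adapted from the maillog excerpt in the post (its
# [EMAIL PROTECTED] redaction kept), plus one constructed clean message.
SAMPLE_MAILLOG = """\
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=connect, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: from=<[EMAIL PROTECTED]>, size=41335, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=[194.176.176.112]
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header: X-Virus-Status: Infected with Worm.Mydoom.M
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: Milter: data, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: to=<[EMAIL PROTECTED]>, delay=00:00:03, pri=71335, stat=virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:40:02 mail sendmail[22601]: l5Q9e2ab022601: milter=clamav, action=body, continue
"""

# Syslog prefix; the queue ID (l5Q9bJgv022575) ties one message's lines together.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
# Envelope line: sender and the relay it arrived from.
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+)$")
# Match only the "milter=clamav, reject=" form: sendmail logs the same rejection
# twice more ("Milter: data, reject=" and "stat=virus ..."), and matching all
# three would raise three alerts for one infected message.
VIRUS_RE = re.compile(r"^milter=clamav, reject=554 5\.7\.1 virus (?P<virus>\S+) detected by ClamAV")

def detect_clamav_rejects(lines):
    """Return one alert dict per message rejected by clamav-milter as infected."""
    envelope = defaultdict(dict)  # per-queue-ID state, as a stateful rule would keep
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a sendmail queue line
        qid, msg = m.group("qid"), m.group("msg")
        f = FROM_RE.match(msg)
        if f:
            envelope[qid].update(sender=f.group("sender"), relay=f.group("relay"))
            continue
        v = VIRUS_RE.match(msg)
        if v:
            alert = {"time": m.group("ts"), "host": m.group("host"), "qid": qid,
                     "virus": v.group("virus")}
            alert.update(envelope.pop(qid, {}))  # attach sender/relay, free the state
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect_clamav_rejects(SAMPLE_MAILLOG.splitlines()):
        print(f"{a['time']} {a['host']}: {a['virus']} from {a.get('sender')} via {a.get('relay')} (queue {a['qid']})")
```

The relay and sender in the alert are what an active response would key on; the queue ID lets you pull the full transaction back out of the maillog when reviewing the alert.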
