Scott,
I think you could use something like this (modeled on 3103 and 3152
in sendmail_rules.xml) in local_rules.xml to get an alert (you may
need to play with the levels, etc. depending on your configuration):
<rule id="100103" level="8">
  <if_sid>3101</if_sid>
  <match>reject=554 5.7.1</match>
  <!--
  if 554 is too broad try this instead:
  <match>detected by ClamAV</match>
  -->
  <description>Rejected by ClamAV </description>
  <description>(55x: Requested action not taken).</description>
  <group>virus,</group>
</rule>

<rule id="100152" level="8" frequency="6" timeframe="120">
  <if_matched_sid>100103</if_matched_sid>
  <same_source_ip />
  <description>Multiple attempts to send </description>
  <description>virus infected e-mail. </description>
  <group>multiple_virus,</group>
</rule>
I've not tried this, just thinking at the keyboard. I'm not sure
the multiple will work since I don't see any source addresses in the
logs you sent.
I'll let someone better qualified answer about active response.
-David
[EMAIL PROTECTED] wrote:
>
> I'm running Sendmail and clamav-milter on the system on which I'm testing
> OSSEC and was wondering if anyone has done anything with the maillog
> clamav output. It would be nice to have a rule to capture and report
> (active response too) when a virus is sent.
>
> Following is a sample from my maillog:
>
> Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: Milter (clamav):
> init success to negotiate
> Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: Milter: connect to
> filters
> Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav,
> action=connect, continue
> Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav,
> action=mail, continue
> Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav,
> action=rcpt, continue
> Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575:
> from=<[EMAIL PROTECTED]>, size=41335, class=0, nrcpts=1,
> msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA,
> relay=[194.176.176.112]
> Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav,
> action=header, continue
> Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav,
> action=eoh, continue
> Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav,
> action=body, continue
> Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header:
> X-Virus-Scanned: ClamAV version 0.90.2, clamav-milter version 0.90.2 on
> mail.telesoft.com
> Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header:
> X-Virus-Status: Infected with Worm.Mydoom.M
> Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav,
> reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV -
> http://www.clamav.net
> Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: Milter: data,
> reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV -
> http://www.clamav.net
> Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575:
> to=<[EMAIL PROTECTED]>, delay=00:00:03, pri=71335, stat=virus
> Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
>
> Thanks.
>
--
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
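An added, stand-alone illustration (not part of this thread, and not OSSEC code) of what the two proposed rules would do when run over the kind of maillog quoted above. It emulates rule 100103 (one alert per ClamAV 554 5.7.1 reject) and rule 100152 (six rejects from the same source within 120 seconds), and it addresses David's caveat about the missing source address: the reject line carries only the sendmail queue ID, so the relay IP has to be remembered from the earlier `from=... relay=[...]` line with the same queue ID. It also counts each queue ID once, because sendmail logs the ClamAV reject twice per message (the `milter=clamav` line and the `Milter: data` line), which would otherwise double the rate. The log lines, the queue IDs, the `203.0.113.9` relay and the year 2007 are constructed for the example; `ClamavCorrelator`, `run_log` and `constructed_log` are names chosen here, and the frequency/timeframe semantics are a plain sliding window rather than a claim about OSSEC's exact internals.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One syslog line from sendmail: timestamp, host, queue id, then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$"
)
# relay=[1.2.3.4] or relay=host.example [1.2.3.4] on the from= line.
RELAY_RE = re.compile(r"relay=(?:[^\s\[]+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
# Same string the <match> element in rule 100103 looks for.
REJECT_RE = re.compile(r"reject=554 5\.7\.1")
VIRUS_RE = re.compile(r"virus (?P<name>\S+) detected by ClamAV")


class ClamavCorrelator:
    """Emulates rules 100103 (single reject) and 100152 (same_source_ip burst)."""

    def __init__(self, frequency=6, timeframe=120, year=2007):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.year = year                  # syslog timestamps carry no year; assumed here
        self.relay_by_qid = {}            # queue id -> relay IP from the from= line
        self.counted_qids = set()         # queue ids already counted as a virus reject
        self.window = defaultdict(deque)  # relay IP -> timestamps of counted rejects

    def _parse_ts(self, ts):
        return datetime.strptime(f"{ts} {self.year}", "%b %d %H:%M:%S %Y")

    def feed(self, line):
        """Process one log line; return the list of alerts it raised (may be empty)."""
        m = LINE_RE.match(line)
        if not m:
            return []
        qid, msg = m["qid"], m["msg"]
        relay = RELAY_RE.search(msg)
        if relay:
            # Remember which relay delivered this queue id; the reject line later
            # names only the queue id, not the source address.
            self.relay_by_qid[qid] = relay["ip"]
            return []
        if not REJECT_RE.search(msg) or qid in self.counted_qids:
            # Not a 554 5.7.1 reject, or the second reject line ("Milter: data")
            # for a message already counted; counting both would double the rate.
            return []
        self.counted_qids.add(qid)
        virus = VIRUS_RE.search(msg)
        src_ip = self.relay_by_qid.get(qid)
        alerts = [{"rule": 100103, "level": 8, "qid": qid, "src_ip": src_ip,
                   "virus": virus["name"] if virus else None}]
        if src_ip is None:
            return alerts  # no relay line seen for this queue id: cannot group by source
        ts = self._parse_ts(m["ts"])
        hits = self.window[src_ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.timeframe:
            hits.popleft()  # drop rejects older than the timeframe
        if len(hits) >= self.frequency:
            alerts.append({"rule": 100152, "level": 8, "src_ip": src_ip, "count": len(hits)})
            hits.clear()  # start a fresh window so one burst raises one alert
        return alerts


def run_log(lines, **kw):
    """Feed every line to a fresh correlator and return all alerts in order."""
    c = ClamavCorrelator(**kw)
    return [a for line in lines for a in c.feed(line)]


def constructed_log():
    """Constructed maillog: six infected messages from one relay within 120 s,
    then one from a different relay. Each message logs a from= line followed by
    the two ClamAV reject lines seen in the quoted maillog."""
    senders = [("194.176.176.112", i) for i in range(6)] + [("203.0.113.9", 6)]
    lines = []
    for n, (ip, i) in enumerate(senders):
        qid = f"l5Q9bJgv0225{n:02d}"
        sec = 19 + i * 15
        ts = f"Jun 26 02:{37 + sec // 60:02d}:{sec % 60:02d}"
        pre = f"{ts} mail sendmail[22575]: {qid}:"
        reject = "reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net"
        lines.append(f"{pre} from=<sender@example.invalid>, size=41335, class=0, nrcpts=1, "
                     f"msgid=<{qid}@example.invalid>, proto=ESMTP, daemon=MTA, relay=[{ip}]")
        lines.append(f"{pre} milter=clamav, {reject}")
        lines.append(f"{pre} Milter: data, {reject}")
    return lines


if __name__ == "__main__":
    for alert in run_log(constructed_log()):
        print(alert)
```

Running it prints seven rule-100103 alerts (one per infected message, each carrying the queue ID, virus name and relay IP) and a single rule-100152 alert for `194.176.176.112` once its sixth reject lands inside the two-minute window; a reject whose queue ID was never seen on a `relay=` line still produces a 100103 alert, but with no source IP and no contribution to the burst count.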