
[ossec-list] OSSEC and ClamAV




I'm running Sendmail and clamav-milter on the system on which I'm testing
OSSEC and was wondering if anyone has done anything with the maillog
clamav output.  It would be nice to have a rule to capture and report
(active response too) when a virus is sent.

Following is a sample from my maillog:

Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: Milter (clamav): init success to negotiate
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: Milter: connect to filters
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=connect, continue
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=mail, continue
Jun 26 02:37:19 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=rcpt, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: from=<MAILER-DAEMON@xxxxxxxxxxxx>, size=41335, class=0, nrcpts=1, msgid=<200706260937.l5Q9bJgv022575@xxxxxxxxxxxx>, proto=ESMTP, daemon=MTA, relay=[194.176.176.112]
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=header, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=eoh, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, action=body, continue
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header: X-Virus-Scanned: ClamAV version 0.90.2, clamav-milter version 0.90.2 on mail.telesoft.com
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header: X-Virus-Status: Infected with Worm.Mydoom.M
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: Milter: data, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: to=<scott@xxxxxxxxxxxx>, delay=00:00:03, pri=71335, stat=virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net

Thanks.
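Added example, not part of the original post: a small Python correlator run over the maillog excerpt above, showing the detail a rule with active response has to deal with. The clamav-milter reject line carries the virus name but not the peer address; that sits on the earlier from= line of the same sendmail queue id, so the alert must be keyed on the queue id (sample lines are copied from the post, the alert field names are my own).

```python
import re

# Constructed sample: five entries taken from the maillog excerpt in the post.
SAMPLE_LOG = """\
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: from=<MAILER-DAEMON@xxxxxxxxxxxx>, size=41335, class=0, nrcpts=1, msgid=<200706260937.l5Q9bJgv022575@xxxxxxxxxxxx>, proto=ESMTP, daemon=MTA, relay=[194.176.176.112]
Jun 26 02:37:21 mail sendmail[22575]: l5Q9bJgv022575: Milter add: header: X-Virus-Status: Infected with Worm.Mydoom.M
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: milter=clamav, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: Milter: data, reject=554 5.7.1 virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
Jun 26 02:37:22 mail sendmail[22575]: l5Q9bJgv022575: to=<scott@xxxxxxxxxxxx>, delay=00:00:03, pri=71335, stat=virus Worm.Mydoom.M detected by ClamAV - http://www.clamav.net
"""

# syslog prefix + sendmail queue id; everything after the id is the message body
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
# envelope line: sender plus relay, written as "relay=host [ip]" or just "relay=[ip]"
RELAY_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")
# the milter's own reject line; the later "Milter: data, reject=" echo is ignored
REJECT_RE = re.compile(r"milter=clamav, reject=(?P<code>\d{3} \d\.\d\.\d) virus (?P<virus>\S+) detected by ClamAV")


def correlate(lines):
    """Return one alert dict per queue id that clamav-milter rejected.

    State is keyed on the sendmail queue id so the relay IP seen on the
    from= line can be attached to the reject line that arrives later.
    """
    envelopes = {}  # queue id -> {"sender": ..., "relay": ...}
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        qid, msg = m["qid"], m["msg"]
        r = RELAY_RE.search(msg)
        if r:
            envelopes[qid] = {"sender": r["sender"], "relay": r["ip"]}
            continue
        j = REJECT_RE.search(msg)
        if j:
            env = envelopes.get(qid, {})
            alerts.append({"ts": m["ts"], "qid": qid, "virus": j["virus"],
                           "smtp_code": j["code"], "sender": env.get("sender"),
                           "relay": env.get("relay")})  # relay is None if from= was missed
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a)
```

The relay field is what a host-level active response would act on; when it is None the from= line was not seen, and a rule should alert without blocking rather than guess.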




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.