[sanesecurity] Re: brassbandportal.co.uk honey-pot

  • From: "Anthony Cartmell" <ajcartmell@xxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Fri, 24 Apr 2009 17:13:51 +0100

Is "stream" something meaningful to the regexp, or a string to match? I
don't have "stream" appearing in my log messages, I'm running Perl
5.10.0, and my email scanning is done using MailScanner.

No, the name "stream" is the pseudo-name of the file when clam gets its input via STDIN:

cat virus-Y9SiSJNCDw0t | clamdscan --no-summary -
stream: Email.Trojan-92 FOUND

Ah. When using MailScanner the log lines look like this:

Fri Apr 24 16:59:06 2009 -> /var/spool/MailScanner/incoming/2679/n3OFwGAh016326.header: Sanesecurity.Hdr.9429.UNOFFICIAL FOUND

If we can assume that the signature name _never_ contains a colon (ISTR that's the case?) then Francis' idea would be more generally applicable. I'd actually remove the start-of-line anchor, and use something like:

 } elsif (($virus) = ($log =~ /: (.+) FOUND/ )) {

or, perhaps slightly more robust in the case of directory names including FOUND on Windows boxes with a drive letter and colon:

 } elsif (($virus) = ($log =~ /: ([^:]+) FOUND$/ )) {
 } elsif (($virus) = ($log =~ /: (.+) FOUND$/ )) {

Makes sure that the FOUND is at the end of the line. First one might be more robust, I'm not sure if .+ is reliably non-greedy (although Francis' test says it isn't for him)...

Would that work?

Cheers!

Anthony
--
www.fonant.com - Quality web sites
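Added example, not part of the thread above: a small Perl script that runs the three candidate regexes over constructed log lines (the clamdscan "stream:" form, the MailScanner form, a Windows path with a directory called FOUND, and a path that itself contains ": " and " FOUND") so the greedy `.+` behaviour can be compared with `[^:]+` directly. Paths and signature names are made up for the test.

```perl
#!/usr/bin/perl
# Added example: compare the three candidate regexes from the thread on
# constructed scanner log lines. Not part of any real MailScanner/clamd code.
use strict;
use warnings;

# Constructed sample lines; the file paths and signature names are invented.
my @lines = (
    'stream: Email.Trojan-92 FOUND',
    'Fri Apr 24 16:59:06 2009 -> /var/spool/MailScanner/incoming/2679/n3OFwGAh016326.header: Sanesecurity.Hdr.9429.UNOFFICIAL FOUND',
    # Windows path: drive-letter colon and a directory named FOUND
    'C:\MailScanner\incoming\FOUND\msg.header: Sanesecurity.Hdr.9429.UNOFFICIAL FOUND',
    # Awkward path containing ": " and " FOUND" before the real result
    '/var/spool/odd: dir FOUND/msg.header: Sanesecurity.Hdr.9429.UNOFFICIAL FOUND',
    # A clean file: none of the patterns should match
    '/var/spool/MailScanner/incoming/2679/clean.header: OK',
);

# The three candidates discussed in the thread.
my %regex = (
    'greedy, unanchored   /: (.+) FOUND/'    => qr/: (.+) FOUND/,
    'greedy, anchored     /: (.+) FOUND$/'   => qr/: (.+) FOUND$/,
    'no-colon, anchored   /: ([^:]+) FOUND$/' => qr/: ([^:]+) FOUND$/,
);

# Return the captured signature name, or undef if the line does not match.
sub extract_virus {
    my ($log, $re) = @_;
    my ($virus) = ($log =~ $re);
    return $virus;
}

for my $log (@lines) {
    print "$log\n";
    for my $name (sort keys %regex) {
        my $virus = extract_virus($log, $regex{$name});
        printf "  %-42s => %s\n", $name, defined $virus ? "'$virus'" : '(no match)';
    }
    print "\n";
}
```

On the fourth line both `.+` variants capture everything from the first ": " up to the final " FOUND" (so the "virus name" includes part of the path), while `[^:]+` is forced to retry from the last colon and returns just the signature name; the "OK" line matches none of them, so the elsif branch is skipped as intended.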