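# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Trend Micro IMSS eManager 3.52 logs.
#
# The log mixes two shapes of record:
#   * single-line "message" records (four variants, A-D below) that carry
#     sender/recipient/subject plus policy, filter and action information; and
#   * multi-line SMTP-session records (E below) keyed first by a "[pid:n:]"
#     connection key and then by the message GUID, finished by a
#     "Final action is ..." line.
# Everything is parsed by the parsing filters (parse_only_with_filters=true).
trend_micro_interscan_messaging_security_suite_emanager = {

  plugin_version = "1.0.1"

  # ????-??-?? - ??? - 1.0   - Initial implementation.
  # 2010-01-22 - KBB - 1.0.1 - Moved initialization of v.keymap node to fix node not found bug.
  # (unreleased)        - Filter outcome regexes no longer swallow the trailing
  #                       ", took <N>ms" timing into the *_filter_outcome fields.

  info.1.manufacturer = "Trend Micro"
  info.1.device = "Trend Micro InterScan Messaging Security Suite (IMSS) eManager"
  info.1.version.1 = "3.52"

  # The name of the log format
  log.format.format_label = "Trend Micro InterScan Messaging Security Suite (IMSS) eManager Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first 500 lines match this regular
  # expression: "YYYY/MM/DD HH:MM:SS <tz>" followed directly by an uppercase-hex
  # 8-4-4-4-12 message GUID.  Single-line records and the GUID-keyed lines of the
  # multi-line format (e.g. "Policy matching took", "Final action is") match this;
  # the "[pid:n:]"-keyed lines do not, which is fine for detection purposes.
  log.format.autodetect_regular_expression = "^[0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+ [0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]-[0-9A-F][0-9A-F][0-9A-F][0-9A-F]-[0-9A-F][0-9A-F][0-9A-F][0-9A-F]-[0-9A-F][0-9A-F][0-9A-F][0-9A-F]-[0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F] [^ ]*"
  log.format.autodetect_lines = "500"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Entries are called messages
  statistics.miscellaneous.entry_name = "messages"

  # Log fields.  sender and recipient are hierarchical on "@", read right to left,
  # so reports can roll addresses up by domain.
  log.fields = {
    date = ""
    time = ""
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    # Only populated by format D ("violates policy" lines).
    entity = ""
    reason = ""
    subject = ""
    policy_name = ""
    filter_name = ""
    # Numeric codes as logged by IMSS; their meaning is not defined in this file.
    action_on_content = ""
    action_on_message = ""
    quarantine_area_name = ""
    filter_type = ""
    filter_content = ""
    # Only populated by the multi-line format E.
    spam_filter_outcome = ""
    antivirus_filter_outcome = ""
    content_filter_outcome = ""
    virus_name = ""
    action = ""
    size = ""
  } # log.fields

  #
  # Log Parsing Filters
  log.parsing_filters = {
    parse = `
      # Exactly one branch below handles each line.  Single-line formats A-D are
      # accepted immediately under the default ('') collected-entry key; the
      # multi-line format E collects fields under the message GUID and accepts the
      # entry when the "Final action is" line arrives.
      #
      # NOTE(review): the single-line patterns use one space as the field delimiter,
      # while the sample lines quoted below are tab-delimited ("#" stands for tab).
      # This only works if tabs are normalised to spaces before the filters run --
      # confirm against live logs.  Either way, a subject, sender or recipient that
      # itself contains a space (these values come from the remote sender) will make
      # the line fail to match or shift the remaining fields; such messages then
      # silently disappear from the statistics.

      # v.keymap maps the per-connection key "pid:n:" of format E to the message GUID.
      # Assigning '' ensures the node exists before the first subnode_by_name lookup
      # (the "node not found" fix in 1.0.1).  This runs on every line, so it presumably
      # only sets the node's value and keeps existing subnodes; otherwise the mapping
      # could not survive from the key line to the MAIL FROM / RCPT TO lines -- verify.
      # Entries are never removed, so the map grows with the number of sessions seen.
      v.keymap = '';

      # Format A: sender recipient subject policy_name filter_name action_on_content
      #           action_on_message quarantine_area_name filter_type filter_content
      # (not end-anchored, so trailing fields are tolerated).
      if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ [A-F0-9-]+ ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([^ ]*) ([^ ]+) ([^ ]+)')) then (
        set_collected_field('', 'date', $1);
        set_collected_field('', 'time', $2);
        set_collected_field('', 'sender', $3);
        set_collected_field('', 'recipient', $4);
        set_collected_field('', 'subject', $5);
        set_collected_field('', 'policy_name', $6);
        set_collected_field('', 'filter_name', $7);
        set_collected_field('', 'action_on_content', $8);
        set_collected_field('', 'action_on_message', $9);
        set_collected_field('', 'quarantine_area_name', $10);
        set_collected_field('', 'filter_type', $11);
        set_collected_field('', 'filter_content', $12);
        accept_collected_entry('', false);
      )

      # Format B: sender recipient subject virus_name action_on_content
      #           action_on_message quarantine_area_name <number> policy_name filter_name
      # Example (# stands in for tab):
      #   2005/02/26 01:51:11 GMT+08:00#DE5DE96F-FBF3-4C8C-AB52-08ADF273B986#weiwang@jlonline.com#"""Weng"" "#Is delivered mail#WORM_BAGLE.AZ#2#3##3#Incoming Policy#Virus
      # Group 10 (the number between quarantine area and policy) is matched but not stored.
      else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ [A-F0-9-]+ ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([^ ]*) ([0-9]*) ([^ ]*) ([^ ]*)$')) then (
        set_collected_field('', 'date', $1);
        set_collected_field('', 'time', $2);
        set_collected_field('', 'sender', $3);
        set_collected_field('', 'recipient', $4);
        set_collected_field('', 'subject', $5);
        set_collected_field('', 'virus_name', $6);
        set_collected_field('', 'action_on_content', $7);
        set_collected_field('', 'action_on_message', $8);
        set_collected_field('', 'quarantine_area_name', $9);
        set_collected_field('', 'policy_name', $11);
        set_collected_field('', 'filter_name', $12);
        accept_collected_entry('', false);
      )

      # Format C: like B but with three more numeric fields at the end.
      # Example (# stands in for tab):
      #   2004/12/26 00:00:45 GMT+01:00#4631B2AA-A44C-480B-ACE6-D6A4AFD0B572#angmj23@email.uophx.edu#fipi@swatchgroup.com#Check this out kid!!!#PE_ZAFI.B#2#3##3#Incoming Policy#Virus Filter#121#3#22
      else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ [A-F0-9-]+ ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([^ ]*) [0-9]* ([^ ]+) ([^ ]+) [0-9]* [0-9]* [0-9]*$')) then (
        set_collected_field('', 'date', $1);
        set_collected_field('', 'time', $2);
        set_collected_field('', 'sender', $3);
        set_collected_field('', 'recipient', $4);
        set_collected_field('', 'subject', $5);
        set_collected_field('', 'virus_name', $6);
        set_collected_field('', 'action_on_content', $7);
        set_collected_field('', 'action_on_message', $8);
        set_collected_field('', 'quarantine_area_name', $9);
        set_collected_field('', 'policy_name', $10);
        set_collected_field('', 'filter_name', $11);
        accept_collected_entry('', false);
      )

      # Format D: bracketed key/value style "violates policy" lines.
      # Example (tabs are #):
      #   2005/05/11 00:01:07 GMT+02:00#[16297:1] 43B2BCFF-6E8E-5DFA-E07E-080D35E1AA73 subject [Tadalafil Soft Tabs - Great results!], sender [jfoley_7@toty.joensuu.fi], recipient[metropolis@luxair.lu], entity [MAILBODY:CONTENT] violates policy [Incoming Policy], reason [Custom Spam Filter],...
      # Values are taken up to the next "]", so a subject containing "]" will not match.
      else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ \\\\[[0-9]+:[0-9]+\\\\] [A-F0-9-]+ subject \\\\[([^]]+)\\\\], sender \\\\[([^]]+)\\\\], recipient *\\\\[([^]]+)\\\\], entity \\\\[([^]]+)\\\\] violates policy \\\\[([^]]+)\\\\], reason \\\\[([^]]+)\\\\],')) then (
        set_collected_field('', 'date', $1);
        set_collected_field('', 'time', $2);
        set_collected_field('', 'subject', $3);
        set_collected_field('', 'sender', $4);
        set_collected_field('', 'recipient', $5);
        set_collected_field('', 'entity', $6);
        set_collected_field('', 'policy_name', $7);
        set_collected_field('', 'reason', $8);
        accept_collected_entry('', false);
      )

      #### START MULTILINE SECTION (format E)
      #
      # One SMTP session spans several lines: an initial key line that ties the
      # "[pid:n:]" connection key to the message GUID, MAIL FROM and RCPT TO lines
      # (keyed by connection key), filter-outcome lines and the final action line
      # (keyed by GUID).  Sample session:
      #
      # 2005/08/01 00:13:28 GMT-03:00 [12994:1:] 441D0D57-42E8-716D-6DF9-6E11E795FE0D
      # 2005/08/01 00:13:28 GMT-03:00 [12994:1:] clt_cmd : MAIL FROM: SIZE=8348\r\n
      # 2005/08/01 00:13:28 GMT-03:00 [12994:1:] clt_cmd: RCPT TO:\r\n
      # 2005/08/01 00:13:28 GMT-03:00 [12994:1:] >>> Scan content: type: SMTP, file: /tmp/smtp-12994-441D0D57-42E8-716D-6DF9-6E11E795FE0D.DF, Size: 8348
      # 2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Policy matching took <0>ms
      # 2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Matched rule : Filtros de Saida
      # 2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Get entity filename = no filename
      # 2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus, took <0>ms
      # 2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Filter(0x30001, Spam Filter) runs successfully, outcome: Passed, took <0>ms
      # 2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Filter(0x20001, CONTENT FILTER) runs successfully, outcome: Passed, took <10>ms
      # 2005/08/01 00:13:28 GMT-03:00 [12994:1:] Info: ** action: "send original email", function: sendOrgEmail
      # 2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Final action is Deliver.
      #
      # (The sample MAIL FROM / RCPT TO lines above have lost their <address> parts.)

      # Key line: "[key1] GUID".  Remember key1 -> GUID in v.keymap and start the
      # collected entry for this GUID with its date and time.
      else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ \\\\[([0-9:]+)\\\\] ([0-9A-F-]+)$')) then (
        set_subnode_value('v.keymap', $3, $4);
        set_collected_field($4, 'date', $1);
        set_collected_field($4, 'time', $2);
      )

      # MAIL FROM lines (keyed by key1).  The address is taken from inside <...>;
      # an optional SIZE= parameter after it becomes the size field.  The literal
      # "\r\n" text that IMSS logs at the end of the command is stripped first.
      # NOTE(review): if the key line was not seen (e.g. log rotated mid-session)
      # the v.keymap lookup has no subnode for key1 -- confirm how Sawmill behaves.
      else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ \\\\[([0-9:]+)\\\\] [^:]+: [Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]:(.*)$')) then (
        v.key1 = $1;
        v.key2 = node_value(subnode_by_name('v.keymap', v.key1));
        v.mailfrom = $2;
        v.mailfrom = replace_all(v.mailfrom, '\\\\r\\\\n', '');
        if (matches_regular_expression(v.mailfrom, '^<([^>]*)>(.*)$')) then (
          set_collected_field(v.key2, 'sender', $1);
          v.mailfrom = $2;
          if (matches_regular_expression(v.mailfrom, '[Ss][Ii][Zz][Ee]=([0-9]+)')) then (
            set_collected_field(v.key2, 'size', $1);
          )
        )
      )

      # RCPT TO lines (keyed by key1).  The address inside <...> is used when
      # present, otherwise the rest of the command.  A session with several
      # recipients keeps only the last one (each line overwrites the field).
      else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ \\\\[([0-9:]+)\\\\] [^:]+: [Rr][Cc][Pp][Tt] [Tt][Oo]:(.*)$')) then (
        v.key1 = $1;
        v.key2 = node_value(subnode_by_name('v.keymap', v.key1));
        v.rcptto = $2;
        v.rcptto = replace_all(v.rcptto, '\\\\r\\\\n', '');
        if (matches_regular_expression(v.rcptto, '<([^>]*)>')) then
          v.rcptto = $1;
        set_collected_field(v.key2, 'recipient', v.rcptto);
      )

      # Filter-outcome lines (keyed by GUID), e.g.
      #   ... Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus, took <0>ms
      # The outcome is captured only up to the first comma.  The previous "(.*)$"
      # capture also swallowed the trailing ", took <N>ms" timing, so the outcome
      # fields held a near-unique value per message instead of "No_Virus"/"Passed".
      # The GUID class is [0-9A-F-] to agree with the key line above.

      # Antivirus filter
      else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ ([0-9A-F-]+) Filter.*Antivirus.* runs successfully, outcome: ([^,]+)')) then (
        set_collected_field($1, 'antivirus_filter_outcome', $2);
      )

      # Spam filter
      else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ ([0-9A-F-]+) Filter.*Spam.* runs successfully, outcome: ([^,]+)')) then (
        set_collected_field($1, 'spam_filter_outcome', $2);
      )

      # CONTENT filter
      else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ ([0-9A-F-]+) Filter.*CONTENT.* runs successfully, outcome: ([^,]+)')) then (
        set_collected_field($1, 'content_filter_outcome', $2);
      )

      # "Final action is ..." lines carry the GUID, give the action (captured as
      # logged, including any trailing period) and complete the session.
      else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ ([0-9A-F-]+) Final action is (.*)$')) then (
        set_collected_field($1, 'action', $2);
        accept_collected_entry($1, false);
      )

      #### END MULTILINE SECTION
    `
  } # log.parsing_filters

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    sender = ""
    recipient = ""
    subject = ""
    entity = ""
    reason = ""
    policy_name = ""
    filter_name = ""
    virus_name = ""
    action_on_content = ""
    action_on_message = ""
    quarantine_area_name = ""
    filter_type = ""
    filter_content = ""
    spam_filter_outcome = ""
    antivirus_filter_outcome = ""
    content_filter_outcome = ""
    action = ""
  } # database.fields

  database.numerical_fields = {
    # One per accepted entry (set by the mark_entry log filter below).
    messages = {
      label = "$lang_stats.field_labels.messages"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages
    # Message size from the MAIL FROM SIZE= parameter; only the multi-line format sets it.
    size = {
      label = "$lang_stats.field_labels.size"
      default = false
      log_field = "size"
      requires_log_field = true
      type = "float"
      display_format_type = "size"
    }
  } # database.numerical_fields

  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'messages = 1;'
    } # mark_entry
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      sender = true
      recipient = true
      subject = true
      policy_name = true
      filter_name = true
      virus_name = true
      entity = true
      reason = true
      action_on_content = true
      action_on_message = true
      quarantine_area_name = true
      filter_type = true
      filter_content = true
      spam_filter_outcome = true
      antivirus_filter_outcome = true
      content_filter_outcome = true
      action = true
    } # report_groups
  } # create_profile_wizard_options

} # trend_micro_interscan_messaging_security_suite_emanager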