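# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plugin for Trend Micro InterScan Viruswall logs.
# Three record families are parsed below: "ISCAN-<service>[pid]:" lines (http events
# and mail from/to notices), "smtp[pid]: smtp[n]:" lines (message-id and delivery
# records correlated by the inner pid), and "http[pid]: connection from ..." lines.

inter_scan_viruswall = {

  plugin_version = "1.1.1"

  # 2006-07-18 - GMF - Added support for http messages; cleaned up.
  # 2010-12-29 - 1.0.1 - MSG - Edited info lines.

  info.1.manfacturer = "Trend Micro"
  info.1.device = "InterScan Viruswall"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "InterScan Viruswall Log Format"
  log.miscellaneous.log_data_type = "generic"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # NOTE(review): only "ISCAN-" and "http" records are in the alternation; the smtp[...]
  # records handled by the parsing filter below are not, so a file whose first ten lines
  # are all smtp records will not autodetect and must be assigned this format explicitly.
  log.format.autodetect_regular_expression = "^[0-9]+/[0-9]+/[0-9]+ [0-9]+:[0-9]+:[0-9]+ (I[sS][cC][aA][nN]-|http)"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    date = ""
    time = ""
    service = ""
    source_ip.type = "host"
    operation = ""
    # The full URL is kept and split into hierarchy levels on "/" and "?", so the query
    # string is retained as its own level. Reports built on this field will therefore
    # show any query parameters present in the proxied requests.
    url = {
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # url
    protocol = ""
    # Mail addresses are split right-to-left on "@" so the domain is the top level.
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = "false"
    } # recipient
    nrcpts = ""
    http_events = ""
    messages_delivered = ""
    size = ""
  } # log.fields

  log.parsing_filters.parse = `
# Every record starts with "MM/DD/YYYY HH:MM:SS "; the remainder is dispatched on its prefix.
if (matches_regular_expression(current_log_line(), '^([0-9]+/[0-9]+/[0-9]+) ([0-9]+:[0-9]+:[0-9]+) (.*)$')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.message = $3;

  # Handle ISCAN lines
  if (matches_regular_expression(v.message, '^I[Ss][Cc][Aa][Nn]-([a-z0-9]+)\\\\[[0-9]+\\\\]: (.*)$')) then (
    # This pattern captures two groups: $1 is the service name following "ISCAN-" and
    # $2 is the rest of the record. The previous version read $3 here, which this
    # pattern does not capture, so 'service' was never populated for ISCAN records.
    set_collected_field('', 'service', $1);
    v.message = $2;

    # http event with a trailing protocol/version token
    if (matches_regular_expression(v.message, '^([0-9.]+)->([A-Z]*) (http://[^ ]+) ([A-Z]+/[0-9.]+)$')) then (
      set_collected_field('', 'source_ip', $1);
      set_collected_field('', 'operation', $2);
      set_collected_field('', 'url', $3);
      set_collected_field('', 'protocol', $4);
      set_collected_field('', 'http_events', 1);
      accept_collected_entry('', false);
    );
    # http event without a protocol/version token
    else if (matches_regular_expression(v.message, '^([0-9.]+) ([A-Z]*) (http://.*)$')) then (
      set_collected_field('', 'source_ip', $1);
      set_collected_field('', 'operation', $2);
      set_collected_field('', 'url', $3);
      set_collected_field('', 'http_events', 1);
      accept_collected_entry('', false);
    );
    # Mail notices: sender and recipient arrive on separate lines and are accepted
    # as separate entries, each counting one towards messages_delivered.
    else if (matches_regular_expression(v.message, '^Message from: <([^>]*)>')) then (
      set_collected_field('', 'sender', $1);
      set_collected_field('', 'messages_delivered', 1);
      accept_collected_entry('', false);
    );
    else if (matches_regular_expression(v.message, '^Message to: <([^>]*)>')) then (
      set_collected_field('', 'recipient', $1);
      set_collected_field('', 'messages_delivered', 1);
      accept_collected_entry('', false);
    );
  );

  # Handle smtp lines
  # e.g., 07/16/2006 00:01:03 smtp[4104]: smtp[32]: msgid from 61.32.17.234 : size=15499, sender=bounce-value-89434930@echo.sporklust.com, nrcpts=1
  # The inner "smtp[N]" number is used as the collected-entry key so that the msgid
  # record and the later "mail delivered" record for the same message are merged
  # before the entry is accepted.
  else if (matches_regular_expression(v.message, '^(smtp)\\\\[([0-9]+)\\\\]: smtp\\\\[[0-9]+\\\\]: (.*)$')) then (
    v.key = $2;
    set_collected_field(v.key, 'date', get_collected_field('', 'date'));
    set_collected_field(v.key, 'time', get_collected_field('', 'time'));
    # The entry for this branch is accepted under v.key (see below), so 'service' has to
    # be stored on v.key as well; the previous version stored it on the '' key, where it
    # was never accepted for smtp records.
    set_collected_field(v.key, 'service', $1);
    v.message = $3;

    if (matches_regular_expression(v.message, '^msgid <([^>]+)> from ([^ ]+) : size=([0-9]+), sender=([^,]+), nrcpts=([0-9]+)')) then (
      # NOTE(review): 'msgid' is not declared in log.fields above; confirm whether it
      # is meant to be declared there or is intentionally collected and dropped.
      set_collected_field(v.key, 'msgid', $1);
      set_collected_field(v.key, 'source_ip', $2);
      set_collected_field(v.key, 'size', $3);
      set_collected_field(v.key, 'sender', $4);
      set_collected_field(v.key, 'nrcpts', $5);
    );

    if (matches_regular_expression(v.message, '^mail delivered from ([^ ]+) to ([^ ]+)')) then (
      v.recipient = $2;
      set_collected_field(v.key, 'sender', $1);
      # Strip the surrounding angle brackets from the recipient when present.
      if (matches_regular_expression(v.recipient, '^<(.*)>$')) then
        v.recipient = $1;
      set_collected_field(v.key, 'recipient', v.recipient);
      set_collected_field(v.key, 'messages_delivered', 1);
      accept_collected_entry(v.key, false);
    );
  ); # if smtp

  # Handle http lines
  # e.g., 07/16/2006 00:01:03 http[4081]: connection from 23.33.12.123, "POST http://desktop.somewhere.com.au/dir/abc/filename.txt HTTP/1.0"
  else if (matches_regular_expression(v.message, '^(http)\\\\[[0-9]+\\\\]: connection from ([^,]+), "([A-Z]+) ([^ ]+) ([^"]+)"$')) then (
    set_collected_field('', 'service', $1);
    set_collected_field('', 'source_ip', $2);
    set_collected_field('', 'operation', $3);
    set_collected_field('', 'url', $4);
    set_collected_field('', 'protocol', $5);
    set_collected_field('', 'http_events', 1);
    accept_collected_entry('', false);
  );
);
`

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    source_ip = ""
    domain_description = ""
    location = ""
    url = ""
    file_type = ""
    worm = ""
    protocol = ""
    operation = ""
    service = ""
    sender = ""
    recipient = ""
  } # database.fields

  database.numerical_fields = {
    http_events = ""
    messages_delivered = ""
    unique_source_ips = {
      log_field = "source_ip"
      type = "unique"
    } # unique_source_ips
    nrcpts = ""
    size = {
      type = "float"
      display_format_type = "bandwidth"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      content_group = {
        url = true
        worm = true
        file_type = true
      }
      users_group = {
        source_ip = true
        domain_description = true
        location = true
        sender = true
        recipient = true
      }
      other_group = {
        protocol = true
        operation = true
        service = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # inter_scan_viruswall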