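# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Trend Micro InterScan Messaging Security Suite
# (Integrated). The parsing filter below autodetects the Windows and Linux
# variants of the log, correlates the per-connection key ("[pid:thread]") with
# the per-message key (hex GUID), accumulates sender/recipient/filter data
# across the several lines that make up one message, and on the message's final
# line emits one "delivered" entry per recipient plus one "processed" entry for
# the message itself. Stand-alone ipfilter lines are emitted immediately.
interscan_messaging_security_suite_integrated = {

  plugin_version = "1.4.2"

  info.1.manufacturer = "TrendMicro"
  info.1.device = "Interscan Messaging Security Suite (Integrated)"
  info.1.version.1 = "InterScan 7"

  # 2006-08-10 - GMF - 1.1beta - Added improved autodetection, and improved carrying over of recipients in multi-key Linux logs.
  # 2006-08-10 - GMF - 1.2beta - Added support for a new format in virus.log
  # 2006-11-16 - GMF - 1.3beta - Added support MAIL FROM and RCPT TO message with clt_cmd
  # 2006-11-28 - GMF - 1.4beta - Added support for lines with two keys, and with something else after them
  # 2007-09-11 - KBB - 1.4 - Renumbered per new beta policy.
  # 2010-10-01 - 1.4.1 - MSG - Edited info lines.
  # 2013-06-28 - 1.4.2 - MSG - Added "Integrated" to info lines.

  # The name of the log format
  log.format.format_label = "Interscan Messaging Security Suite Integrated Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first autodetect_lines lines match
  # one of these regular expressions (GUID-keyed line, [pid:thread]-keyed line,
  # or an ipfilter line).
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "^[0-9]+/[0-9]+/[0-9]+ [0-9]+:[0-9]+:[0-9]+ GMT[-+][0-9]+:[0-9]+ ([A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]| )(A| )") or
    # e.g. 2006/07/17 00:01:26 GMT+09:00 [709:1] 35814ACB-E0D4-3FE8-95C1-4E70BE580318 Policy matching took <0>ms
    matches_regular_expression(volatile.log_data_line, "^[0-9]+/[0-9]+/[0-9]+ [0-9]+:[0-9]+:[0-9]+ GMT[-+][0-9]+:[0-9]+ \\\\[[0-9]+:[0-9]+\\\\] [A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9]-[A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9][A-F0-9]") or
    matches_regular_expression(volatile.log_data_line, "^[0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] ([^ ]+) [0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+ [0-9]+ [0-9]+ [0-9]+ [0-9]+ ")
  `
  log.format.autodetect_lines = 5000

  # Collected entries will be automatically accepted into the database after 1000 lines without activity.
  # The parsing filter relies on this: the per-message "processed" entry is accepted with
  # the no-delete flag and is finalized by this expiry rather than explicitly.
  log.format.collected_entry_lifespan = 1000
  log.format.discard_expired_entries = false

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Log fields
  log.fields = {
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # recipient
    date = ""
    time = ""
    subject = ""
    rule = ""
    connecting_server_name = ""
    connecting_server_ip = ""
    virus_name = ""
    virus_host_file = ""
    attachment = ""
    attachment_extension = ""
    filter_name = ""
    action_on_content = ""
    action_on_message = ""
    quarantine_area_name = ""
    filter_type = ""
    ipfilter_type = ""
    filter_content = ""
    content_filter_outcome = ""
    attachment_outcome = ""
    s_spam_filter = ""
    h_spam_filter = ""
    virus_filter = ""
    filtered_messages = ""
    filtered_packets = ""
    direction = ""
    policy_name = ""
    reason = ""
    entity = ""

    # IP Filter fields
    ip_address.type = "host"
    filter_action = ""
    filter_code = ""
    filter_rcode = ""
    base_code = ""

    event_type = ""
    size = ""
    messages_processed = ""
    messages_delivered = ""
    bytes_processed = ""
    bytes_delivered = ""
    virus_detected = ""
    virus_processed = ""
    virus_delivered = ""
    content_detected = ""
    content_processed = ""
    content_delivered = ""
    spam_detected = ""
    spam_processed = ""
    spam_delivered = ""
    attachment_detected = ""
    attachment_processed = ""
    attachment_delivered = ""
    policy_violations = ""
#    inbound_messages = ""
#    outbound_messages = ""
  } # log.fields

  # Declare filter variables
  log.filter_initialization = `
    # key1 ("[pid:thread]") <-> key2 (GUID) mapping. Filled in by the two-key lines
    # and, in both directions, by the Linux "Scan content" lines.
    v.keymap = '';

    # key1 -> connecting client IP, filled in by "Accept connection" lines and
    # read when the two-key line for that connection is seen.
    v.keys_to_ips = '';
    node keys_to_ips = 'v.keys_to_ips';

    # One subnode per message key, whose subnode names are the recipients
    # ('.' encoded as '__DOT__'). A message can have several RCPT TO lines, so
    # recipients cannot live in a single collected field.
    v.recipients_lists = '';
    node recipients_lists = 'v.recipients_lists';
    node recipients_list;
    node old_recipients_list;
    node new_recipients_list;
    node this_recipient;

    # Set once a format-specific line is seen; selects which "end of message"
    # line completes a session (see the final-action branch of the parser).
    bool detectedLogFormat = false;
    bool logFormatIsWindows;
  `

  # Log Parsing Filters
  log.parsing_filters.parse = `

    # Detect whether this is Windows or Linux log format. The Linux variant logs
    # "clt_cmd : MAIL FROM"; the Windows variant logs "ACL check OK, connection
    # accepted from peer". Until one of these is seen, logFormatIsWindows keeps
    # its initial value (presumably false, so the Linux final-action branches
    # apply -- confirm against the Sawmill bool default).
    if (!detectedLogFormat) then (
      if (matches_regular_expression(current_log_line(), 'clt_cmd : [Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]')) then (
        detectedLogFormat = true;
        logFormatIsWindows = false;
      );
      else if (matches_regular_expression(current_log_line(), 'ACL check OK, connection accepted from peer')) then (
        detectedLogFormat = true;
        logFormatIsWindows = true;
      );
    );

    # If this line has two keys like this:
    # 2006/11/13 00:00:53 GMT+09:00 [9697:1] 49EFEF0A-FFF0-6631-6132-4E5F4CA6621D:clt_cmd : MAIL FROM: SIZE=11538
    # remember the key in the keymap. This is a stand-alone test (not part of the
    # chain below), so the same line then also reaches the MAIL FROM / RCPT TO
    # branches, which look the GUID up through v.keymap.
    if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ \\\\[([0-9:]+)\\\\] ([0-9A-F-]+):')) then (
      set_subnode_value('v.keymap', $3, $4);
      set_collected_field($4, 'date', $1);
      set_collected_field($4, 'time', $2);
#      set_collected_field($4, 'connecting_server_ip', node_value(subnode_by_name(keys_to_ips, $3)));
    );

    # Handle ipfilter lines. These are complete in themselves, so the entry is
    # collected under the empty key and accepted immediately.
    if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ ([0-9.]+) ([0-9]+) ([0-9]+) ([0-9]+) ([0-9]+) (.*)$')) then (
      v.date = $1;
      v.time = $2;
      v.ip_address = $3;
      set_collected_field('', 'date', v.date);
      set_collected_field('', 'time', v.time);
      set_collected_field('', 'ip_address', v.ip_address);
      # An earlier version kept only "blocked" lines (the commented-out test below).
      # All lines are kept now, because ignoring the others gives poor results when
      # analyzing only ipfilter logs.
      v.filter_action = $4;
#      if (v.filter_action == 1) then (
        if (v.filter_action == 0) then v.filter_action = "not blocked"
        else if (v.filter_action == 1) then v.filter_action = "blocked"
        else if (v.filter_action == 2) then v.filter_action = "delayed"
        else if (v.filter_action == 3) then v.filter_action = "whitelisted";
        set_collected_field('', 'filter_action', v.filter_action);
        v.ipfilter_type = $5;
        if (v.ipfilter_type == 0) then v.ipfilter_type = "Approved List"
        else if (v.ipfilter_type == 1) then v.ipfilter_type = "RBL Database"
        else if (v.ipfilter_type == 2) then v.ipfilter_type = "NAS Database"
        else if (v.ipfilter_type == 100) then v.ipfilter_type = "Blocked List";
        set_collected_field('', 'ipfilter_type', v.ipfilter_type);
        v.filter_code = $6;
        if (v.filter_code == 0) then v.filter_code = "check successful"
        else if (v.filter_code == 1) then v.filter_code = "IP address whitelisted"
        else if (v.filter_code == 2) then v.filter_code = "IP address blacklisted"
        else if (v.filter_code == 7) then v.filter_code = "check found errors";
        set_collected_field('', 'filter_code', v.filter_code);
        set_collected_field('', 'filter_rcode', $7);
        # The declared log field, database field and ip_filter report all use
        # 'base_code'; the previous name 'filter_base_code' matched none of them,
        # so the base code never reached the database.
        set_collected_field('', 'base_code', $8);
        set_collected_field('', 'filtered_packets', 1);
        set_collected_field('', 'event_type', 'ip filter');
        accept_collected_entry('', false);
#      ); # show only "blocked" lines
    ); # ipfilter

    # The first line has two keys; remember how to map from key1 to key2 in v.keymap,
    # and attach the client IP recorded for key1 by the "Accept connection" line.
    else if (matches_regular_expression(current_log_line(), '^([0-9/]+) ([0-9:]+) [^ ]+ \\\\[([0-9:]+)\\\\] ([0-9A-F-]+)$')) then (
      set_subnode_value('v.keymap', $3, $4);
      set_collected_field($4, 'date', $1);
      set_collected_field($4, 'time', $2);
      set_collected_field($4, 'connecting_server_ip', node_value(subnode_by_name(keys_to_ips, $3)));
    )

    # If this is an "Accept connection" line, extract the IP address from it, and save it in keys_to_ips,
    # so we can use it when we get to the double-key line (above).
    else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ \\\\[([0-9:]+)\\\\] Info: Accept connection from client ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+)\\\\.')) then (
      set_subnode_value(keys_to_ips, $1, $2);
    )

    # Handle MAIL FROM lines. Use the key to find the real key in the keymap, but if it isn't there, put this under the specified key;
    # we'll have to look for a "Scan content" line later to match up the keys.
    # An empty address (<>) is recorded as '[none]'; the SIZE= parameter becomes the 'size' field.
    else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ \\\\[([0-9:]+)\\\\] ([^:]+)(:|:clt_cmd :) [Mm][Aa][Ii][Ll] [Ff][Rr][Oo][Mm]:(.*)$')) then (
      v.key1 = $1;
#      v.otherkey2 = $2;
      v.key2 = node_value(subnode_by_name('v.keymap', v.key1));
      if (v.key2 eq '') then v.key2 = $1;
      v.mailfrom = $4;
      v.mailfrom = replace_all(v.mailfrom, '\\\\r\\\\n', '');
      if (matches_regular_expression(v.mailfrom, '^<([^>]*)>(.*)$')) then (
        v.sender = $1;
        if (v.sender eq '') then v.sender = '[none]';
        set_collected_field(v.key2, 'sender', v.sender);
#        set_collected_field(v.otherkey2, 'sender', v.sender);
        v.mailfrom = $2;
        if (matches_regular_expression(v.mailfrom, '[Ss][Ii][Zz][Ee]=([0-9]+)')) then (
          set_collected_field(v.key2, 'size', $1);
#          set_collected_field(v.otherkey2, 'size', $1);
        )
      )
    )

    # Handle RCPT TO lines. Use the key to find the real key in the keymap, but if it isn't there, put this under the specified key;
    # we'll have to look for a "Scan content" line later to match up the keys.
    # e.g. 2006/11/13 00:00:03 GMT+09:00 [9697:1] 41CA6CA9-2672-1614-1BAD-3C30F412DF44:clt_cmd : RCPT TO:
    # The recipient is stored as a subnode *name* under recipients_lists, so '.' is
    # encoded as '__DOT__' first (it would otherwise be read as a node-path divider);
    # the final-action branch decodes it again.
    else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ \\\\[([0-9:]+)\\\\] [^:]+(:|:clt_cmd :) [Rr][Cc][Pp][Tt] [Tt][Oo]:(.*)$')) then (
      v.key1 = $1;
      v.key2 = node_value(subnode_by_name('v.keymap', v.key1));
      if (v.key2 eq '') then v.key2 = $1;
      v.recipient = $3;
      v.recipient = replace_all(v.recipient, '\\\\r\\\\n', '');
      if (matches_regular_expression(v.recipient, '<([^>]*)>')) then v.recipient = $1;
      if (v.recipient eq '') then v.recipient = '[none]';
      recipients_list = subnode_by_name(recipients_lists, v.key2);
      v.recipient = replace_all(v.recipient, '.', '__DOT__');
      set_subnode_value(recipients_list, v.recipient, true);
#      set_collected_field(v.key2, 'recipient', v.rcptto);
    );

    # If this is a Scan content line on Linux, then we can use it to correlate the two key types (in the example below, key1=20331:1:
    # and key2=7E908F75-9CBB-6813-E93E-FF2884BE253F.DF). If we find this, and we haven't already correlated the keys using an earlier line,
    # copy the from, to, and size fields from key1 to key2. The map is written in both
    # directions, which is what the final-action branch relies on when it looks for
    # the recipients list under "the other key".
    # e.g., 2005/09/21 20:26:27 GMT-03:00 [20331:1:] >>> Scan content: type: SMTP, file: /tmp/smtp-20331-7E908F75-9CBB-6813-E93E-FF2884BE253F.DF, Size: 4365
    # e.g., 2006/07/17 00:01:26 GMT+09:00 [709:1] 35814ACB-E0D4-3FE8-95C2-4E70BD580318 >>> Scan content: type: SMTP, file: /tmp/smtp-709-35814ACB-E0D4-3FE8-95C2-4E70BD580318.DF, Size: 787
    # NOTE(review): 'to' is not a declared log field; recipients are carried in
    # recipients_lists, so the 'to' copy below looks like a no-op -- confirm.
    else if (matches_regular_expression(current_log_line(), '^[0-9/]+ [0-9:]+ [^ ]+ \\\\[([0-9:]+)\\\\] [^>]*>>> Scan content: type: [^,]+, file: /tmp/smtp-[0-9]+-([^.,]+)[.,]')) then (
      v.key1 = $1;
      v.key2 = node_value(subnode_by_name('v.keymap', v.key1));
      if (v.key2 eq '') then (
        v.key2 = $2;
        set_subnode_value('v.keymap', v.key1, v.key2);
        set_subnode_value('v.keymap', v.key2, v.key1);
        set_collected_field(v.key2, 'sender', get_collected_field(v.key1, 'sender'));
        set_collected_field(v.key2, 'to', get_collected_field(v.key1, 'to'));
        set_collected_field(v.key2, 'size', get_collected_field(v.key1, 'size'));
      );
    );

    # Extract the standard headers for yyyy/mm/dd hh:mm:ss GMT*{tab}{key}{tab} lines,
    # with or without a "[pid:thread]" token before the key. v.key holds the
    # uppercased message key and v.message the rest of the line, which the
    # branches below dispatch on.
    else if (matches_regular_expression(current_log_line(), '^([0-9]+/[0-9]+/[0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) GMT[0-9:+-]* ([A-Za-z0-9-]*) (.*)$') or
             matches_regular_expression(current_log_line(), '^([0-9]+/[0-9]+/[0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) GMT[0-9:+-]* \\\\[[0-9-]+:[0-9-]+\\\\] ([A-Za-z0-9-]*)[ ](.*)$')) then (
      v.key = uppercase($3);
      v.message = $4;
      set_collected_field(v.key, 'date', $1);
      set_collected_field(v.key, 'time', $2);

      # virus.log style lines: ten whitespace-separated fields (subject optionally quoted).
      # Each such line is a complete "filter messages" event and is accepted at once.
      if (matches_regular_expression(v.message, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]*) ([0-9]*) ([^ ]*) ([^ ]*) ([^ ]*)') or
          matches_regular_expression(v.message, '^([^ ]*) ([^ ]*) "([^"]*)" ([^ ]*) ([^ ]*) ([0-9]*) ([0-9]*) ([^ ]*) ([^ ]*) ([^ ]*)')) then (
        v.sender = $1;
        if (v.sender eq '') then v.sender = '[none]';
        set_collected_field(v.key, 'sender', v.sender);
        v.recipient = $2;
        if (v.recipient eq '') then v.recipient = '[none]';
        set_collected_field(v.key, 'recipient', v.recipient);
        set_collected_field(v.key, 'subject', $3);
        set_collected_field(v.key, 'virus_name', $4);
        set_collected_field(v.key, 'filter_name', $5);
        set_collected_field(v.key, 'action_on_content', $6);
        set_collected_field(v.key, 'action_on_message', $7);
        set_collected_field(v.key, 'quarantine_area_name', $8);
        set_collected_field(v.key, 'filter_type', $9);
        set_collected_field(v.key, 'filter_content', $10);
        set_collected_field(v.key, 'event_type', 'filter messages');
        set_collected_field(v.key, 'filtered_messages', 1);
        accept_collected_entry(v.key, false);
      )

      # Here's an example of data (# stands in for tab)
      # 2005/02/26 01:51:11 GMT+08:00#DE5DE96F-FBF3-4C8C-AB52-08ADF273B986#weiwang@jlonline.com#"""Weng"" "#Is delivered mail#WORM_BAGLE.AZ#2#3##3#Incoming Policy#Virus
      else if (matches_regular_expression(v.message, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]*) ([0-9]*) ([^ ]*) ([0-9]*) ([^ ]*) ([^ ]*)$')) then (
        v.sender = $1;
        if (v.sender eq '') then v.sender = '[none]';
        set_collected_field(v.key, 'sender', v.sender);
        v.recipient = $2;
        if (v.recipient eq '') then v.recipient = '[none]';
        set_collected_field(v.key, 'recipient', v.recipient);
        set_collected_field(v.key, 'subject', $3);
        set_collected_field(v.key, 'virus_name', $4);
        set_collected_field(v.key, 'action_on_content', $5);
        set_collected_field(v.key, 'action_on_message', $6);
        set_collected_field(v.key, 'quarantine_area_name', $7);
#        set_collected_field(v.key, 'policy_name', $8);
        set_collected_field(v.key, 'filter_name', $9);
        set_collected_field(v.key, 'event_type', 'filter messages');
        set_collected_field(v.key, 'filtered_messages', 1);
        accept_collected_entry(v.key, false);
      )

      # Here's an example of data (# stands in for tab)
      # 2006/08/01 06:24:51 GMT+09:00#28374D14-D1D9-1674-AD23-865AAFE1E229#someone-1234@rio.abc.ef.ca#morimer@center.somewhere.ed.fr#Re: message#WORM NETSKY.DAM#2#3##3
      else if (matches_regular_expression(v.message, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]*) ([0-9]*) ([^ ]*) ([0-9]*)$')) then (
        v.sender = $1;
        if (v.sender eq '') then v.sender = '[none]';
        set_collected_field(v.key, 'sender', v.sender);
        v.recipient = $2;
        if (v.recipient eq '') then v.recipient = '[none]';
        set_collected_field(v.key, 'recipient', v.recipient);
        set_collected_field(v.key, 'subject', $3);
        set_collected_field(v.key, 'virus_name', $4);
        set_collected_field(v.key, 'action_on_content', $5);
        set_collected_field(v.key, 'action_on_message', $6);
        set_collected_field(v.key, 'quarantine_area_name', $7);
        set_collected_field(v.key, 'event_type', 'filter messages');
        set_collected_field(v.key, 'filtered_messages', 1);
        accept_collected_entry(v.key, false);
      )

      # Here's an example of data (# stands in for tab)
      # 2004/12/26 00:00:45 GMT+01:00#4631B2AA-A44C-480B-ACE6-D6A4AFD0B572#angmj23@email.uophx.edu#fipi@swatchgroup.com#Check this out kid!!!#PE_ZAFI.B#2#3##3#Incoming Policy#Virus Filter#121#3#22
      else if (matches_regular_expression(v.message, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([0-9]*) ([0-9]*) ([^ ]*) [0-9]* ([^ ]*) ([^ ]*) [0-9]* [0-9]* [0-9]*$')) then (
        v.sender = $1;
        if (v.sender eq '') then v.sender = '[none]';
        set_collected_field(v.key, 'sender', v.sender);
        v.recipient = $2;
        if (v.recipient eq '') then v.recipient = '[none]';
        set_collected_field(v.key, 'recipient', v.recipient);
        set_collected_field(v.key, 'subject', $3);
        set_collected_field(v.key, 'virus_name', $4);
        set_collected_field(v.key, 'action_on_content', $5);
        set_collected_field(v.key, 'action_on_message', $6);
        set_collected_field(v.key, 'quarantine_area_name', $7);
#        set_collected_field(v.key, 'policy_name', $8);
        set_collected_field(v.key, 'filter_name', $9);
        set_collected_field(v.key, 'event_type', 'filter messages');
        set_collected_field(v.key, 'filtered_messages', 1);
        accept_collected_entry(v.key, false);
      )

      #### START MULTILINE SECTION
      #
      # Another type of entry spans several lines, and includes an initial key line,
      # MAIL FROM and RCPT TO lines, filter lines
      #
      #2005/08/01 00:13:28 GMT-03:00 [12994:1:] 441D0D57-42E8-716D-6DF9-6E11E795FE0D
      #2005/08/01 00:13:28 GMT-03:00 [12994:1:] clt_cmd : MAIL FROM: SIZE=8348\r\n
      #2005/08/01 00:13:28 GMT-03:00 [12994:1:] clt_cmd: RCPT TO:\r\n
      #2005/08/01 00:13:28 GMT-03:00 [12994:1:] >>> Scan content: type: SMTP, file: /tmp/smtp-12994-441D0D57-42E8-716D-6DF9-6E11E795FE0D.DF, Size: 8348
      #2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Policy matching took <0>ms
      #2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Matched rule : Filtros de Saida
      #2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Get entity filename = no filename
      #2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Filter(0x10001, Antivirus Filter) runs successfully, outcome: No_Virus, took <0>ms
      #2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Filter(0x30001, Spam Filter) runs successfully, outcome: Passed, took <0>ms
      #2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Filter(0x20001, CONTENT FILTER) runs successfully, outcome: Passed, took <10>ms
      #2005/08/01 00:13:28 GMT-03:00 [12994:1:] Info: ** action: "send original email", function: sendOrgEmail
      #2005/08/01 00:13:28 GMT-03:00 441D0D57-42E8-716D-6DF9-6E11E795FE0D Final action is Deliver.

      # "Received from <name> ([<ip>] ...) by" gives the connecting server.
      else if (matches_regular_expression(v.message, '^Received from ([^ ]+) \\\\(\\\\[([0-9.]+)\\\\][^)]*\\\\) by')) then (
        set_collected_field(v.key, 'connecting_server_name', $1);
        set_collected_field(v.key, 'connecting_server_ip', $2);
      );

      else if (matches_regular_expression(v.message, '^Message from: ([^ ]*)')) then (
        v.sender = $1;
        if (matches_regular_expression(v.sender, '^<([^>]*)>')) then v.sender = $1;
        if (v.sender eq '') then v.sender = '[none]';
        set_collected_field(v.key, 'sender', v.sender);
      )

      else if (matches_regular_expression(v.message, '^Message map[^,]*, Subject=<([^>]*)')) then
        set_collected_field(v.key, 'subject', $1);

      # "Message to:" recipients go into the same '__DOT__'-encoded recipients list
      # as RCPT TO recipients.
      else if (matches_regular_expression(v.message, '^Message to: (.*) ')) then (
        v.recipient = $1;
        if (matches_regular_expression(v.recipient, '^<([^>]*)>')) then v.recipient = $1;
        recipients_list = subnode_by_name(recipients_lists, v.key);
        v.recipient = replace_all(v.recipient, '.', '__DOT__');
        set_subnode_value(recipients_list, v.recipient, true);
      );

      # If this line indicates the direction of the mail, add an entry to track
      # inbound and outbound messages.
      else if (matches_regular_expression(v.message, '^(Delivering|Forwarding) mail (to|from|for)')) then (
        v.direction = $1;
        if (v.direction eq 'Delivering') then v.direction = 'Outbound';
        else if (v.direction eq 'Forwarding') then v.direction = 'Inbound';
        set_collected_field(v.key, 'direction', v.direction);
      ); # direction line

      # Attachment name; a trailing "[hex:...]" token is stripped, "no filename"
      # becomes empty, and the extension (uppercased) is recorded separately.
      else if (matches_regular_expression(v.message, '^Get entity filename = (.*)$')) then (
        v.attachment = $1;
        if (matches_regular_expression(v.attachment, '^(.*) \\\\[[0-9a-f:]+\\\\]')) then v.attachment = $1;
        if (v.attachment eq 'no filename') then v.attachment = '';
        set_collected_field(v.key, 'attachment', v.attachment);
        if (matches_regular_expression(v.attachment, '\\\\.([^.]+)$')) then
          set_collected_field(v.key, 'attachment_extension', uppercase($1));
      )

      else if (matches_regular_expression(v.message, '^Matched rule : (.*)$')) then (
        v.rule = $1;
        if (matches_regular_expression(v.rule, '^([^[]+) \\\\[')) then v.rule = $1;
        set_collected_field(v.key, 'rule', v.rule);
      )

      else if (matches_regular_expression(v.message, '^([^ ]+) VIRUS FOUND in attached file (.*)')) then (
        set_collected_field(v.key, 'virus_name', $1);
        v.virus_host_file = $2;
        if (matches_regular_expression(v.virus_host_file, '^([^[]+)\\\\[')) then v.virus_host_file = $1;
        set_collected_field(v.key, 'virus_host_file', v.virus_host_file);
      );

      # Per-filter outcomes. The content, attachment and antivirus outcomes are
      # recorded as-is; the two spam filters (0x20006 and 0x30001) are only
      # overwritten while the recorded value is still unset or 'Passed', so a
      # non-Passed verdict is never replaced by a later Passed one.
      else if (matches_regular_expression(v.message, '^Filter.*CONTENT.* runs successfully, outcome: ([^,]*),')) then
        set_collected_field(v.key, 'content_filter_outcome', $1);

      else if (matches_regular_expression(v.message, '^Filter.*ATTACHMENT.* runs successfully, outcome: ([^,]*),')) then
        set_collected_field(v.key, 'attachment_outcome', $1);

      else if (matches_regular_expression(v.message, 'Filter\\\\([0-9x]+, Antivirus Filter\\\\) [^:]+: ([^,]+),')) then
        set_collected_field(v.key, 'virus_filter', $1);

      else if (matches_regular_expression(v.message, 'Filter\\\\(0x(20006), [Ss][Pp][Aa][Mm] [Ff][Ii][Ll][Tt][Ee][Rr]\\\\) [^:]+: ([^,]+),')) then (
        if ((get_collected_field(v.key, 's_spam_filter') eq '(empty)') or (get_collected_field(v.key, 's_spam_filter') eq 'Passed')) then (
          set_collected_field(v.key, 's_spam_filter', $2);
        );
      );

      else if (matches_regular_expression(v.message, 'Filter\\\\(0x(30001), [Ss][Pp][Aa][Mm] [Ff][Ii][Ll][Tt][Ee][Rr]\\\\) [^:]+: ([^,]+),')) then (
        if ((get_collected_field(v.key, 'h_spam_filter') eq '(empty)') or (get_collected_field(v.key, 'h_spam_filter') eq 'Passed')) then (
          set_collected_field(v.key, 'h_spam_filter', $2);
        );
      );

      # Handle subject[] lines: a single line of bracketed fields in the fixed
      # order subject, sender, recipient, entity, violates policy, reason, action.
      # Each field is peeled off the front of v.message in turn; the entry is
      # accepted once the sender has been seen, whatever follows.
      else if (matches_regular_expression(v.message, '^subject \\\\[([^]]*)\\\\], (.*)$')) then (
        set_collected_field(v.key, 'subject', $1);
        v.message = $2;
        if (matches_regular_expression(v.message, '^sender \\\\[([^]]*)\\\\], (.*)$')) then (
          set_collected_field(v.key, 'sender', $1);
          v.message = $2;
          if (matches_regular_expression(v.message, '^recipient\\\\[([^]]*)\\\\], (.*)$')) then (
            set_collected_field(v.key, 'recipient', $1);
            v.message = $2;
            if (matches_regular_expression(v.message, '^entity \\\\[([^]]*)\\\\] (.*)$')) then (
              set_collected_field(v.key, 'entity', $1);
              v.message = $2;
              if (matches_regular_expression(v.message, '^violates policy \\\\[([^]]*)\\\\], (.*)$')) then (
                set_collected_field(v.key, 'policy_name', $1);
                set_collected_field(v.key, 'policy_violations', 1);
                v.message = $2;
                if (matches_regular_expression(v.message, '^reason \\\\[([^]]*)\\\\], (.*)$')) then (
                  set_collected_field(v.key, 'reason', $1);
                  v.message = $2;
                  if (matches_regular_expression(v.message, '^action \\\\[([^]]*)\\\\], (.*)$')) then (
                    set_collected_field(v.key, 'action', $1);
                    v.message = $2;
                  );
                );
              );
            );
          );
          accept_collected_entry(v.key, false);
        );
      ); # if subject[]

      # Get the size (Windows format only; Linux takes it from MAIL FROM SIZE=)
      else if (logFormatIsWindows and matches_regular_expression(v.message, '^MTA finish, spend <[0-9]+> ms, size=\\\\([0-9]+, ([0-9]+)\\\\) bytes')) then
        set_collected_field(v.key, 'size', $1);

      # The "Final action is" lines indicate the action, and complete the session (and contain key2).
      # On Windows the session ends at "Scan finish" instead.
      # NOTE(review): the 'action' field is set from $1 below, but the Windows
      # '^Scan finish' pattern has no capture group -- confirm what $1 holds there.
      else if ((logFormatIsWindows and matches_regular_expression(v.message, '^Scan finish')) or
               (!logFormatIsWindows and matches_regular_expression(v.message, '^Final action is (.*)$')) or
               (!logFormatIsWindows and matches_regular_expression(v.message, '^(delivery) (success|fail since )'))) then (

        # Convert empty attachment to empty string
        if (get_collected_field(v.key, 'attachment') eq '(empty)') then
          set_collected_field(v.key, 'attachment', '');
        else if (get_collected_field(v.key, 'attachment') eq 'no filename') then
          set_collected_field(v.key, 'attachment', '');

        # Derive the *_detected flags from the per-filter outcomes collected above:
        # anything that is set and not 'Passed' counts as detected (virus: anything set).

        # Detect h spam message
        if ((get_collected_field(v.key, 'h_spam_filter') ne '(empty)') and (get_collected_field(v.key, 'h_spam_filter') ne 'Passed')) then
          set_collected_field(v.key, 'spam_detected', 1);

        # Detect s spam message
        if ((get_collected_field(v.key, 's_spam_filter') ne '(empty)') and (get_collected_field(v.key, 's_spam_filter') ne 'Passed')) then
          set_collected_field(v.key, 'spam_detected', 1);

        # Detect content filtering
        if ((get_collected_field(v.key, 'content_filter_outcome') ne '(empty)') and (get_collected_field(v.key, 'content_filter_outcome') ne 'Passed')) then
          set_collected_field(v.key, 'content_detected', 1);

        # Detect packet filtering
        if (get_collected_field(v.key, 'filter_action') eq 'blocked') then (
          set_collected_field(v.key, 'filtered_packets', 1);
          set_collected_field(v.key, 'filter_action', '(blocked)');
        );

        # Detect attachment filtering
        if ((get_collected_field(v.key, 'attachment_outcome') ne '(empty)') and (get_collected_field(v.key, 'attachment_outcome') ne 'Passed')) then
          set_collected_field(v.key, 'attachment_detected', 1);

        # Detect virus filtering
        if (get_collected_field(v.key, 'virus_filter') ne '(empty)') then
          set_collected_field(v.key, 'virus_detected', 1);

        # Get the recipients list
        recipients_list = subnode_by_name(recipients_lists, v.key);

        # If there are no recipients, try the other key (RCPT TO lines may have been
        # filed under key1 before the keys were correlated)
        if (num_subnodes(recipients_list) == 0) then (
          v.key2 = node_value(subnode_by_name('v.keymap', v.key));
          if (v.key2 ne '') then
            recipients_list = subnode_by_name(recipients_lists, v.key2);
        );

        # Add a "delivered" entry for each recipient. These entries carry the
        # delivered counters and zero processed counters, so totals do not
        # double-count against the single "processed" entry added afterwards.
        foreach this_recipient recipients_list (
          v.recipient = node_name(this_recipient);
          v.recipient = replace_all(v.recipient, '__DOT__', '.');
          set_collected_field(v.key, 'recipient', v.recipient);
          set_collected_field(v.key, 'action', $1);
          set_collected_field(v.key, 'event_type', 'message');
          set_collected_field(v.key, 'messages_processed', 0);
          set_collected_field(v.key, 'messages_delivered', 1);
          set_collected_field(v.key, 'bytes_processed', 0);
          set_collected_field(v.key, 'bytes_delivered', get_collected_field(v.key, 'size'));
          set_collected_field(v.key, 'virus_processed', 0);
          set_collected_field(v.key, 'virus_delivered', get_collected_field(v.key, 'virus_detected'));
          set_collected_field(v.key, 'content_processed', 0);
          set_collected_field(v.key, 'content_delivered', get_collected_field(v.key, 'content_detected'));
          set_collected_field(v.key, 'spam_processed', 0);
          set_collected_field(v.key, 'spam_delivered', get_collected_field(v.key, 'spam_detected'));
          set_collected_field(v.key, 'attachment_processed', 0);
          set_collected_field(v.key, 'attachment_delivered', get_collected_field(v.key, 'attachment_detected'));
          accept_collected_entry(v.key, true);
        ); # foreach recipient

        # Free the memory used by recipients list
        delete_node(recipients_list);

        # Add an entry for the messages_processed (no recipient; processed counters set,
        # delivered counters zero)
        set_collected_field(v.key, 'recipient', '');
        set_collected_field(v.key, 'action', $1);
        set_collected_field(v.key, 'event_type', 'message');
        set_collected_field(v.key, 'messages_processed', 1);
        set_collected_field(v.key, 'messages_delivered', 0);
        set_collected_field(v.key, 'bytes_processed', get_collected_field(v.key, 'size'));
        set_collected_field(v.key, 'bytes_delivered', 0);
        set_collected_field(v.key, 'virus_processed', get_collected_field(v.key, 'virus_detected'));
        set_collected_field(v.key, 'virus_delivered', 0);
        set_collected_field(v.key, 'content_processed', get_collected_field(v.key, 'content_detected'));
        set_collected_field(v.key, 'content_delivered', 0);
        set_collected_field(v.key, 'spam_processed', get_collected_field(v.key, 'spam_detected'));
        set_collected_field(v.key, 'spam_delivered', 0);
        set_collected_field(v.key, 'attachment_processed', get_collected_field(v.key, 'attachment_detected'));
        set_collected_field(v.key, 'attachment_delivered', 0);

        # Don't actually accept this yet; wait until 1000 lines have elapsed, so we're sure we've got the last line (including the direction)
        accept_collected_entry(v.key, false);
      ); # handle final lines

      # A split message gets a new key; copy the fields and recipients collected so far to it.
      # e.g., mail splited: 4258A2B3-67F6-4E0E-B3BE-F7BD63F858FB [2180:1dbc]
      else if (matches_regular_expression(v.message, '^mail splited: ([^ ]+)')) then (
        v.new_key = uppercase($1);
        set_collected_field(v.new_key, 'sender', get_collected_field(v.key, 'sender'));
        set_collected_field(v.new_key, 'recipient', get_collected_field(v.key, 'recipient'));
        set_collected_field(v.new_key, 'subject', get_collected_field(v.key, 'subject'));
        set_collected_field(v.new_key, 'connecting_server_name', get_collected_field(v.key, 'connecting_server_name'));
        set_collected_field(v.new_key, 'connecting_server_ip', get_collected_field(v.key, 'connecting_server_ip'));
#        set_collected_field(v.new_key, 'direction', get_collected_field(v.key, 'direction'));

        # Copy the recipients lists
        new_recipients_list = subnode_by_name(recipients_lists, v.new_key);
        old_recipients_list = subnode_by_name(recipients_lists, v.key);
        foreach this_recipient old_recipients_list (
          v.recipient = node_name(this_recipient);
          set_subnode_value(new_recipients_list, v.recipient, true);
        );
#        set_collected_field(v.new_key, '', get_collected_field(v.key, ''));
      ); # if mail splited

    ); # End format with yyyy/mm/dd hh:mm:ss#key#message
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    sender = ""
    recipient = ""
    subject = ""
    rule = ""
    connecting_server_ip = ""
    connecting_server_name = ""
    virus_name = ""
    virus_host_file = ""
    attachment = ""
    attachment_extension = ""
    filter_name = ""
    action_on_content = ""
    action_on_message = ""
    quarantine_area_name = ""
    filter_type = ""
    filter_content = ""
    content_filter_outcome = ""
    attachment_outcome = ""
    virus_filter = ""
    s_spam_filter = ""
    h_spam_filter = ""
    ip_address = ""
    location = ""
    filter_action = ""
    ipfilter_type = ""
    filter_code = ""
    filter_rcode = ""
    base_code = ""
    direction = ""
    policy_name = ""
    reason = ""
    entity = ""
  } # database.fields

  # Numerical (aggregated) fields. The *_processed / *_delivered pairs are fed by
  # the two kinds of "message" entry the parser emits (see the final-action branch).
  database.numerical_fields = {
    messages_processed = {
      label = "$lang_stats.field_labels.messages_processed"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages_processed
    messages_delivered = {
      label = "$lang_stats.field_labels.messages_delivered"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # messages_delivered
    bytes_processed = {
      label = "$lang_stats.field_labels.bytes_processed"
      default = true
      requires_log_field = true
      log_field = "bytes_processed"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_processed
    bytes_delivered = {
      label = "$lang_stats.field_labels.bytes_delivered"
      default = true
      requires_log_field = true
      log_field = "bytes_delivered"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_delivered
    filtered_messages = {
      label = "$lang_stats.field_labels.filtered_messages"
      default = true
      requires_log_field = true
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # filtered_messages
    filtered_packets = {
      label = "$lang_stats.field_labels.filtered_packets"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # filtered_packets
    spam_processed = {
      label = "$lang_stats.field_labels.spam_processed"
      default = true
      requires_log_field = true
      log_field = "spam_processed"
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # spam_processed
    spam_delivered = {
      label = "$lang_stats.field_labels.spam_delivered"
      default = true
      requires_log_field = true
      log_field = "spam_delivered"
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # spam_delivered
    virus_processed = {
      label = "$lang_stats.field_labels.virus_processed"
      default = true
      requires_log_field = true
      log_field = "virus_processed"
      type = "int"
      display_format_type = "integer"
      entries_field = false
    } # virus_processed
    virus_delivered = {
      label = "$lang_stats.field_labels.virus_delivered"
      default = true
      requires_log_field = true
      log_field = "virus_delivered"
      type = "int"
      display_format_type = "integer"
      entries_field = false
    } # virus_delivered
    content_processed = {
      label = "$lang_stats.field_labels.content_processed"
      default = true
      requires_log_field = true
      log_field = "content_processed"
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # content_processed
    content_delivered = {
      label = "$lang_stats.field_labels.content_delivered"
      default = true
      requires_log_field = true
      log_field = "content_delivered"
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # content_delivered
    attachment_processed = {
      label = "$lang_stats.field_labels.attachment_processed"
      default = true
      requires_log_field = true
      log_field = "attachment_processed"
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # attachment_processed
    attachment_delivered = {
      label = "$lang_stats.field_labels.attachment_delivered"
      default = true
      requires_log_field = true
      log_field = "attachment_delivered"
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # attachment_delivered
#    inbound_messages = {
#      label = "$lang_stats.field_labels.inbound_messages"
#      default = true
#      requires_log_field = false
#      type = "int"
#      display_format_type = "integer"
#      entries_field = true
#    } # inbound_messages
##    outbound_messages = {
#      label = "$lang_stats.field_labels.outbound_messages"
#      default = true
#      requires_log_field = false
#      type = "int"
#      display_format_type = "integer"
#    } # outbound_messages
    policy_violations = {
      default = true
    }
  } # database.numerical_fields

  log.filters = {
  } # log.filters

  create_profile_wizard_options = {
    date_time_tracking = true

    # How the reports should be grouped in the report menu
    manual_reports_menu = true
    report_groups = {
      overview.type = "overview"
      date_time_group = {
        items = {
          # Graph messages_processed: it is the default entries field above. The
          # previous graph_field, "malicious_events", is not a numerical field of
          # this plugin.
          date_time = {
            label = "$lang_stats.miscellaneous.years_months_days"
            graph_field = "messages_processed"
            only_bottom_level_items = false
          }
          days = {
            label = "$lang_stats.miscellaneous.days"
            database_field_name = "date_time"
            graph_field = "messages_processed"
          }
          day_of_week = {
            graph_field = "messages_processed"
          }
          hour_of_day = {
            graph_field = "messages_processed"
          }
        }
      } # date_time_group
      sender = ""
      recipient = ""
      attachments_by_sender = {
        columns = {
          0.field_name = "sender"
          1.field_name = "attachment"
        }
        subtable = true
      }
      subject = ""
      rule = ""
      connecting_server_ip = ""
      connecting_server_name = ""
      virus_filter = ""
      virus_name = ""
      virus_host_file = ""
      s_spam_filter = ""
      h_spam_filter = ""
      filter_name = ""
      attachment = ""
      attachment_extension = ""
      action_on_content = ""
      action_on_message = ""
      quarantine_area_name = ""
      filter_type = ""
      filter_content = ""
      direction = ""
      policy_name = ""
      reason = ""
      entity = ""
      ip_filter = {
        items = {
          ip_address = ""
          location = ""
          filter_action = ""
          ipfilter_type = ""
          filter_code = ""
          filter_rcode = ""
          base_code = ""
        }
      }
      log_detail = true
      single_page_summary = true
    } # report_groups
  } # create_profile_wizard_options

} # interscan_messaging_security_suite_integrated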