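# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Trend Micro InterScan Messaging Security Suite.
#
# Every log line carries a timestamp, an optional 36-character message ID and a
# free-text event message. The parsing filter below keys the events of one message
# on that ID and emits ONE statistics entry per message when its "Scan finish" line
# is seen. Operational caveats a reader of the resulting reports should know:
#
#   * Time zone: the offset that follows "GMT" in the log (e.g. "GMT-08:00") is
#     matched but never captured; the time field is stored as written with a
#     literal "GMT" suffix, so report times are the appliance's own clock labelled
#     GMT. Merging logs from hosts in different zones will skew timelines.
#   * Coverage: an entry is only accepted on the "Scan finish" line. Mail that is
#     rejected before scanning (ACL/connection-level) or whose session is cut off
#     never becomes an entry, so blocked traffic is under-reported here.
#   * Trust: from / to / subject / rule / virus_host_file are copied out of
#     sender-controlled message content. The extraction regexes stop at the first
#     '>' (headers) or ',' (filter verdicts), so a crafted value containing that
#     character is truncated. Treat these fields as untrusted data downstream.

interscan_security_suite = {

  plugin_version = "1.0.1"
  # Initial creation - 1.0
  # 2011-01-07 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "TrendMicro"
  info.1.device = "Interscan Messaging Security Suite"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Interscan Messaging Security Suite Log Format"
  log.miscellaneous.log_data_type = "mail_server"
  log.miscellaneous.log_format_type = "mail_server"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The group after the timezone is either a 36-character message ID or a single
  # blank (service/housekeeping lines such as "InterScan SMTP main service is ready").
  log.format.autodetect_regular_expression = "^[0-9]+/[0-9]+/[0-9]+ [0-9]+:[0-9]+:[0-9]+ GMT[-+][0-9]+:[0-9]+ ([A-F0-9-]{36}| )(<< |>> |ACL check |InterScan SMTP main service is ready to process email|#### ScanStubThread|Scan Queue Size| )"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log. The time is stored with its literal
  # "GMT" suffix; the numeric offset in the raw line is discarded by the parsing filter.
  log.format.date_format = "yyyy/mm/dd"
  log.format.time_format = "h:mm:ss GMT"

  # Entries are called messages
  statistics.miscellaneous.entry_name = "messages"

  # Log fields. All are filled by set_collected_field() in the parsing filter,
  # never by positional parsing (parse_only_with_filters is true).
  log.fields = {

    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date

    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time

    # Envelope sender from the "Message from: <...>" line; untrusted input.
    from = {
      label = "$lang_stats.field_labels.from"
      type = "flat"
      index = 0
      subindex = 0
    } # from

    # All recipients, joined with " | " (most recent first); untrusted input.
    to = {
      label = "$lang_stats.field_labels.to"
      type = "flat"
      index = 0
      subindex = 0
    } # to

    # Subject from the "Message map ... Subject=<...>" line; untrusted input.
    subject = {
      label = "$lang_stats.field_labels.subject"
      type = "flat"
      index = 0
      subindex = 0
    } # subject

    # Policy rule name, or the synthetic values "Encrypted" / "Mail split".
    rule = {
      label = "$lang_stats.field_labels.rule"
      type = "flat"
      index = 0
      subindex = 0
    } # rule

    # Name and IP of the peer from the "Received from host ([ip]) by" line.
    connecting_server_name = {
      label = "$lang_stats.field_labels.connecting_server_name"
      type = "flat"
      index = 0
      subindex = 0
    } # connecting_server_name

    connecting_server_ip = {
      label = "$lang_stats.field_labels.connecting_server_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # connecting_server_ip

    # Verdict text of the Antivirus Filter line.
    virus_filter = {
      label = "$lang_stats.field_labels.virus_filter"
      type = "flat"
      index = 0
      subindex = 0
    } # virus_filter

    # Detection name and attachment name from the "VIRUS FOUND in attached file" line.
    virus_name = {
      label = "$lang_stats.field_labels.virus_name"
      type = "flat"
      index = 0
      subindex = 0
    } # virus_name

    virus_host_file = {
      label = "$lang_stats.field_labels.virus_host_file"
      type = "flat"
      index = 0
      subindex = 0
    } # virus_host_file

    # Second size figure of the "Scan finish ... size=(a, b) bytes" line.
    size = {
      label = "$lang_stats.field_labels.size"
      type = "size"
      index = 0
      subindex = 0
    } # size

    # Verdicts of the two spam filters, distinguished by filter id 0x20006 / 0x30001.
    s_spam_filter = {
      label = "$lang_stats.field_labels.s_spam_filter"
      type = "flat"
      index = 0
      subindex = 0
    } # s_spam_filter

    h_spam_filter = {
      label = "$lang_stats.field_labels.h_spam_filter"
      type = "flat"
      index = 0
      subindex = 0
    } # h_spam_filter

    # Derived 0/1 counters, computed by log.filters after parsing.
    spam_detected = {
      label = "$lang_stats.field_labels.spam_detected"
      type = "flat"
      index = 0
      subindex = 0
    } # spam_detected

    virus_detected = {
      label = "$lang_stats.field_labels.virus_detected"
      type = "flat"
      index = 0
      subindex = 0
    } # virus_detected

    # Kept (disabled) as a hook for troubleshooting the parsing filter.
    # debug = {
    #   label = "debug"
    #   type = "flat"
    #   index = 0
    #   subindex = 0
    # } # debug

  } # log.fields

  # Log Parsing Filters
  #
  # One filter does all the work. Each raw line is split into
  #   $1 date, $2 "hh:mm:ss GMT" (numeric offset dropped), $3 message ID, $4 message text.
  # Events are accumulated per message ID with set_collected_field() and the entry is
  # accepted only when the "Scan finish" line arrives; defaults ("none specified",
  # messages = 1) are filled in at that point.
  #
  # Service lines carry no message ID ($3 is empty). They are skipped rather than
  # being collected under an empty key that would never be accepted.
  #
  # Spam verdicts are "first non-Passed wins": a verdict is only stored while the
  # field is still empty or "Passed". The Antivirus verdict is stored unconditionally.
  log.parsing_filters = {

    parse = {
      label = "log parsing filter"
      comment = "This filter parses each log line and accepts elements of each line to create one 'virtual' log line"
      value = "
        if (matches_regular_expression(current_log_line(), '^([0-9]+/[0-9]+/[0-9]+) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9] GMT)[0-9:+-]* ([A-Za-z0-9-]*) (.*)$')) then (
          v.key = $3;
          v.message = $4;
          if (v.key ne '') then (
            set_collected_field(v.key, 'date', $1);
            set_collected_field(v.key, 'time', $2);
            if (matches_regular_expression(v.message, 'Received from ([^ ]+) \\\\(\\\\[([0-9.]+)\\\\]\\\\) by')) then (
              set_collected_field(v.key, 'connecting_server_name', $1);
              set_collected_field(v.key, 'connecting_server_ip', $2);
            );
            else if (matches_regular_expression(v.message, 'Message from: <([^>]*)>')) then (
              set_collected_field(v.key, 'from', $1);
            );
            else if (matches_regular_expression(v.message, 'Message map[^,]*, Subject=<([^>]*)>, ')) then (
              set_collected_field(v.key, 'subject', $1);
            );
            else if (matches_regular_expression(v.message, 'Message to: <([^>]*)> ')) then (
              if (get_collected_field(v.key, 'to') eq '(empty)') then (v.to = $1) else (v.to = $1 . ' | ' . get_collected_field(v.key, 'to'));
              set_collected_field(v.key, 'to', replace_all(v.to, '<', ''));
            );
            else if (matches_regular_expression(v.message, 'Matched rule : ([^[]+) \\\\[')) then (
              set_collected_field(v.key, 'rule', $1);
            );
            else if (contains(v.message, 'Encrypted message')) then (
              set_collected_field(v.key, 'rule', 'Encrypted');
            );
            else if (contains(v.message, 'mail splited:')) then (
              set_collected_field(v.key, 'rule', 'Mail split');
            );
            else if (matches_regular_expression(v.message, '([^ ]+) VIRUS FOUND in attached file ([^[]+)\\\\[')) then (
              set_collected_field(v.key, 'virus_name', $1);
              set_collected_field(v.key, 'virus_host_file', $2);
            );
            else if (matches_regular_expression(v.message, 'Filter\\\\([0-9x]+, Antivirus Filter\\\\) [^:]+: ([^,]+),')) then (
              set_collected_field(v.key, 'virus_filter', $1);
            );
            else if (matches_regular_expression(v.message, 'Filter\\\\(0x(20006), [Ss][Pp][Aa][Mm] [Ff][Ii][Ll][Tt][Ee][Rr]\\\\) [^:]+: ([^,]+),')) then (
              if ((get_collected_field(v.key, 's_spam_filter') eq '(empty)') or (get_collected_field(v.key, 's_spam_filter') eq 'Passed')) then (
                set_collected_field(v.key, 's_spam_filter', $2);
              );
            );
            else if (matches_regular_expression(v.message, 'Filter\\\\(0x(30001), [Ss][Pp][Aa][Mm] [Ff][Ii][Ll][Tt][Ee][Rr]\\\\) [^:]+: ([^,]+),')) then (
              if ((get_collected_field(v.key, 'h_spam_filter') eq '(empty)') or (get_collected_field(v.key, 'h_spam_filter') eq 'Passed')) then (
                set_collected_field(v.key, 'h_spam_filter', $2);
              );
            );
            else if (matches_regular_expression(v.message, 'MTA finish, spend <[0-9]+> ms, size=\\\\([0-9]+, [0-9]+\\\\) bytes, ([0-9]+) messages')) then (
              set_collected_field(v.key, 'messages', $1);
            );
            else if (matches_regular_expression(v.message, 'Scan finish, scan took <[0-9]+> ms, message took <[0-9]+> ms, total <[0-9]+> ms, size=\\\\([0-9]+, ([0-9]+)\\\\) bytes ')) then (
              set_collected_field(v.key, 'size', $1);
              if (get_collected_field(v.key, 'messages') eq '(empty)') then
                set_collected_field(v.key, 'messages', '1');
              if (get_collected_field(v.key, 'from') eq '(empty)') then
                set_collected_field(v.key, 'from', 'none specified');
              if (get_collected_field(v.key, 'to') eq '(empty)') then
                set_collected_field(v.key, 'to', 'none specified');
              if (get_collected_field(v.key, 'subject') eq '(empty)') then
                set_collected_field(v.key, 'subject', 'none specified');
              accept_collected_entry(v.key, false);
            );
          );
        );
      "
    } # parse

  } # log.parsing_filters

  # Database fields
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    from = {
      label = "$lang_stats.field_labels.from"
      log_field = "from"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # from

    to = {
      label = "$lang_stats.field_labels.to"
      log_field = "to"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # to

    subject = {
      label = "$lang_stats.field_labels.subject"
      log_field = "subject"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # subject

    rule = {
      label = "$lang_stats.field_labels.rule"
      log_field = "rule"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule

    connecting_server_ip = {
      label = "$lang_stats.field_labels.connecting_server_ip"
      log_field = "connecting_server_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # connecting_server_ip

    connecting_server_name = {
      label = "$lang_stats.field_labels.connecting_server_name"
      log_field = "connecting_server_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # connecting_server_name

    virus_name = {
      label = "$lang_stats.field_labels.virus_name"
      log_field = "virus_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # virus_name

    virus_host_file = {
      label = "$lang_stats.field_labels.virus_host_file"
      log_field = "virus_host_file"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # virus_host_file

    virus_filter = {
      label = "$lang_stats.field_labels.virus_filter"
      log_field = "virus_filter"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # virus_filter

    s_spam_filter = {
      label = "$lang_stats.field_labels.s_spam_filter"
      log_field = "s_spam_filter"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # s_spam_filter

    h_spam_filter = {
      label = "$lang_stats.field_labels.h_spam_filter"
      log_field = "h_spam_filter"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # h_spam_filter

    # debug = {
    #   label = "debug"
    #   log_field = "debug"
    #   type = "string"
    #   suppress_top = 0
    #   suppress_bottom = 2
    # } # debug

  } # database.fields

  database.numerical_fields = {

    # Entry counter; filled from the "MTA finish ... N messages" line or defaulted to 1.
    messages = {
      label = "$lang_stats.field_labels.messages"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # messages

    size = {
      label = "$lang_stats.field_labels.size"
      default = false
      requires_log_field = true
      log_field = "size"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # size

    # 0/1 per entry, set by log.filters.spam_detected_entry.
    spam_detected = {
      label = "$lang_stats.field_labels.spam_detected"
      default = false
      requires_log_field = true
      log_field = "spam_detected"
      type = "int"
      display_format_type = "integer"
      entries_field = false
    } # spam_detected

    # 0/1 per entry, set by log.filters.virus_detected_entry.
    virus_detected = {
      label = "$lang_stats.field_labels.virus_detected"
      default = false
      requires_log_field = true
      log_field = "virus_detected"
      type = "int"
      display_format_type = "integer"
      entries_field = false
    } # virus_detected

  } # database.numerical_fields

  # Log filters. ORDER MATTERS: remove_empty must run first (it turns "(empty)"
  # into the sentinel values the counters compare against), the two counters
  # next, and the three rename filters last (they hide the sentinels from reports).
  log.filters = {

    remove_empty = {
      label = "Convert (empty) entries to (passed) in the spam and virus filters to enable the spam/virus counter to work correctly"
      comment = "remove_empty"
      value = "if (h_spam_filter eq '(empty)') then h_spam_filter = 'Passed'; if (s_spam_filter eq '(empty)') then s_spam_filter = 'Passed'; if (virus_filter eq '(empty)') then virus_filter = 'No_Virus';"
    } # remove_empty

    # A message is spam unless BOTH spam filters passed (or logged nothing).
    spam_detected_entry = {
      label = 'Spam Detected Count'
      comment = 'This filter counts the spam emails'
      value = "if (h_spam_filter eq 'Passed') and (s_spam_filter eq 'Passed') then spam_detected = 0; else spam_detected = 1;"
    } # spam_detected_entry

    # NOTE(review): only the "No_Virus" sentinel (i.e. no Antivirus Filter line at
    # all) is treated as clean. If the appliance logs an explicit clean verdict
    # such as "Passed" on the Antivirus Filter line, as the spam filters do, every
    # scanned message is counted as a detection here. Confirm against sample logs
    # before relying on this counter.
    virus_detected_entry = {
      label = 'Virus Detected Count'
      comment = 'This filter counts the Virus emails'
      value = "if (virus_filter eq 'No_Virus') then virus_detected = 0; else virus_detected = 1;"
    } # virus_detected_entry

    remove_s_spam_passed_entry = {
      label = 'Set Passed to (passed)'
      comment = 'This filter sets Passed values in s_spam_filter field to (passed) to remove it from the analysis, this must occur *after* the spam counter has run'
      value = "if (s_spam_filter eq 'Passed') then s_spam_filter = '(passed)';"
    } # remove_s_spam_passed_entry

    remove_h_spam_passed_entry = {
      label = 'Set Passed to (passed)'
      comment = 'This filter sets Passed values in h_spam_filter field to (passed) to remove it from the analysis, this must occur *after* the spam counter has run'
      value = "if (h_spam_filter eq 'Passed') then h_spam_filter = '(passed)';"
    } # remove_h_spam_passed_entry

    remove_no_virus_entry = {
      label = 'Set No_Virus to (No_Virus)'
      comment = 'This filter sets No_Virus values in virus_filter field to (No_Virus) to remove it from the analysis, this must occur *after* the virus counter has run'
      value = "if (virus_filter eq 'No_Virus') then virus_filter = '(no_virus)';"
    } # remove_no_virus_entry

  } # log.filters

  create_profile_wizard_options = {

    date_time_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      from = true
      to = true
      subject = true
      rule = true
      connecting_server_ip = true
      connecting_server_name = true
      virus_name = true
      virus_host_file = true
      virus_filter = true
      s_spam_filter = true
      h_spam_filter = true
    } # report_groups

  } # create_profile_wizard_options

  # Web-style report types that make no sense for a mail gateway log.
  not_supported = {
    visitors = true
    sessions = true
    pageviews = true
    individualhosts = true
  } # not_supported

} # interscan_security_suite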