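#!/usr/bin/perl
#
# Summarise virus detections from a sendmail + clamav-milter maillog.
#
# sendmail logs the connecting host's IP address and clamav-milter logs the
# virus name on separate lines that share a sendmail message id, so the log
# is first joined by message id and then reported as:
#   * how many times each virus was seen, most frequent first;
#   * which hosts sent at least $REPORT_THRESHOLD viruses, with a per-virus
#     breakdown, most frequent first;
#   * for one watched host, the envelope senders it used (these come from the
#     SMTP envelope and are very likely spoofed).
#
# Usage: maillog-virus-report.pl [maillog]     (default: /var/log/maillog)
#
# NOTE(review): every printed field except the IP address (virus name, sender)
# is taken verbatim from attacker-controlled mail traffic.  Non-printable
# characters are stripped before output so a crafted envelope address cannot
# inject terminal escape sequences into the report.
#
# Fixes relative to the previous version:
#   * three-argument open on a lexical handle, with the failure checked
#     (a missing or unreadable log used to produce an empty report silently);
#   * the virus name was captured with (\d|\D+), which silently dropped every
#     detection whose signature name contains a digit;
#   * per-message data and per-IP aggregates lived in the same hash, keyed by
#     message id and by IP address respectively; they are now separate;
#   * a detection with no usable IP (only a loopback line, or no sendmail line
#     at all) was counted under the key "" with an "uninitialized" warning;
#     it is now counted under "unknown";
#   * sort order among equal counts is made deterministic by name.
use warnings;
use diagnostics;
use strict;

# --- configuration ---------------------------------------------------------
my $DEFAULT_LOG      = '/var/log/maillog';
my $REPORT_THRESHOLD = 10;              # hosts with fewer detections are not listed
my $WATCHED_IP       = '207.156.7.1';   # host whose sender addresses are listed

# Rows logged against the loopback address carry no useful origin.
my $LOOPBACK = '127.0.0.1';

# sendmail: "... sendmail[PID]: MSGID: ... [A.B.C.D]"
# The last bracketed dotted quad on the line is taken as the sending host.
# NOTE(review): sendmail writes several lines per message id; the last one
# matched wins, as in the original.  Confirm that is the relay= line wanted.
my $SENDMAIL_RE = qr{
    sendmail\[\d+\]: \s (\w+): .+ \[ (\d+\.\d+\.\d+\.\d+) \]
}xs;

# clamav-milter: "... clamav-milter[PID]: MSGID: stream: NAME virus from <S> to <R>"
my $CLAMAV_RE = qr{
    clamav-milter\[\d+\]: \s (\w+): \s stream: \s (.+?) \s virus \s from \s < (.+) > \s to \s < (.+) >
}xs;

# parse_maillog($fh)
#   Reads log lines from $fh and returns a hashref keyed by message id.  Each
#   value is a hashref with any of: ip_addr (from sendmail lines, loopback
#   omitted), virus, sender, recipient (from clamav-milter lines).
sub parse_maillog {
    my ($fh) = @_;
    my %by_msg;

    while ( my $line = <$fh> ) {
        chomp $line;
        if ( $line =~ $SENDMAIL_RE ) {
            my ( $msg_id, $ip ) = ( $1, $2 );
            # Do not create an entry for loopback deliveries; the message may
            # still get a virus record and then counts under "unknown".
            $by_msg{$msg_id}{ip_addr} = $ip unless $ip eq $LOOPBACK;
        }
        elsif ( $line =~ $CLAMAV_RE ) {
            my ( $msg_id, $virus, $sender, $recipient ) = ( $1, $2, $3, $4 );
            $by_msg{$msg_id}{virus}     = $virus;
            $by_msg{$msg_id}{sender}    = $sender;
            $by_msg{$msg_id}{recipient} = $recipient;
        }
    }
    return \%by_msg;
}

# summarize($by_msg)
#   Aggregates the per-message records into three structures, returned as a
#   list of hashrefs:
#     %virus_count  virus name -> detections
#     %ip_count     ip address -> detections ("unknown" when no IP was logged)
#     %by_ip        ip -> { virus => { name => n }, sender => { addr => n } }
#   Messages without a virus record are ignored.
sub summarize {
    my ($by_msg) = @_;
    my ( %virus_count, %ip_count, %by_ip );

    for my $rec ( values %{$by_msg} ) {
        next unless defined $rec->{virus} && length $rec->{virus};
        my $ip = defined $rec->{ip_addr} ? $rec->{ip_addr} : 'unknown';

        $virus_count{ $rec->{virus} }++;
        $ip_count{$ip}++;
        $by_ip{$ip}{virus}{ $rec->{virus} }++;
        $by_ip{$ip}{sender}{ $rec->{sender} }++;
    }
    return ( \%virus_count, \%ip_count, \%by_ip );
}

# by_count_desc($counts)
#   Keys of the count hashref, largest count first; ties broken by key so the
#   report is stable from run to run.
sub by_count_desc {
    my ($counts) = @_;
    return sort { $counts->{$b} <=> $counts->{$a} || $a cmp $b } keys %{$counts};
}

# printable($text)
#   Copy of $text with everything outside printable ASCII removed, so log
#   content cannot carry control/escape sequences into the terminal.
sub printable {
    my ($text) = @_;
    ( my $clean = $text ) =~ tr/\x20-\x7e//cd;
    return $clean;
}

# report($virus_count, $ip_count, $by_ip, $threshold, $watched_ip)
#   Prints the three sections described at the top of the file to STDOUT.
#   Only hosts with at least $threshold detections are listed; sender
#   addresses are listed only for $watched_ip and only if it passes the
#   threshold, matching the original behaviour.
sub report {
    my ( $virus_count, $ip_count, $by_ip, $threshold, $watched_ip ) = @_;

    print "Shows a count of each virus type:\n";
    for my $virus ( by_count_desc($virus_count) ) {
        print 'Count is ', $virus_count->{$virus}, ' for ', printable($virus), "\n";
    }

    print "\nShows uniques hosts with a virus count over $threshold:\n";
    for my $ip ( by_count_desc($ip_count) ) {
        next if $ip_count->{$ip} < $threshold;

        print "\n$ip sent the following virus's a total of $ip_count->{$ip} times: \n";
        my $per_virus = $by_ip->{$ip}{virus};
        for my $virus ( by_count_desc($per_virus) ) {
            print printable($virus), " was transmitted $per_virus->{$virus} times.\n";
        }
        print "\n";

        next unless $ip eq $watched_ip;
        my $per_sender = $by_ip->{$ip}{sender};
        for my $sender ( by_count_desc($per_sender) ) {
            print 'Possibly spoofed address ', printable($sender),
                " was seen $per_sender->{$sender} times.\n";
        }
    }
    return;
}

# main(@ARGV)
#   Entry point: optional first argument overrides the log path.  Dies if the
#   log cannot be opened instead of silently printing an empty report.
sub main {
    my ($log_file) = @_;
    $log_file = $DEFAULT_LOG unless defined $log_file && length $log_file;

    open my $fh, '<', $log_file or die "Cannot open $log_file: $!\n";
    my $by_msg = parse_maillog($fh);
    close $fh or die "Error reading $log_file: $!\n";

    my ( $virus_count, $ip_count, $by_ip ) = summarize($by_msg);
    report( $virus_count, $ip_count, $by_ip, $REPORT_THRESHOLD, $WATCHED_IP );
    return;
}

# Run only when executed directly, so the subs can be loaded for testing.
main(@ARGV) unless caller;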