[pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output

[pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output

[Mira Limbeck]

clamd reports found signatures in the log which can be matched by the
same Queue ID pmg-smtp-filter uses. This QID makes it possible to add
those messages to the log output.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
---
 src/main.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/main.rs b/src/main.rs
index e55f17b..dbcd7bc 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -777,6 +777,20 @@ fn handle_cleanup_message(msg: &[u8], parser: &mut Parser, complete_line: &[u8])
     }
 }
 
+fn handle_clamd_message(msg: &[u8], parser: &mut Parser, complete_line: &[u8]) {
+    let data = match msg.strip_prefix(b"/var/spool/pmg/active/") {
+        Some(data) => data,
+        None => return,
+    };
+    let (qid, _data) = match parse_qid(data, 25) {
+        Some(t) => t,
+        None => return,
+    };
+
+    let fe = get_or_create_fentry(&mut parser.fentries, qid);
+    fe.borrow_mut().log.push((complete_line.into(), parser.lines));
+}
+
 #[derive(Default, Debug)]
 struct NoqueueEntry {
     from: Box<[u8]>,
@@ -1904,6 +1918,8 @@ impl Parser {
                 handle_smtpd_message(line, self, complete_line);
             } else if service == b"postfix/cleanup" {
                 handle_cleanup_message(line, self, complete_line);
+            } else if service == b"clamd" {
+                handle_clamd_message(line, self, complete_line)
             }
         }
         Ok(())
-- 
2.39.2

[pmg-devel] [PATCH log-tracker 2/2] tests: add clamd signature found log test

[Mira Limbeck]

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
---
 ...st_input_after_queue_clamd_signature_found | 13 +++++++++
 ...t_output_after_queue_clamd_signature_found | 29 +++++++++++++++++++
 tests/tests_after_queue.rs                    | 24 +++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 tests/test_input_after_queue_clamd_signature_found
 create mode 100644 tests/test_output_after_queue_clamd_signature_found

diff --git a/tests/test_input_after_queue_clamd_signature_found b/tests/test_input_after_queue_clamd_signature_found
new file mode 100644
index 0000000..72d24eb
--- /dev/null
+++ b/tests/test_input_after_queue_clamd_signature_found
@@ -0,0 +1,13 @@
+2023-07-19T16:04:27.415550+02:00 pmg postfix/smtpd[1165]: connect from pmghost.mydomain.tld[192.168.1.001]
+2023-07-19T16:04:27.415823+02:00 pmg postfix/smtpd[1165]: 65810380099: client=pmghost.mydomain.tld[192.168.1.001]
+2023-07-19T16:04:27.459569+02:00 pmg postfix/cleanup[1169]: 65810380099: message-id=<redacted:msgid>
+2023-07-19T16:04:27.473604+02:00 pmg postfix/qmgr[746]: 65810380099: from=<redacted:return-path@domain.tld>, size=1968, nrcpt=1 (queue active)
+2023-07-19T16:04:27.473656+02:00 pmg postfix/smtpd[1165]: disconnect from pmghost.mydomain.tld[192.168.1.001] ehlo=1 mail=1 rcpt=1 data=1 commands=4
+2023-07-19T16:04:27.519674+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: new mail message-id=<redacted:msgid>#012
+2023-07-19T16:04:27.528730+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+2023-07-19T16:04:27.528789+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+2023-07-19T16:04:27.528963+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: virus detected: Eicar-Signature (clamav)
+2023-07-19T16:04:27.538824+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: moved mail for <redacted:recipient@mydomain.tld> to virus quarantine - 3835A764B7ED6B8146A (rule: block all)
+2023-07-19T16:04:27.543650+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: processing time: 0.023 seconds (0, 0.009, 0)
+2023-07-19T16:04:27.543837+02:00 pmg postfix/lmtp[1170]: 65810380099: to=<redacted:recipient@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.13, delays=0.06/0/0.04/0.03, dsn=2.5.0, status=sent (250 2.5.0 OK (38089764B7ED6B7DE74))
+2023-07-19T16:04:27.543930+02:00 pmg postfix/qmgr[746]: 65810380099: removed
diff --git a/tests/test_output_after_queue_clamd_signature_found b/tests/test_output_after_queue_clamd_signature_found
new file mode 100644
index 0000000..fde5459
--- /dev/null
+++ b/tests/test_output_after_queue_clamd_signature_found
@@ -0,0 +1,29 @@
+# LogReader: 3430
+# Query options
+# Start: 2023-07-19 00:00:00 (1689724800)
+# End: 2023-07-20 00:00:00 (1689811200)
+# End Query Options
+
+QENTRY: 65810380099
+CTIME: 64B8098B
+SIZE: 1968
+CLIENT: pmghost.mydomain.tld[192.168.1.001]
+MSGID: <redacted:msgid>
+TO:64B8098B:65810380099:Q: from <redacted:return-path@domain.tld> to <redacted:recipient@mydomain.tld> (3835A764B7ED6B8146A)
+SMTP:
+L00000001 2023-07-19T16:04:27.415550+02:00 pmg postfix/smtpd[1165]: connect from pmghost.mydomain.tld[192.168.1.001]
+L00000002 2023-07-19T16:04:27.415823+02:00 pmg postfix/smtpd[1165]: 65810380099: client=pmghost.mydomain.tld[192.168.1.001]
+L00000005 2023-07-19T16:04:27.473656+02:00 pmg postfix/smtpd[1165]: disconnect from pmghost.mydomain.tld[192.168.1.001] ehlo=1 mail=1 rcpt=1 data=1 commands=4
+FILTER: 38089764B7ED6B7DE74
+L00000006 2023-07-19T16:04:27.519674+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: new mail message-id=<redacted:msgid>#012
+L00000007 2023-07-19T16:04:27.528730+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+L00000008 2023-07-19T16:04:27.528789+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+L00000009 2023-07-19T16:04:27.528963+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: virus detected: Eicar-Signature (clamav)
+L0000000A 2023-07-19T16:04:27.538824+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: moved mail for <redacted:recipient@mydomain.tld> to virus quarantine - 3835A764B7ED6B8146A (rule: block all)
+L0000000B 2023-07-19T16:04:27.543650+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: processing time: 0.023 seconds (0, 0.009, 0)
+QMGR:
+L00000003 2023-07-19T16:04:27.459569+02:00 pmg postfix/cleanup[1169]: 65810380099: message-id=<redacted:msgid>
+L00000004 2023-07-19T16:04:27.473604+02:00 pmg postfix/qmgr[746]: 65810380099: from=<redacted:return-path@domain.tld>, size=1968, nrcpt=1 (queue active)
+L0000000C 2023-07-19T16:04:27.543837+02:00 pmg postfix/lmtp[1170]: 65810380099: to=<redacted:recipient@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.13, delays=0.06/0/0.04/0.03, dsn=2.5.0, status=sent (250 2.5.0 OK (38089764B7ED6B7DE74))
+L0000000D 2023-07-19T16:04:27.543930+02:00 pmg postfix/qmgr[746]: 65810380099: removed
+
diff --git a/tests/tests_after_queue.rs b/tests/tests_after_queue.rs
index 8e13564..b6e08b3 100644
--- a/tests/tests_after_queue.rs
+++ b/tests/tests_after_queue.rs
@@ -202,3 +202,27 @@ fn after_queue_duplicate_msgid() {
     let output_reader = BufReader::new(&output.stdout[..]);
     utils::compare_output(output_reader, expected_output);
 }
+
+#[test]
+fn after_queue_clamd_signature_found() {
+    let output = Command::new("faketime")
+        .env("TZ", "Europe/Vienna")
+        .arg("2023-07-20 23:59:59")
+        .arg(utils::log_tracker_path())
+        .arg("-vv")
+        .arg("-s")
+        .arg("2023-07-19 00:00:00")
+        .arg("-e")
+        .arg("2023-07-20 00:00:00")
+        .arg("-i")
+        .arg("tests/test_input_after_queue_clamd_signature_found")
+        .output()
+        .expect("failed to execute pmg-log-tracker");
+
+    let expected_file = File::open("tests/test_output_after_queue_clamd_signature_found")
+        .expect("failed to open test_output");
+
+    let expected_output = BufReader::new(&expected_file);
+    let output_reader = BufReader::new(&output.stdout[..]);
+    utils::compare_output(output_reader, expected_output);
+}
-- 
2.39.2

Re: [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output

[Dominik Csapak]

hi,

in general it works and does what is says,
but after looking at the log tracker output, i'm nto sure if it's worth
it. we log the same info directly after that from the pmg-smtp-filter...

otoh, the code is not that big and probably doesn't hurt either

@stoiko, maybe you have some input on that?

in any case, consider both patches

Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
Tested-by: Dominik Csapak <d.csapak@proxmox.com>

Re: [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output

[Stoiko Ivanov]

hi,


On Fri, 4 Aug 2023 14:09:32 +0200
Dominik Csapak <d.csapak@proxmox.com> wrote:

> hi,
> 
> in general it works and does what is says,
> but after looking at the log tracker output, i'm nto sure if it's worth
> it. we log the same info directly after that from the pmg-smtp-filter...
> 
> otoh, the code is not that big and probably doesn't hurt either
> 
> @stoiko, maybe you have some input on that?
hm - a bit ambivalent on this:
* on the one hand - having more information, which is useful for most
  common setups (only ClamAV is used) might help
* on the other hand - if we have exactly the same information (which virus
  was detected, and by which engine one line below I don't see the benefit
  of adding more lines)

Currently I'd rather not apply it - but I'm not too set on this either.


> 
> in any case, consider both patches
> 
> Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
> Tested-by: Dominik Csapak <d.csapak@proxmox.com>
> 
> 
> 
> 
> _______________________________________________
> pmg-devel mailing list
> pmg-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
> 
>