* [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output
@ 2023-07-19 15:13 Mira Limbeck
2023-07-19 15:13 ` [pmg-devel] [PATCH log-tracker 2/2] tests: add clamd signature found log test Mira Limbeck
2023-08-04 12:09 ` [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output Dominik Csapak
0 siblings, 2 replies; 4+ messages in thread
From: Mira Limbeck @ 2023-07-19 15:13 UTC (permalink / raw)
To: pmg-devel
clamd reports found signatures in the log which can be matched by the
same Queue ID pmg-smtp-filter uses. This QID makes it possible to add
those messages to the log output.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
---
src/main.rs | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/main.rs b/src/main.rs
index e55f17b..dbcd7bc 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -777,6 +777,20 @@ fn handle_cleanup_message(msg: &[u8], parser: &mut Parser, complete_line: &[u8])
}
}
+fn handle_clamd_message(msg: &[u8], parser: &mut Parser, complete_line: &[u8]) {
+ let data = match msg.strip_prefix(b"/var/spool/pmg/active/") {
+ Some(data) => data,
+ None => return,
+ };
+ let (qid, _data) = match parse_qid(data, 25) {
+ Some(t) => t,
+ None => return,
+ };
+
+ let fe = get_or_create_fentry(&mut parser.fentries, qid);
+ fe.borrow_mut().log.push((complete_line.into(), parser.lines));
+}
+
#[derive(Default, Debug)]
struct NoqueueEntry {
from: Box<[u8]>,
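Review bot: handle_clamd_message attaches every clamd line that names a file under /var/spool/pmg/active/, not only the "signature found" messages the subject line describes; the remainder after the QID is dropped as `_data`, so a scan error or warning clamd logs for the same spool path would be attached as well. Either check the remainder before pushing (for example that `_data` starts with `: ` and ends with ` FOUND`), or reword the commit message to say that all clamd messages for a spooled mail are attached. The second argument `25` to `parse_qid` is also an unexplained literal (the QIDs in the test data are 19 characters), so a short comment or a named constant stating what it bounds would help. Lastly, `get_or_create_fentry` will create a filter entry from a clamd line alone; that is harmless for the ordering in the test input, but a clamd line with no matching pmg-smtp-filter entry will produce an entry that contains only that line.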
@@ -1904,6 +1918,8 @@ impl Parser {
handle_smtpd_message(line, self, complete_line);
} else if service == b"postfix/cleanup" {
handle_cleanup_message(line, self, complete_line);
+ } else if service == b"clamd" {
+ handle_clamd_message(line, self, complete_line)
}
}
Ok(())
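Review bot: the new branch omits the trailing semicolon after `handle_clamd_message(line, self, complete_line)`, unlike the `handle_cleanup_message(line, self, complete_line);` arm directly above it. It compiles because the call returns `()` and is the tail expression of the block, but add the `;` so the arms stay consistent.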
--
2.39.2
^ permalink raw reply [flat|nested] 4+ messages in thread
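The matching the commit message describes, as an added example in Rust that is not pmg-log-tracker's code: syslog lines from pmg-smtp-filter and clamd are grouped by the filter's queue id, and a clamd line is attached only when it names a spooled mail and carries a `FOUND` verdict, so non-verdict clamd messages for the same path stay out of the entry. Assumptions: the spool prefix is the one from the patch; a QID is read as upper-case hex of at most 25 characters (the patch's `parse_qid(data, 25)` is interpreted here as a length bound, which the patch does not confirm); `split_syslog`, `parse_qid`, `track`, `FilterEntry` and the sample lines are constructed for this example, modelled on the test fixture in this thread, and the "Can't open file" and "SelfCheck" lines are invented non-verdict messages.

```rust
// Added example (not pmg-log-tracker code): group pmg-smtp-filter and clamd
// syslog lines by the filter queue id (QID) and attach only clamd scan
// verdicts ("... FOUND") to the matching entry.
use std::collections::BTreeMap;

/// Spool directory clamd names in its verdicts (taken from the patch).
const SPOOL_PREFIX: &str = "/var/spool/pmg/active/";
/// Assumed upper bound on QID length; the patch passes 25 to parse_qid and
/// this example reads that value as a maximum length.
const MAX_QID_LEN: usize = 25;

#[derive(Debug, Default, PartialEq)]
pub struct FilterEntry {
    /// Every attached log line, in input order.
    pub lines: Vec<String>,
    /// Signature names taken from clamd "FOUND" verdicts.
    pub signatures: Vec<String>,
}

/// Splits `<timestamp> <host> <prog>[<pid>]: <message>` into (prog, message),
/// with the "[pid]" suffix stripped from prog.
pub fn split_syslog(line: &str) -> Option<(&str, &str)> {
    let mut parts = line.splitn(3, ' ');
    let _timestamp = parts.next()?;
    let _host = parts.next()?;
    let rest = parts.next()?;
    let (prog, msg) = rest.split_once(": ")?;
    let service = prog.split('[').next()?;
    Some((service, msg))
}

/// Reads a QID (assumed: upper-case hex, 1..=MAX_QID_LEN chars) off the
/// front of `s`, returning it together with the remainder.
pub fn parse_qid(s: &str) -> Option<(&str, &str)> {
    let is_qid_char = |c: char| c.is_ascii_digit() || ('A'..='F').contains(&c);
    let end = s.find(|c: char| !is_qid_char(c)).unwrap_or(s.len());
    if end == 0 || end > MAX_QID_LEN {
        return None;
    }
    Some((&s[..end], &s[end..]))
}

/// Groups lines by QID. Filter lines are attached when the message starts
/// with "<QID>: "; clamd lines only when they name a spooled mail AND carry
/// a "FOUND" verdict, so errors or warnings for the same path are ignored.
pub fn track(lines: &[&str]) -> BTreeMap<String, FilterEntry> {
    let mut entries: BTreeMap<String, FilterEntry> = BTreeMap::new();
    for line in lines {
        let (service, msg) = match split_syslog(line) {
            Some(t) => t,
            None => continue,
        };
        match service {
            "pmg-smtp-filter" => {
                if let Some((qid, rest)) = parse_qid(msg) {
                    if rest.starts_with(": ") {
                        let entry = entries.entry(qid.to_string()).or_default();
                        entry.lines.push(line.to_string());
                    }
                }
            }
            "clamd" => {
                let path = match msg.strip_prefix(SPOOL_PREFIX) {
                    Some(p) => p,
                    None => continue,
                };
                let (qid, rest) = match parse_qid(path) {
                    Some(t) => t,
                    None => continue,
                };
                // Verdicts look like ": <Signature-Name> FOUND"; anything else
                // for this path (errors, warnings) is not a scan result.
                let sig = match rest.strip_prefix(": ").and_then(|v| v.strip_suffix(" FOUND")) {
                    Some(s) => s,
                    None => continue,
                };
                let entry = entries.entry(qid.to_string()).or_default();
                entry.lines.push(line.to_string());
                entry.signatures.push(sig.to_string());
            }
            _ => {}
        }
    }
    entries
}

/// Constructed sample, modelled on the test fixture in this thread; the
/// "Can't open file" and "SelfCheck" lines are invented non-verdict messages.
pub const SAMPLE_LOG: &[&str] = &[
    "2023-07-19T16:04:27.519674+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: new mail message-id=<redacted:msgid>",
    "2023-07-19T16:04:27.528730+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND",
    "2023-07-19T16:04:27.528963+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: virus detected: Eicar-Signature (clamav)",
    "2023-07-19T16:04:28.000000+02:00 pmg clamd[638]: /var/spool/pmg/active/3835A764B7ED6B8146A: Can't open file or directory",
    "2023-07-19T16:04:28.100000+02:00 pmg clamd[638]: SelfCheck: Database status OK.",
];

fn main() {
    for (qid, entry) in track(SAMPLE_LOG) {
        println!("FILTER: {} signatures={:?}", qid, entry.signatures);
        for l in &entry.lines {
            println!("  {}", l);
        }
    }
}
```

Running it on the sample yields a single entry for 38089764B7ED6B7DE74 with the two filter lines and the clamd verdict in log order; the "Can't open file" line for 3835A764B7ED6B8146A creates no entry because it is not a verdict, and the SelfCheck line is skipped because it names no spooled file.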
* [pmg-devel] [PATCH log-tracker 2/2] tests: add clamd signature found log test
2023-07-19 15:13 [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output Mira Limbeck
@ 2023-07-19 15:13 ` Mira Limbeck
2023-08-04 12:09 ` [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output Dominik Csapak
1 sibling, 0 replies; 4+ messages in thread
From: Mira Limbeck @ 2023-07-19 15:13 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
---
...st_input_after_queue_clamd_signature_found | 13 +++++++++
...t_output_after_queue_clamd_signature_found | 29 +++++++++++++++++++
tests/tests_after_queue.rs | 24 +++++++++++++++
3 files changed, 66 insertions(+)
create mode 100644 tests/test_input_after_queue_clamd_signature_found
create mode 100644 tests/test_output_after_queue_clamd_signature_found
diff --git a/tests/test_input_after_queue_clamd_signature_found b/tests/test_input_after_queue_clamd_signature_found
new file mode 100644
index 0000000..72d24eb
--- /dev/null
+++ b/tests/test_input_after_queue_clamd_signature_found
@@ -0,0 +1,13 @@
+2023-07-19T16:04:27.415550+02:00 pmg postfix/smtpd[1165]: connect from pmghost.mydomain.tld[192.168.1.001]
+2023-07-19T16:04:27.415823+02:00 pmg postfix/smtpd[1165]: 65810380099: client=pmghost.mydomain.tld[192.168.1.001]
+2023-07-19T16:04:27.459569+02:00 pmg postfix/cleanup[1169]: 65810380099: message-id=<redacted:msgid>
+2023-07-19T16:04:27.473604+02:00 pmg postfix/qmgr[746]: 65810380099: from=<redacted:return-path@domain.tld>, size=1968, nrcpt=1 (queue active)
+2023-07-19T16:04:27.473656+02:00 pmg postfix/smtpd[1165]: disconnect from pmghost.mydomain.tld[192.168.1.001] ehlo=1 mail=1 rcpt=1 data=1 commands=4
+2023-07-19T16:04:27.519674+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: new mail message-id=<redacted:msgid>#012
+2023-07-19T16:04:27.528730+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+2023-07-19T16:04:27.528789+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+2023-07-19T16:04:27.528963+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: virus detected: Eicar-Signature (clamav)
+2023-07-19T16:04:27.538824+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: moved mail for <redacted:recipient@mydomain.tld> to virus quarantine - 3835A764B7ED6B8146A (rule: block all)
+2023-07-19T16:04:27.543650+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: processing time: 0.023 seconds (0, 0.009, 0)
+2023-07-19T16:04:27.543837+02:00 pmg postfix/lmtp[1170]: 65810380099: to=<redacted:recipient@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.13, delays=0.06/0/0.04/0.03, dsn=2.5.0, status=sent (250 2.5.0 OK (38089764B7ED6B7DE74))
+2023-07-19T16:04:27.543930+02:00 pmg postfix/qmgr[746]: 65810380099: removed
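Review bot: the client address `192.168.1.001` in the postfix/smtpd lines has a leading zero in the last octet, which Postfix does not emit when it logs a peer address as a dotted quad; the tracker treats it as an opaque string, so the test still passes, but `192.168.1.1` would keep the fixture realistic. The two identical clamd `FOUND` lines at 16:04:27.528730 and 16:04:27.528789 are fine to keep, since they show that both get attached to the same entry rather than deduplicated.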
diff --git a/tests/test_output_after_queue_clamd_signature_found b/tests/test_output_after_queue_clamd_signature_found
new file mode 100644
index 0000000..fde5459
--- /dev/null
+++ b/tests/test_output_after_queue_clamd_signature_found
@@ -0,0 +1,29 @@
+# LogReader: 3430
+# Query options
+# Start: 2023-07-19 00:00:00 (1689724800)
+# End: 2023-07-20 00:00:00 (1689811200)
+# End Query Options
+
+QENTRY: 65810380099
+CTIME: 64B8098B
+SIZE: 1968
+CLIENT: pmghost.mydomain.tld[192.168.1.001]
+MSGID: <redacted:msgid>
+TO:64B8098B:65810380099:Q: from <redacted:return-path@domain.tld> to <redacted:recipient@mydomain.tld> (3835A764B7ED6B8146A)
+SMTP:
+L00000001 2023-07-19T16:04:27.415550+02:00 pmg postfix/smtpd[1165]: connect from pmghost.mydomain.tld[192.168.1.001]
+L00000002 2023-07-19T16:04:27.415823+02:00 pmg postfix/smtpd[1165]: 65810380099: client=pmghost.mydomain.tld[192.168.1.001]
+L00000005 2023-07-19T16:04:27.473656+02:00 pmg postfix/smtpd[1165]: disconnect from pmghost.mydomain.tld[192.168.1.001] ehlo=1 mail=1 rcpt=1 data=1 commands=4
+FILTER: 38089764B7ED6B7DE74
+L00000006 2023-07-19T16:04:27.519674+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: new mail message-id=<redacted:msgid>#012
+L00000007 2023-07-19T16:04:27.528730+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+L00000008 2023-07-19T16:04:27.528789+02:00 pmg clamd[638]: /var/spool/pmg/active/38089764B7ED6B7DE74: Eicar-Signature FOUND
+L00000009 2023-07-19T16:04:27.528963+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: virus detected: Eicar-Signature (clamav)
+L0000000A 2023-07-19T16:04:27.538824+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: moved mail for <redacted:recipient@mydomain.tld> to virus quarantine - 3835A764B7ED6B8146A (rule: block all)
+L0000000B 2023-07-19T16:04:27.543650+02:00 pmg pmg-smtp-filter[783]: 38089764B7ED6B7DE74: processing time: 0.023 seconds (0, 0.009, 0)
+QMGR:
+L00000003 2023-07-19T16:04:27.459569+02:00 pmg postfix/cleanup[1169]: 65810380099: message-id=<redacted:msgid>
+L00000004 2023-07-19T16:04:27.473604+02:00 pmg postfix/qmgr[746]: 65810380099: from=<redacted:return-path@domain.tld>, size=1968, nrcpt=1 (queue active)
+L0000000C 2023-07-19T16:04:27.543837+02:00 pmg postfix/lmtp[1170]: 65810380099: to=<redacted:recipient@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.13, delays=0.06/0/0.04/0.03, dsn=2.5.0, status=sent (250 2.5.0 OK (38089764B7ED6B7DE74))
+L0000000D 2023-07-19T16:04:27.543930+02:00 pmg postfix/qmgr[746]: 65810380099: removed
+
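Review bot: the expected output starts with `# LogReader: 3430` and ends with an empty line after `L0000000D ...: removed`; both look run-dependent or incidental, so the test relies on `utils::compare_output` skipping the `#` header lines and trailing blank lines the way the existing fixtures do. If it compares strictly line by line, this test will be flaky. Otherwise the FILTER block shows the two clamd lines (L00000007, L00000008) interleaved in log order between the filter's own L00000006 and L00000009, which is exactly the behaviour the first patch intends.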
diff --git a/tests/tests_after_queue.rs b/tests/tests_after_queue.rs
index 8e13564..b6e08b3 100644
--- a/tests/tests_after_queue.rs
+++ b/tests/tests_after_queue.rs
@@ -202,3 +202,27 @@ fn after_queue_duplicate_msgid() {
let output_reader = BufReader::new(&output.stdout[..]);
utils::compare_output(output_reader, expected_output);
}
+
+#[test]
+fn after_queue_clamd_signature_found() {
+ let output = Command::new("faketime")
+ .env("TZ", "Europe/Vienna")
+ .arg("2023-07-20 23:59:59")
+ .arg(utils::log_tracker_path())
+ .arg("-vv")
+ .arg("-s")
+ .arg("2023-07-19 00:00:00")
+ .arg("-e")
+ .arg("2023-07-20 00:00:00")
+ .arg("-i")
+ .arg("tests/test_input_after_queue_clamd_signature_found")
+ .output()
+ .expect("failed to execute pmg-log-tracker");
+
+ let expected_file = File::open("tests/test_output_after_queue_clamd_signature_found")
+ .expect("failed to open test_output");
+
+ let expected_output = BufReader::new(&expected_file);
+ let output_reader = BufReader::new(&output.stdout[..]);
+ utils::compare_output(output_reader, expected_output);
+}
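Review bot: the new test body duplicates the preceding `after_queue_*` tests verbatim except for the fixture file names and the dates passed to `-s`/`-e` and faketime. That follows the file's existing pattern, but a small helper taking the test name and the date range would remove the copy and keep the faketime/`TZ=Europe/Vienna` setup in one place; if you do keep the copy, the test is fine as is.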
--
2.39.2
* Re: [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output
2023-07-19 15:13 [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output Mira Limbeck
2023-07-19 15:13 ` [pmg-devel] [PATCH log-tracker 2/2] tests: add clamd signature found log test Mira Limbeck
@ 2023-08-04 12:09 ` Dominik Csapak
2023-09-12 14:18 ` Stoiko Ivanov
1 sibling, 1 reply; 4+ messages in thread
From: Dominik Csapak @ 2023-08-04 12:09 UTC (permalink / raw)
To: Mira Limbeck, pmg-devel
hi,
in general it works and does what it says,
but after looking at the log tracker output, I'm not sure if it's worth
it. we log the same info directly after that from the pmg-smtp-filter...
otoh, the code is not that big and probably doesn't hurt either
@stoiko, maybe you have some input on that?
in any case, consider both patches
Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
Tested-by: Dominik Csapak <d.csapak@proxmox.com>
* Re: [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output
2023-08-04 12:09 ` [pmg-devel] [PATCH log-tracker 1/2] add clamd signature found messages to log output Dominik Csapak
@ 2023-09-12 14:18 ` Stoiko Ivanov
0 siblings, 0 replies; 4+ messages in thread
From: Stoiko Ivanov @ 2023-09-12 14:18 UTC (permalink / raw)
To: Dominik Csapak; +Cc: Mira Limbeck, pmg-devel
hi,
On Fri, 4 Aug 2023 14:09:32 +0200
Dominik Csapak <d.csapak@proxmox.com> wrote:
> hi,
>
> in general it works and does what it says,
> but after looking at the log tracker output, I'm not sure if it's worth
> it. we log the same info directly after that from the pmg-smtp-filter...
>
> otoh, the code is not that big and probably doesn't hurt either
>
> @stoiko, maybe you have some input on that?
hm - a bit ambivalent on this:
* on the one hand - having more information, which is useful for most
common setups (only ClamAV is used) might help
* on the other hand - if we have exactly the same information (which virus
was detected, and by which engine) one line below, I don't see the benefit
of adding more lines
Currently I'd rather not apply it - but I'm not too set on this either.
>
> in any case, consider both patches
>
> Reviewed-by: Dominik Csapak <d.csapak@proxmox.com>
> Tested-by: Dominik Csapak <d.csapak@proxmox.com>