
Mailing List Archive: ClamAV: users

clamstats script

 

 



cpollock at earthlink

May 24, 2006, 3:49 PM

Post #1 of 16 (6031 views)
clamstats script

I've downloaded a script that is supposed to output stats on viruses that
clamav detects. Needless to say it's not working correctly and I'm
soliciting some help since I know nothing about perl. I'm sort of getting
output however it doesn't show any viruses detected. I'd attach the script
but I don't know how the listowner is about attachments. If some kind soul
would like to take a look at it I'll email it to them or if it's permissible
to attach it here I'll do that.


Output from command /usr/local/bin/clamstats.pl ..

ClamAV Statistics
cpollock

--------------------------------------------------------
clamd last started Sat May 20 16:07:28 2006
--------------------------------------------------------
Statistics since
Last Database Update Wed May 24 16:13:29 2006
--------------------------------------------------------
Total viruses detected 0
Total Database Signatures 56,471
--------------------------------------------------------
1 FreshClam errors, last on Thu May 11 01:11:40 2006: Can't query current.cvd.clamav.net

0 Virus Types Detected
------------------------------------------


0 File Extensions Used
--------------------------


By Date ( . = 1 viruses )
--------------------------


By Hour ( . = 1 viruses )
--------------------------


By Month ( . = 1 viruses )
-------------------------


By Year ( . = 1 viruses )
--------------------------

Thanks

Chris

--
Chris
Registered Linux User 283774 http://counter.li.org
17:44:43 up 10 days, 5:44, 1 user, load average: 0.06, 0.09, 0.14
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


rickm at ummm-beer

May 24, 2006, 3:54 PM

Post #2 of 16 (5869 views)
Re: clamstats script [In reply to]

Chris wrote:
> I've downloaded a script that is supposed to output stats on viruses that
> clamav detects. Needless to say it's not working correctly and I'm
> soliciting some help since I know nothing about perl. I'm sort of getting
> output however it doesn't show any viruses detected. I'd attach the script
> but I don't know how the listowner is about attachments. If some kind soul
> would like to take a look at it I'll email it to them or if it's permissible
> to attach it here I'll do that.
>

What mailer are you running ?

I developed this http://newmail.axess.com/virus/

But it's only currently for Qmail/simscan (until someone wants to write
a backend for another scanner).

Regards,

Rick

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html


cpollock at earthlink

May 24, 2006, 4:56 PM

Post #3 of 16 (5880 views)
Re: clamstats script [In reply to]

On Wednesday 24 May 2006 5:54 pm, Rick Macdougall wrote:
> Chris wrote:
> > I've downloaded a script that is supposed to output stats on viruses
> > that clamav detects. Needless to say it's not working correctly and I'm
> > soliciting some help since I know nothing about perl. I'm sort of
> > getting output however it doesn't show any viruses detected. I'd
> > attach the script but I don't know how the listowner is about
> > attachments. If some kind soul would like to take a look at it I'll
> > email it to them or if it's permissible to attach it here I'll do that.
>
> What mailer are you running ?
>
> I developed this http://newmail.axess.com/virus/
>
> But it's only currently for Qmail/simscan (until someone wants to write
> a backend for another scanner).
>
> Regards,
>
> Rick
>

Kmail, however, it's called via a plug-in for Spamassassin.

--
Chris
Registered Linux User 283774 http://counter.li.org
18:52:40 up 10 days, 6:52, 1 user, load average: 0.41, 0.27, 0.15
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


rickm at ummm-beer

May 24, 2006, 5:05 PM

Post #4 of 16 (5878 views)
Re: clamstats script [In reply to]

Chris wrote:
> On Wednesday 24 May 2006 5:54 pm, Rick Macdougall wrote:
>> I developed this http://newmail.axess.com/virus/
>>
>> But it's only currently for Qmail/simscan (until someone wants to write
>> a backend for another scanner).
>>
>>
>
> Kmail, however, it's called via a plug-in for Spamassassin.

I believe kmail is an email client not an MTU, what is your MTU (ie
sendmail, exim, qmail, postfix etc)

As well, SpamAssassin finds spam, not viruses.

Regards,

Rick


cpollock at earthlink

May 24, 2006, 5:15 PM

Post #5 of 16 (5872 views)
Re: clamstats script [In reply to]

On Wednesday 24 May 2006 7:05 pm, Rick Macdougall wrote:
> Chris wrote:
> > On Wednesday 24 May 2006 5:54 pm, Rick Macdougall wrote:
> >> I developed this http://newmail.axess.com/virus/
> >>
> >> But it's only currently for Qmail/simscan (until someone wants to
> >> write a backend for another scanner).
> >
> > Kmail, however, it's called via a plug-in for Spamassassin.
>
> I believe kmail is an email client not an MTU, what is your MTU (ie
> sendmail, exim, qmail, postfix etc)
>
> As well, SpamAssassin finds spam, not viruses.
>
> Regards,

My mistake, mail is picked up via fetchmail, run through procmail where
spamassassin is called. There is a clamav plugin for SA:

loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10.00

Which I'm using. There is a clamd.log and a freshclam.log
in /var/log/clamav. Clamav is detecting viruses:

Wed May 24 18:33:49 2006 -> Accepted connection on port 1451, fd 8
Wed May 24 18:33:49 2006 -> stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND
Wed May 24 18:33:52 2006 -> Accepted connection on port 1995, fd 8
Wed May 24 18:33:52 2006 -> stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND
Wed May 24 18:50:26 2006 -> SelfCheck: Database status OK.
Wed May 24 18:50:26 2006 -> Accepted connection on port 1141, fd 8
Wed May 24 18:50:26 2006 -> stream: Html.Phishing.Bank.Sanesecurity.06032100 FOUND

One thing that was pointed out to me by someone else who looked at the
script, but doesn't run clamav is this:

I'm really not that familiar with clamav log files, but the script is looking
for patterns in the log that it is not finding. This regular expression test
on line 96 is never true:

if (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d+).+mdefang-(\w+)\/Work\/msg-\d+-\d+\.(\w+):\s+(.+)\sFOUND/) {

so it never picks up anything.

Why it's looking for these specific strings, I don't know, because I don't
know clamav
Chris

--
Chris
Registered Linux User 283774 http://counter.li.org
19:09:36 up 10 days, 7:09, 1 user, load average: 0.33, 0.31, 0.23
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


clamlist at gmail

May 25, 2006, 12:53 AM

Post #6 of 16 (5870 views)
Re: clamstats script [In reply to]

> I developed this http://newmail.axess.com/virus/

I had installed it into a FC4 box, I see the layout of the webpage but no
statistics.


steve at lobefin

May 25, 2006, 2:11 AM

Post #7 of 16 (5873 views)
Re: clamstats script [In reply to]

On Wed, May 24, 2006 at 07:15:03PM -0500, Chris said:

(mail reformatted so I can see the regex next to the log line)

> I'm really not that familiar with clamav log files, but the script is
> looking for patterns in the log that it is not finding. This regular
> expression test on line 96 is never true:
>
> if (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d+).+mdefang-(\w+)\/Work\/msg-\d+-\d+\.(\w+):\s+(.+)\sFOUND/) {  
>
> Wed May 24 18:33:49 2006 -> stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND

I have roughly lined up the regex with the pattern it matches - do you
see where it breaks down? It looks to me like this was written for a
mime defang log, not a clamav log.

I think
^\w{3}\s\w{3}\s{1,2}\d{1,2}\s(\d+:){2}\d{2}\s\d{4}\s->\sstream:\s(\w\.\d-)+\sFOUND$

or so is more what you want. You may need to poke it a bit to make it
work - this is just off the top of my head.

Hope that helps,
--
--------------------------------------------------------------------------
| Stephen Gran | A quarrel is quickly settled when |
| steve[at]lobefin.net | deserted by one party; there is no |
| http://www.lobefin.net/~steve | battle unless there be two. -- Seneca |
--------------------------------------------------------------------------
Attachments: signature.asc (0.18 KB)


rickm at ummm-beer

May 25, 2006, 5:39 AM

Post #8 of 16 (5868 views)
Re: clamstats script [In reply to]

ClamAV List wrote:
>
>> I developed this http://newmail.axess.com/virus/
>
> I had installed it into a FC4 box, I see the layout of the webpage but no
> statistics.
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html

Hi,

Are you running qmail/simscan ?

Are you running the virusscan program ?

Did you read the README ?

Regards,

Rick



jk at nerdworks

May 25, 2006, 12:07 PM

Post #9 of 16 (5859 views)
Re: clamstats script [In reply to]

<snip>

> I developed this http://newmail.axess.com/virus/

Do you mind sharing it?

Regards
Joran Kvalvaag

> But it's only currently for Qmail/simscan (until someone wants to write
> a backend for another scanner).

> Regards,

> Rick


rickm at ummm-beer

May 25, 2006, 7:07 PM

Post #10 of 16 (5860 views)
Re: clamstats script [In reply to]

J Kvalvaag wrote:
> <snip>
>
>> I developed this http://newmail.axess.com/virus/
>
> Do you mind sharing it?
>
> Regards
> Joran Kvalvaag

Hi,

You can find it at http://www.limelyte.com under Software, it's called
virusstats.

Regards,

Rick



cpollock at earthlink

Jun 4, 2006, 12:10 PM

Post #11 of 16 (5721 views)
clamstats script [In reply to]

With a lot of help from various sources including the author the script
almost works. I've uploaded it here:

http://ez-files.net/download.php?file=0f603e13

along with the html output as it is now:

http://ez-files.net/download.php?file=67835219

which is obtained by running:

clamstats.pl --html > (/folder/outputfile.html)

It seems to read the freshclam.log correctly and posts the correct stats,
however, for some unknown reason it appears to not be reading the clamd.log
at all. At least it's not posting any virus statistics. Can anyone see what
the problem may be?

Thanks for any and all help
If you can't d/l the files I'll be glad to just send them direct.

Chris

--
Chris
Registered Linux User 283774 http://counter.li.org
14:03:42 up 21 days, 2:03, 1 user, load average: 0.55, 0.42, 0.20
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


steve at lobefin

Jun 4, 2006, 12:37 PM

Post #12 of 16 (5724 views)
Re: clamstats script [In reply to]

On Sun, Jun 04, 2006 at 02:10:16PM -0500, Chris said:
> It seems to read the freshclam.log correctly and posts the correct stats,
> however, for some unknown reason it appears to not be reading the clamd.log
> at all. At least it's not posting any virus statistics. Can anyone see what
> the problem may be?
>
> Thanks for any and all help
> If you can't d/l the files I'll be glad to just send them direct.

Your regexes (at least in the version I downloaded) are multi-line.
This is almost always not what you meant to do. Mush them all into one
long line, and if you need whitespace, use the \s matcher explicitly
instead of accidentally. It matches for me once I do the above (and
take out the word 'stream' since I use SCAN rather than STREAM on this
machine).

Take care,
--
--------------------------------------------------------------------------
| Stephen Gran | I am very fond of the company of |
| steve[at]lobefin.net | ladies. I like their beauty, I like |
| http://www.lobefin.net/~steve | their delicacy, I like their vivacity, |
| | and I like their silence. -- Samuel |
| | Johnson |
--------------------------------------------------------------------------
Attachments: signature.asc (0.18 KB)


cpollock at earthlink

Jun 4, 2006, 1:25 PM

Post #13 of 16 (5724 views)
Re: clamstats script [In reply to]

On Sunday 04 June 2006 2:37 pm, Stephen Gran wrote:
> On Sun, Jun 04, 2006 at 02:10:16PM -0500, Chris said:
> > It seems to read the freshclam.log correctly and posts the correct
> > stats, however, for some unknown reason it appears to not be reading
> > the clamd.log at all. At least it's not posting any virus statistics.
> > Can anyone see what the problem may be?
> >
> > Thanks for any and all help
> > If you can't d/l the files I'll be glad to just send them direct.
>
> Your regexes (at least in the version I downloaded) are multi-line.
> This is almost always not what you meant to do. Mush them all into one
> long line, and if you need whitespace, use the \s matcher explicitly
> instead of accidentally. It matches for me once I do the above (and
> take out the word 'stream' since I use SCAN rather than STREAM on this
> machine).
>
> Take care,

When looking at the script with gedit and line breaks off, they're all on
the same line. Removing stream didn't make any difference, at least it
didn't produce any errors. According to my clamd.log stream is used:

Sun Jun 4 08:43:35 2006 -> Accepted connection on port 1512, fd 8
Sun Jun 4 08:43:35 2006 -> stream: Html.Phishing.Ivt.Gen014.Sanesecurity.06041413 FOUND

Shouldn't the script be picking these up?

Unless I'm way off base here.

--
Chris
Registered Linux User 283774 http://counter.li.org
15:21:48 up 21 days, 3:22, 1 user, load average: 0.21, 0.50, 1.11
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk


steve at lobefin

Jun 4, 2006, 4:27 PM

Post #14 of 16 (5712 views)
Re: clamstats script [In reply to]

On Sun, Jun 04, 2006 at 03:25:53PM -0500, Chris said:
> On Sunday 04 June 2006 2:37 pm, Stephen Gran wrote:
> > Your regexes (at least in the version I downloaded) are multi-line.
>
> When looking at the script with gedit and line breaks off, they're all on
> the same line.

This is what I see:

if (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d)$
.+mdefang-(\w+)\/Work\/msg-\d+-\d+\.(\w+):\s+(.+)\sFOUND/ ) {$
^I^I$dow = $1;$
^I^I$month = $2;$
^I^I$day = $3;$
^I^I$time = $4;$
^I^I$year = $5;$
$id = $6;$
$ext = $7;$
$virus = $8;$
} elsif (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d)$
.+stream:\s(.+)\sFOUND/ ) {$

If you don't have the line break before stream or mdefang, I don't know
what to tell you. Besides that, they worked for me and should for most
of the log arrangements I know (well, I don't know mimedefang
particularly, but you're not reading that log).
--
--------------------------------------------------------------------------
| Stephen Gran | In Blythe, California, a city ordinance |
| steve[at]lobefin.net | declares that a person must own at |
| http://www.lobefin.net/~steve | least two cows before he can wear |
| | cowboy boots in public. |
--------------------------------------------------------------------------
Attachments: signature.asc (0.18 KB)


cpollock at earthlink

Jun 4, 2006, 4:52 PM

Post #15 of 16 (5719 views)
Re: clamstats script [In reply to]

On Sunday 04 June 2006 6:27 pm, Stephen Gran wrote:
> On Sun, Jun 04, 2006 at 03:25:53PM -0500, Chris said:
> > On Sunday 04 June 2006 2:37 pm, Stephen Gran wrote:
> > > Your regexes (at least in the version I downloaded) are multi-line.
> >
> > When looking at the script with gedit and line breaks off, they're all
> > on the same line.
>
> This is what I see:
>
> if (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d)$
> .+mdefang-(\w+)\/Work\/msg-\d+-\d+\.(\w+):\s+(.+)\sFOUND/ ) {$
> ^I^I$dow = $1;$
> ^I^I$month = $2;$
> ^I^I$day = $3;$
> ^I^I$time = $4;$
> ^I^I$year = $5;$
> $id = $6;$
> $ext = $7;$
> $virus = $8;$
> } elsif (/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d)$
> .+stream:\s(.+)\sFOUND/ ) {$
>
> If you don't have the line break before stream or mdefang, I don't know
> what to tell you. Besides that, they worked for me and should for most
> of the log arrangements I know (well, I don't know mimedefang
> particularly, but you're not reading that log).

Well, I'll be, you were absolutely right Stephen, I should have been using
another editor I guess. I took the .+stream and put it up after the (\d)
and it works perfectly! The fix was right in front of my eyes all the
time. Thank you so very much.

Chris

--
Chris
Registered Linux User 283774 http://counter.li.org
18:48:37 up 21 days, 6:48, 1 user, load average: 0.87, 0.39, 0.19
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
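
The failure diagnosed in this thread, reproduced as an added example that is not part of any post and is not the clamstats.pl source: a pattern with a line break inside it matches no clamd.log entry, while the same pattern laid out with /x does. The names $broken, $fixed, count_matches and tally are hypothetical, and the last sample log line (a scanned file path instead of "stream") is constructed.

```perl
#!/usr/bin/perl
# Added example, not clamstats.pl: why a pattern with a line break inside it
# never matches clamd.log, and a one-logical-line replacement written with /x.
use strict;
use warnings;

# The stream lines are copied from the thread; the last line (a scanned file
# path instead of "stream") is constructed for illustration.
my @log = (
    'Wed May 24 18:33:49 2006 -> Accepted connection on port 1451, fd 8',
    'Wed May 24 18:33:49 2006 -> stream: Html.Phishing.Bank.Gen503.Sanesecurity.06042004 FOUND',
    'Sun Jun 4 08:43:35 2006 -> stream: Html.Phishing.Ivt.Gen014.Sanesecurity.06041413 FOUND',
    'Sun Jun 4 09:01:02 2006 -> /tmp/example/msg.eml: Eicar-Test-Signature FOUND',
);

# Broken form from the thread: without /x the newline after (\d) is a literal
# character the input must contain, and no log line has one at that position.
my $broken = qr/(\w+)\s(\w+)\s{1,2}(\d{1,2})\s(\d+:\d+:\d+)\s(\d)
.+stream:\s(.+)\sFOUND/;

# With /x, whitespace and line breaks in the pattern are ignored, so it can be
# laid out over several lines; required whitespace is spelled \s explicitly.
my $fixed = qr{
    ^ (\w{3}) \s (\w{3}) \s{1,2} (\d{1,2}) \s   # day of week, month, day
    (\d\d:\d\d:\d\d) \s (\d{4}) \s -> \s         # time, year, arrow
    (?: stream | \S.*? ) : \s                    # STREAM mode or a scanned path
    (\S+) \s FOUND \s* $                         # signature name
}x;

# Number of log lines a given pattern matches.
sub count_matches {
    my ($re, @lines) = @_;
    return scalar grep { $_ =~ $re } @lines;
}

# Detections per signature name, using the /x pattern (capture group 6).
sub tally {
    my (@lines) = @_;
    my %by_sig;
    for my $line (@lines) {
        $by_sig{$6}++ if $line =~ $fixed;
    }
    return %by_sig;
}

printf "broken pattern matched %d line(s)\n", count_matches($broken, @log);
printf "fixed pattern matched %d line(s)\n",  count_matches($fixed,  @log);
my %t = tally(@log);
printf "%-50s %d\n", $_, $t{$_} for sort keys %t;
```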


njh at bandsman

Jun 5, 2006, 3:49 AM

Post #16 of 16 (5722 views)
Re: clamstats script [In reply to]

See also http://www.bandsman.co.uk/cgi-bin/virus/display.pl?number

-Nigel
