From 819c1df0ae4321b3a34324418a830f31bcbddecf Mon Sep 17 00:00:00 2001
From: arjen
Date: Sat, 4 Jun 2005 07:13:30 +0000
Subject: [PATCH] Added log analysis for spam and abuse in sendmail log entries.

---
 src/gcm_daemon/classes/gnucomo.process_log.php | 259 ++++++++++++++++---------
 1 file changed, 164 insertions(+), 95 deletions(-)

diff --git a/src/gcm_daemon/classes/gnucomo.process_log.php b/src/gcm_daemon/classes/gnucomo.process_log.php
index 2dec2de..78a8d9d 100644
--- a/src/gcm_daemon/classes/gnucomo.process_log.php
+++ b/src/gcm_daemon/classes/gnucomo.process_log.php
@@ -145,112 +145,181 @@ function linux_daemon_sendmail() $local_logline_array = explode (" ", $local_log_string); $local_sql_1 = "INSERT INTO log_adv_daemon_email"; //BASIC STATEMENT - $local_sql_2 = "logid, detailed_table, service, internal_messageid "; //FIELDS + $local_sql_2 = "logid, detailed_table, service"; //FIELDS $local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_daemon_email', 'sendmail'"; //VALUES - $local_sql_3 .= ", '".substr (trim($local_logline_array[5]), 0 - ,strlen(trim($local_logline_array[5])) -1)."'"; - $local_len = 0; - $local_id = 0; + $message_id = trim($local_logline_array[5], " \t:"); - for ($i = 6; $i <= ( count($local_logline_array) - 1); $i++) + if ($message_id == 'NOQUEUE') { + // This is an error rather than a real message id. + + $local_sql_2 .= ", event"; + $local_sql_3 .= ", '". $message_id ."'"; + + // Try to find the source IP address in the 6th or 7th word. + + $source_ip = strstr($local_logline_array[6], "["); + if ($source_ip) + { + $end = strpos($source_ip, "]"); + $source_ip = substr($source_ip, 1, $end - 1); + } + else + { + $source_ip = strstr($local_logline_array[7], "["); + if ($source_ip) + { + $end = strpos($source_ip, "]"); + $source_ip = substr($source_ip, 1, $end - 1); + } + } - //Get rid of the nasty comma's at the end - if ( substr($local_logline_array[$i], strlen($local_logline_array[$i])-1, 1) == "," ) - { - $local_dummylength = strlen($local_logline_array[$i]) -1; - $local_dummy = substr ($local_logline_array[$i], 0,$local_dummylength ); - $local_logline_array[$i] = trim($local_dummy); - } + if ($source_ip) + { + // We found a source IP address - if (substr($local_logline_array[$i],0,1) == '[' && strstr($local_sql_2, "source_ip") == false) - { - $local_dummy = trim($local_logline_array[$i]); $local_sql_2 .= ", source_ip"; - $local_sql_3 .= ", '".substr($local_dummy, 1, strlen($local_dummy)-2)."'"; - } - else if (strstr($local_logline_array[$i], "=")) - { - - $local_element = explode("=", 
$local_logline_array[$i]); - - switch (strtolower($local_element[0])) + $local_sql_3 .= ", '". $source_ip ."'"; + } + else + { + echo "Sendmail error NOQUEUE but no source IP found. logid = " .$dbms->db_result_row[0] . "\n"; + } + } + else + { + $local_sql_2 .= ", internal_messageid"; + $local_sql_3 .= ", '". $message_id ."'"; + $local_len = 0; + $local_id = 0; + + for ($i = 6; $i <= ( count($local_logline_array) - 1); $i++) + { + + //Get rid of the nasty comma's at the end + if ( substr($local_logline_array[$i], strlen($local_logline_array[$i])-1, 1) == "," ) { - case "from": - $local_sql_2 .= ", from_email"; - $local_sql_3 .= ", '". addslashes($local_element[1]) ."'"; - break; - - case "size": - $local_sql_2 .= ", size"; - $local_sql_3 .= ", '".$local_element[1]."'"; - break; - - case "delay": - $local_sql_2 .= ", delay"; - $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'"; - break; - - case "xdelay": - $local_sql_2 .= ", xdelay"; - $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'"; - break; - - case "mailer": - $local_sql_2 .= ", mailer"; - $local_sql_3 .= ", '".$local_element[1]."'"; - break; - - case "dsn": - $local_sql_2 .= ", dsn"; - $local_sql_3 .= ", '".$local_element[1]."'"; - break; - - case "msgid": - $local_sql_2 .= ", external_messageid"; - if (substr($local_element[1],0,1) == '<') - { - $local_sql_3 .= ", '"; - $local_sql_3 .= substr($local_element[1],1,(strlen($local_element[1])-2)); - $local_sql_3 .= "'"; - } - else + $local_dummylength = strlen($local_logline_array[$i]) -1; + $local_dummy = substr ($local_logline_array[$i], 0,$local_dummylength ); + $local_logline_array[$i] = trim($local_dummy); + } + + if (substr($local_logline_array[$i],0,1) == '[' && strstr($local_sql_2, "source_ip") == false) + { + $local_dummy = trim($local_logline_array[$i], " []:"); + $local_sql_2 .= ", source_ip"; + $local_sql_3 .= ", '$local_dummy'"; + } + else if (strstr($local_logline_array[$i], "=")) + { + + $local_element = 
explode("=", $local_logline_array[$i]); + + switch (strtolower($local_element[0])) { + case "from": + $local_sql_2 .= ", from_email"; + $local_sql_3 .= ", '". addslashes($local_element[1]) ."'"; + break; + + case "relay": + $local_sql_2 .= ", relay"; + $local_sql_3 .= ", '". addslashes(trim($local_element[1], " []")) ."'"; + break; + + case "size": + $local_sql_2 .= ", size"; $local_sql_3 .= ", '".$local_element[1]."'"; + break; + + case "delay": + $local_sql_2 .= ", delay"; + $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'"; + break; + + case "xdelay": + $local_sql_2 .= ", xdelay"; + $local_sql_3 .= ", '".ereg_replace("\+", " ", $local_element[1])."'"; + break; + + case "mailer": + $local_sql_2 .= ", mailer"; + $local_sql_3 .= ", '".$local_element[1]."'"; + break; + + case "dsn": + $local_sql_2 .= ", dsn"; + $local_sql_3 .= ", '".$local_element[1]."'"; + break; + + case "msgid": + $local_sql_2 .= ", external_messageid"; + if (substr($local_element[1],0,1) == '<') + { + $local_sql_3 .= ", '"; + $local_sql_3 .= substr($local_element[1],1,(strlen($local_element[1])-2)); + $local_sql_3 .= "'"; + } + else + { + $local_sql_3 .= ", '".$local_element[1]."'"; + } + break; + + //As of this point we only deal with Status + case "stat": + $local_sql_2 .= ", status"; + $local_sql_3 .= ", '".$local_element[1]."'"; + + $local_pos = strrpos (strtolower($local_logline_array[$i]), "stat="); + $local_len = strlen($local_logline_array[$i]) - $local_pos - 6; + $local_sql_2 .= ", status_details"; + $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 5, $local_len) . "'"; + break; + + case "status": + $local_sql_2 .= ", status"; + $local_sql_3 .= ", '".$local_element[1]."'"; + + $local_pos = strrpos (strtolower($local_logline_array[$i]), "status="); + $local_len = strlen($local_logline_array[$i]) - $local_pos - 8; + $local_sql_2 .= ", status_details"; + $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 7, $local_len) . 
"'"; + break; + + case "reject": + if ($local_element[1] == "550") + { + $local_sql_2 .= ", event"; + $local_sql_3 .= ", 'SPAM'"; + } + else if ($local_element[1] == "553") + { + $local_sql_2 .= ", event"; + $local_sql_3 .= ", 'Blocked SPAM'"; + } + else + { + echo "Unknown reject code in sendmail log: " . $local_element[1] . + ", logid = " .$dbms->db_result_row[0] . "\n"; + } + break; + + case "POSSIBLE": + echo "POSSIBLE ATTACK special report: $local_log_string\n"; + break; + + default: + if (substr(strtolower($local_element[0]),0,1) == "[") + { + $local_sql_2 .= ", destination_ip"; + $local_sql_3 .= ", '". substr($local_element[1], 1, strlen($local_element[1]) - 2)."'"; + } + break; } - break; - - //As of this point we only deal with Status - case "stat": - $local_sql_2 .= ", status"; - $local_sql_3 .= ", '".$local_element[1]."'"; - - $local_pos = strrpos (strtolower($local_logline_array[$i]), "stat="); - $local_len = strlen($local_logline_array[$i]) - $local_pos - 6; - $local_sql_2 .= ", status_details"; - $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 5, $local_len) . "'"; - break; - - case "status": - $local_sql_2 .= ", status"; - $local_sql_3 .= ", '".$local_element[1]."'"; - - $local_pos = strrpos (strtolower($local_logline_array[$i]), "status="); - $local_len = strlen($local_logline_array[$i]) - $local_pos - 8; - $local_sql_2 .= ", status_details"; - $local_sql_3 .= ", '".substr($local_logline_array[$i], $local_pos + 7, $local_len) . "'"; - break; - - default: - if (substr(strtolower($local_element[0]),0,1) == "[") - { - $local_sql_2 .= ", destination_ip"; - $local_sql_3 .= ", '". substr($local_element[1], 1, strlen($local_element[1]) - 2)."'"; - } - break; } - } + } } //Now that the data is complete create the SQL-statement 
@@ -279,7 +348,7 @@ function linux_kernel_network()
 $local_logline_array = explode (" ", $local_log_string);
 $local_sql_1 = "INSERT INTO log_adv_kernel_network"; //BASIC STATEMENT
 $local_sql_2 = "logid, detailed_table"; //FIELDS
- $local_sql_3 = "'".$dbms->db_result_row[0]."', 'kernel_network'"; //VALUES
+ $local_sql_3 = "'".$dbms->db_result_row[0]."', 'log_adv_kernel_network'"; //VALUES
 $local_len = 0;
 $local_id = 0;
 $local_tos = "F";

-- 
2.11.0