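## Sagator configuration file.
## (c) 2003-2004 Jan ONDREJ (SAL)
##
## This file is Python syntax (note the `from ... import *` lines below):
## every assignment here becomes a setting, and the scanner/service chains
## are ordinary nested function calls.

## Debugging level, 0=errors only, 1=return status, init messages,
## 2=smtp server communication, 3=detailed smtp server communication,
## 4=tracebacks, 5=smtp client communication
## Do not use debug level higher than 9!
DEBUG_LEVEL=3

## New root path (chroot jail). For example '/var/spool/vscan'
CHROOT='/var/spool/vscan'

## Logfile (use a logfile inside the chroot to allow rotating).
## The path is built relative to CHROOT, so it stays reachable after chrooting.
LOGFILE=CHROOT+'/var/log/sagator/sagator.log'

## User and group, under which this program runs.
USER,GROUP='vscan','vscan'

## SMTP server host and port. You must define this smtp server
## in postfix without filtering.
## 127.0.0.1 keeps the unfiltered re-injection port off the network;
## keep it loopback-only unless the MTA really is on another host.
SMTP_SERVER=('127.0.0.1',26)

## Scanners and services
from scanners import *
from srv import *

## Regular expression of scanner output (virus names) that drop() discards.
## Written as given; whether drop() matches case-insensitively is not
## visible here — confirm in scanners before relying on it.
DROP='(worm|@mm|Sobig|Klez|Bugbear|Gibe|Swen|Mimail|Sober|Bagle|Mydoom|Novarg|Lirva)'

# MESSAGE REPORT TEMPLATES
## $-placeholders are filled in by report(). $MSG_HEADER and $SMTP_COMM
## carry the raw headers / SMTP transcript of the scanned (untrusted)
## message, so the report itself is data, not something to act on blindly.
#####################################################################
MY_REPORT_EXE='''\
From: $FROM
To: $TO
Subject: ALERT, Windows executable file found!

ALERT, Windows executable file found!
---------------------------------------------------------------------
Status: $STATUS, as: $QNAME
---------------------------------------------------------------------
Scanner: $SCANNER_NAME, $SCANNER_OUTPUT
---------------------------------------------------------------------
HEADER OF MESSAGE:
$MSG_HEADER
---------------------------------------------------------------------
SMTP COMMUNICATION:
$SMTP_COMM
---------------------------------------------------------------------
'''
#####################################################################
MY_REPORT_VIR='''\
From: $FROM
To: $TO
Subject: ALERT, Virus "$VIRNAME" found!

ALERT, Virus found!
---------------------------------------------------------------------
Status: $STATUS, as: $QNAME
---------------------------------------------------------------------
Scanner: $SCANNER_NAME, $SCANNER_OUTPUT
---------------------------------------------------------------------
HEADER OF MESSAGE:
$MSG_HEADER
---------------------------------------------------------------------
SMTP COMMUNICATION:
$SMTP_COMM
---------------------------------------------------------------------
'''
#####################################################################
MY_REPORT_SPAM='''\
From: $FROM
To: $TO
Subject: ALERT, Spam message found!

ALERT, Spam message found!
---------------------------------------------------------------------
Status: $STATUS, as: $QNAME
---------------------------------------------------------------------
Scanner: $SCANNER_NAME, $SCANNER_OUTPUT
---------------------------------------------------------------------
HEADER OF MESSAGE:
$MSG_HEADER
---------------------------------------------------------------------
SMTP COMMUNICATION:
$SMTP_COMM
---------------------------------------------------------------------
'''
#####################################################################
# Logging template, long but handy when you want to report or observe something
MY_LOG_FORMAT="level='$LEVEL', virname='$VIRNAME', size='$SIZE', sender='$SENDER', recipients='$RECIPIENTS', sagator='$VERSION', scanner='$SCANNER_NAME', qname='$QNAME'\n"

## Now you can define the SCANNERS array. This array contains definitions
## for all scanners used in sagator and its scripts.
## You can define other array names for different services.
## The SCANNERS array for sgscan must have this name.
SCANNERS=[
  log(3,MY_LOG_FORMAT,
    ## In general, there's no need to send directly attached windows executables.
    ## This captures most viruses, and zip-ing exe files saves traffic too!
    status("WindowsExecutable",
      report(['support@localhost'],MY_REPORT_EXE,
        quarantine('/tmp/quarantine/exe/%Y%m','',
          drop(DROP,
            parsemail(
              ## Raw string: '\.' is not a Python escape sequence, so the
              ## pattern is byte-identical to the old form but no longer
              ## triggers the invalid-escape warning on newer Pythons.
              ## The pattern is case-sensitive as written; whether attach_name()
              ## adds a case-insensitive flag is not visible here — confirm,
              ## otherwise e.g. '.EXE' would pass this filter.
              attach_name(r'(\.exe|\.com|\.vxd|\.dll|\.cpl|\.scr|\.pif|\.lnk|\.bat|\.vbs|\.js)$'),
              file_type({'exe': 'Executable'})
            )
            ## if you want to be sure no messages will fail (in case file_type() fails),
            ## add '| const(0)' after the previous right bracket
          )
        )
      )
    ),
    ## check for viruses with clamd and quarantine them in a new dir every month.
    ## The directory /tmp/quarantine/vir is in the chroot jail and should be
    ## writable by the user 'vscan' (and only by that user).
    status("Virus",
      report(['support@localhost'],MY_REPORT_VIR,
        quarantine('/tmp/quarantine/vir/%Y%m','',
          drop(DROP,
            clamd(['localhost',3310])
          )
        )
      )
    ),
    ## filter all spam with spamassassind, quarantine by month, report the accident
    ## to 'support' and forward them to 'admin' to take a look (if he has free time to...).
    status("Spam",
      report(['support@localhost'],MY_REPORT_SPAM,
        quarantine('/tmp/quarantine/spam/%Y%m','',
          deliver_to(['admin@localhost'],
            drop('.', # drop all spams, do not deliver to users (use sqback if needed)
              spamassassind(['localhost',783])
            )
          )
        )
      )
    )
  )
]

## In this section you need to define services, which will be started
## by SAGATOR. You need at least one service to start. An SMTP gateway
## or a command can communicate with SAGATOR over this/these services.
## All listeners below bind to 127.0.0.1; none of them authenticates the
## peer, so do not move them to a routable address without a front filter.
SRV=[
  ## Statistics collector
  ## This service can be used to collect statistics data and a program
  ## (like MRTG) can use these data to show nice graphs. By default
  ## leave this service running, because there is a script in sagator
  ## which uses this service.
  collector('127.0.0.1',28),
  ## SMTP daemon (for postfix, ...)
  ## This service can be used by postfix or any other SMTP daemon.
  ## You need to configure your SMTPd to send all viruses over
  ## this SMTPd. It sends clean emails back to the SMTPd defined above
  ## (by the SMTP_SERVER variable).
  ## Trailing comma kept so that uncommenting a service below stays valid.
  smtpd(SCANNERS,'127.0.0.1',27),
  ## Milter daemon
  ## This service can be used by sendmail's milter. Leave it commented,
  ## if you don't use sendmail SMTP.
  #milter(SCANNERS,"sagator","inet:3333@127.0.0.1")
  ## Standard input filter
  ## Over this service you can use sagator as STDIN -> STDOUT filter.
  ## Configure avfilter(SCANNERS) and run sagator:
  ##   sagator --nodaemon < email
  ## and you will obtain the modified email on standard output.
  #avfilter(SCANNERS)
]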