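## Sagator configuration file.
## (c) 2003-2004 Jan ONDREJ (SAL)
##
## NOTE: this file is Python source that sagator executes at start-up
## (see the `from ... import *` lines below), not an INI file.  Any
## syntax error here stops the whole mail filter.

## Debugging level, 0=errors only, 1=return status, init messages,
## 2=smtp server communication, 3=detailed smtp server communication,
## 4=tracebacks, 5=smtp client communication
## Do not use debug level higher than 9!
## Security note: from level 2 upwards the SMTP dialogue (envelope
## sender/recipients, and at higher levels more of the session) ends up
## in LOGFILE.  Keep the log readable only by the 'vscan' user/root and
## lower this level again once debugging is finished.
DEBUG_LEVEL=3

## Where is new root path. For example '/var/spool/vscan'
CHROOT='/var/spool/vscan'

## Logfile (use logfile in chroot to allow rotating)
LOGFILE=CHROOT+'/var/log/sagator/sagator.log'

## User and group, under which this program runs.
## Unprivileged on purpose: everything reachable from mail content
## (parsing, quarantine, scanner calls) runs as this user inside CHROOT.
USER,GROUP='vscan','vscan'

## SMTP server host and port. You must define this smtp server
## in postfix without filtering.
## Security note: this is the unfiltered re-injection path.  It must
## only be reachable from loopback (as configured here); exposing it on
## an external interface would let anyone bypass the scanner.
SMTP_SERVER=('127.0.0.1',26)

## Scanners and services
from scanners import *
from srv import *

# MESSAGE REPORT TEMPLATES
##
## All three templates are filled with the same %(NAME)s keys.  MSG_HEADER
## and SMTP_COMM are taken from the (untrusted) message/session, so the
## alert recipients below should be local mailboxes only.
#####################################################################
MY_REPORT_EXE='''\
From: %(FROM)s
To: %(TO)s
Subject: ALERT, Windows executable file found!

ALERT, Windows executable file found!
---------------------------------------------------------------------
Status: %(STATUS)s, as: %(QNAME)s
---------------------------------------------------------------------
Scanner: %(SCANNER_NAME)s, %(SCANNER_OUTPUT)s
---------------------------------------------------------------------
HEADER OF MESSAGE:
%(MSG_HEADER)s
---------------------------------------------------------------------
SMTP COMMUNICATION:
%(SMTP_COMM)s
---------------------------------------------------------------------
'''
#####################################################################
MY_REPORT_VIR='''\
From: %(FROM)s
To: %(TO)s
Subject: ALERT, Virus "%(VIRNAME)s" found!

ALERT, Virus found!
---------------------------------------------------------------------
Status: %(STATUS)s, as: %(QNAME)s
---------------------------------------------------------------------
Scanner: %(SCANNER_NAME)s, %(SCANNER_OUTPUT)s
---------------------------------------------------------------------
HEADER OF MESSAGE:
%(MSG_HEADER)s
---------------------------------------------------------------------
SMTP COMMUNICATION:
%(SMTP_COMM)s
---------------------------------------------------------------------
'''
#####################################################################
MY_REPORT_SPAM='''\
From: %(FROM)s
To: %(TO)s
Subject: ALERT, Spam message found!

ALERT, Spam message found!
---------------------------------------------------------------------
Status: %(STATUS)s, as: %(QNAME)s
---------------------------------------------------------------------
Scanner: %(SCANNER_NAME)s, %(SCANNER_OUTPUT)s
---------------------------------------------------------------------
HEADER OF MESSAGE:
%(MSG_HEADER)s
---------------------------------------------------------------------
SMTP COMMUNICATION:
%(SMTP_COMM)s
---------------------------------------------------------------------
'''
#####################################################################
# Logging template, long but handy when you want to report or observe something
## Every placeholder needs the trailing 's' conversion; the original
## 'qname=%(QNAME)' (no conversion) raises "ValueError: incomplete format"
## the first time the line is logged, which would break the filter at
## DEBUG_LEVEL >= 3.
MY_LOG_FORMAT="level='%(LEVEL)s', virname='%(VIRNAME)s', size='%(SIZE)s', sender='%(SENDER)s', recipients='%(RECIPIENTS)s', sagator='%(VERSION)s', scanner='%(SCANNER_NAME)s', qname='%(QNAME)s'\n"

## Now you can define SCANNERS array. This array contains definitions
## for all scanners used in sagator and it's scripts.
## You can define other array names for different services.
## SCANNERS array for sgscan must have this name.
SCANNERS=[
  log(3,MY_LOG_FORMAT,
    ## In general, there's no need to send directly attached windows executables.
    ## This captures most viruses, and zip-ing exe files saves traffic too!
    ## The extension list is a blocklist; file_type() adds a content-based
    ## check so a renamed executable is still caught.
    ## NOTE(review): if attach_name() matches case-sensitively, an
    ## attachment named 'FOO.EXE' is not caught by the regex alone -- confirm
    ## against the scanner implementation.
    status("WindowsExecutable",
      report(['support@localhost'],MY_REPORT_EXE,
        quarantine('/tmp/quarantine/exe/%Y%m','',
          drop(drop.DEFAULT,
            parsemail(
              ## raw string: the regex backslashes are meant for re, not Python
              attach_name(r'(\.exe|\.com|\.vxd|\.dll|\.cpl|\.scr|\.pif|\.lnk|\.bat|\.vbs|\.js)$'),
              file_type({'exe': 'Executable'})
            )
            ## if you want to be sure no messages will fail (in case file_type() fails,
            ## add '| const(0)' after the previous right bracket
          )
        )
      )
    ),
    ## check for viruses with clamd and quarantine them in new dir every month.
    ## The directory /tmp/quarantine/vir is in the chroot jail and should be
    ## writable by the user 'vscan'.
    ## Quarantined files are live malware samples: keep the quarantine
    ## tree readable by 'vscan'/root only and do not share it with other
    ## services living in the same chroot.
    status("Virus",
      report(['support@localhost'],MY_REPORT_VIR,
        quarantine('/tmp/quarantine/vir/%Y%m','',
          drop(drop.DEFAULT,
            clamd(['localhost',3310])
          )
        )
      )
    ),
    ## filter all spam with spamassassind, quarantine by month, report the accident
    ## to 'support' and forward them to 'admin' to take a look (if he has free time to...).
    ## NOTE(review): the forwarded copy is the original spam; make sure
    ## admin@localhost is a local mailbox and not relayed elsewhere.
    status("Spam",
      report(['support@localhost'],MY_REPORT_SPAM,
        quarantine('/tmp/quarantine/spam/%Y%m','',
          deliver_to(['admin@localhost'],
            drop('.', # drop all spams, do not deliver to users (use sqback if needed)
              spamassassind(['localhost',783])
            )
          )
        )
      )
    )
  )
]

## In this section you need to define services, which will be started
## by SAGATOR. You need at least one service to start. An SMTP gateway
## or a command can communicate with SAGATOR over this/these services.
## All listeners are bound to 127.0.0.1; keep it that way unless you
## also add network-level access control.
SRV=[
  ## Statistics collector
  ## This service can be used to collect statistics data and an program
  ## (like MRTG) can use these data to show nice graphs. By default
  ## leave this service running, because there is a script in sagator,
  ## which using this service.
  collector('127.0.0.1',28),

  ## SMTP daemon (for postfix, ...)
  ## This service can be used by postfix or any other SMTP daemon.
  ## You need to configure your SMTPd to send all viruses over
  ## this SMTPd. It sends clean emails back to SMTPd defined above
  ## (by SMTP_SERVER variable).
  ## Trailing comma kept so that un-commenting one of the services
  ## below does not produce a syntax error.
  smtpd(SCANNERS,'127.0.0.1',27),

  ## Milter daemon
  ## This service can be used by sendmail's milter. Leave it commented,
  ## if you don't use sendmail SMTP.
  #milter(SCANNERS,"sagator","inet:3333@127.0.0.1"),

  ## Standard input filter
  ## Over this service you can use sagator as STDIN -> STDOUT filter.
  ## Configure avfilter(SCANNERS) and run sagator:
  ##   sagator --nodaemon < email
  ## and you will obtain modified email on standard output.
  #avfilter(SCANNERS),
]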