1 Jan 2010

Tool: aviraparser.rb

So a while back I downloaded and set up the Avira Professional Beta for Linux; it is a really good product for finding malware. This product has two downsides: 1) it does not work on PowerPC and 2) the logs are in a lame text format. So what I needed was a way to parse all the endless logs from the binaries I have collected to see if anything was interesting enough to go ahead and RE the malicious code. So here is a simple script that will parse the raw Avira logs and write the results to the screen for easy viewing. The version I use in production is built into a Rails app and too complex to post here. Sorry.

aviraparser.rb
#!/usr/bin/env ruby
# Jacob Hammack
# http://www.hammackj.com
# Ruby parser for the output of Avira Professional for Linux results
# This script assumes filenames are the sha1 hash of the file;
# change the regexes below if yours are named differently.

abort "usage: #{$0} <avira log file>" unless ARGV[0]

f = File.new(ARGV[0])
f.each do |line|
  # Log fields are colon separated; the timestamp itself contains two
  # colons, so the first three fields together make up the date and time.
  lines  = line.split(':')
  date   = lines[0]
  time   = lines[1]
  time1  = lines[2]
  av     = lines[3]
  type   = lines[4]
  result = lines[5]

  printf "Date: %s:%s:%s\n", date, time, time1
  printf "AntiVirus: %s\n", av

  if type =~ /WARNING .*\/([0-9a-fA-F]{40})(.*)/
    # WARNING line: the text after the 40-hex filename is the result
    type = $1
    result = $2
    result[0] = ' ' unless result.empty?
    result.strip!
    printf "Filename: %s\n", type
    printf "Result: %s\n", result
  elsif type =~ /ALERT .*\/([0-9a-fA-F]{40})/
    # ALERT line: the result field is "shortname;category;description"
    type = $1
    printf "filename: %s\n", type
    result.to_s.scan(/(.*);(.*);(.*)/) do |s, c, d|
      printf "Shortname: %s\n", s
      printf "Category: %s\n", c
      printf "Description: %s\n", d
    end
  end
  puts "\n"
end
f.close
output
[hammackj@fajitas:~/Desktop]$ ./avguparser.rb filescan-20090615.log
Date: 2009-06-15 13:41:25 hoss avscan[21821]
AntiVirus: AVGU

Date: 2009-06-15 13:41:40 hoss avscan[21821]
AntiVirus: AVGU
filename: 00A66A90C0B2ECC0DEB975BE1F47526FD598D4A0
Shortname: TR/Agent.225280.I
Category: trojan
Description: Is the Trojan horse TR/Agent.225280.I

Date: 2009-06-15 13:41:41 hoss avscan[21821]
AntiVirus: AVGU
filename: 00B224187CE4C7E378E954DB76D1AF86DDF1403B
Shortname: ADSPY/Mywebsearch.AN.2
Category: adware
Description: Contains detection pattern of the Ad- or Spyware ADSPY/Mywebsearch.AN.2

[hammackj@fajitas:~/Desktop]$
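As an added example (not the post's script), the same log handled with one anchored regex per line so that malformed lines are skipped instead of crashing the run, with each detection returned as a record that can be counted by category rather than only printed. The line layout is an assumption reconstructed from what the original split(':') and regexes expect, and the sample lines are constructed to match the post's output.

```ruby
#!/usr/bin/env ruby
# Added example, not the original post's script: parse Avira avscan log lines
# into structured records and summarise detections by category.
# ASSUMPTION: the line layout below is reconstructed from what the original
# script's split(':') and regexes expect; all sample lines are constructed.
#   <date> <time> <host> <proc>: <av>: ALERT /path/<sha1>: <short>;<cat>;<desc>
#   <date> <time> <host> <proc>: <av>: WARNING /path/<sha1>: <message>
LINE_RE = /\A(?<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<host>\S+) (?<proc>\S+): (?<av>[^:]+): (?<kind>ALERT|WARNING) (?<path>[^:]+): ?(?<rest>.*)\z/
SHA1_NAME = %r{/([0-9a-fA-F]{40})\z}   # samples are stored under their SHA-1

def parse_avira_line(line)
  m = LINE_RE.match(line.chomp)
  return nil unless m                       # status lines carry no ALERT/WARNING
  sha1 = m[:path][SHA1_NAME, 1]
  return nil unless sha1                    # not a hash-named sample, skip it
  rec = { stamp: m[:stamp], host: m[:host], av: m[:av], kind: m[:kind].downcase.to_sym, sha1: sha1.upcase }
  if rec[:kind] == :alert
    short, cat, desc = m[:rest].split(';', 3).map(&:strip)
    return nil unless desc                  # malformed ALERT detail field
    rec.merge!(shortname: short, category: cat, description: desc)
  else
    rec[:message] = m[:rest].strip
  end
  rec
end

# source is anything with each_line: a File, an IO, or a String.
def parse_avira_log(source)
  source.each_line.map { |l| parse_avira_line(l) }.compact
end

def count_by_category(records)
  records.select { |r| r[:kind] == :alert }
         .each_with_object(Hash.new(0)) { |r, h| h[r[:category]] += 1 }
end

SAMPLE_LOG = <<~LOG # constructed lines modelled on the post's output
  2009-06-15 13:41:25 hoss avscan[21821]: AVGU: starting scan
  2009-06-15 13:41:40 hoss avscan[21821]: AVGU: ALERT /samples/00A66A90C0B2ECC0DEB975BE1F47526FD598D4A0: TR/Agent.225280.I;trojan;Is the Trojan horse TR/Agent.225280.I
  2009-06-15 13:41:41 hoss avscan[21821]: AVGU: ALERT /samples/00B224187CE4C7E378E954DB76D1AF86DDF1403B: ADSPY/Mywebsearch.AN.2;adware;Contains detection pattern of the Ad- or Spyware ADSPY/Mywebsearch.AN.2
  2009-06-15 13:41:42 hoss avscan[21821]: AVGU: WARNING /samples/00C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE: file is encrypted
LOG

if __FILE__ == $PROGRAM_NAME
  records = parse_avira_log(ARGV[0] ? File.open(ARGV[0]) : SAMPLE_LOG)
  records.each { |r| puts r.inspect }
  puts "by category: #{count_by_category(records)}"
end
```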


Posted by hammackj
