
Sophos Pure Message

Description

Constructor: Sophos

Product: Pure Message

Log type: mx

Theoretical injector performance

11638 EPS

Log sample

pmx-milter: 2017-02-02T02:36:09 q=58928D09_6221_4422_1 f=<addr1@oemservices.aero> t=<addr2@asia.thalesgroup.com> t=<addr3@asia.thalesgroup.com> t=<addr4@asia.thalesgroup.com> att=?q?image005.png,_image006.png,_image007.png,_image008.png,_image009.png,_00002688-58125.pdf,_2930922.pdf pmx_action=keep,-,-,addr2@asia.thalesgroup.com,addr5@asia.thalesgroup.com pmx_action=keep,-,-,addr3@asia.thalesgroup.com,addr3@asia.thalesgroup.com pmx_action=keep,-,-,addr4@asia.thalesgroup.com,addr4@asia.thalesgroup.com fur=11.1.11.111 at=2,175564,application/pdf at=1,357552,multipart/mixed at=5,92030,image/png at=1,88237,multipart/alternative at=1,181348,multipart/related at=1,77707,text/html at=1,10204,text/plain i Size=362956 s=?q?RE:_RO_FOR_SN1582 r=fake.corp.thales tm=0.05 a=a/eom 
pmx-milter: 2017-02-02T02:57:43 q=58929217_14008_4649_1 f=<addr@prune.corp.thales> t=<addr6@thalesgroup.com> t=<fake@thalesgroup.com> t=<fake2@thalesgroup.com> pmx_action=keep,-,-,addr1@thalesgroup.com,addr2@thalesgroup.com pmx_action=keep,-,-,addr3@thalesgroup.com,addr4@thalesgroup.com pmx_action=keep,-,-,addr5@thalesgroup.com,addr5@thalesgroup.com irt1=y fur=1.11.1.11 at=1,3708,text/plain i Size=5524 s=?q?SPG=5FAPR=5FTCS_-_PRDSPAG_-_Traitement_Import_des_APR_(_ID63_) r=fake.corp.thales tm=0.01 a=a/eom
pmx-milter: 2017-02-03T01:38:46 q=5893D116_28690_14873_1 f=<schlemiel@oncrystal.com> t=<andrew.morgan@thalesgroup.com> att=null pmx_action=keep,-,-,andrew.morgan@thalesgroup.com,andrew.morgan@thalesgroup.com irt1=y fur=10.33.233.92 at=1,17806,multipart/alternative at=1,12182,text/html at=1,5336,text/plain i Size=24384 s=?q?[SPAM_:_80%]_Long-lost_Navajo_remedy_restores_hearing_in_14_days r=thsbbfiav12p.corp.thales tm=0.01 a=a/eom
pmx-milter: 2019-02-15T02:59:03 q=5C661CE6_23240_12945_1 f=<john.doe@ksnc.net> t=<john.doe@thalesgroup.com> att=?q?NAVIOS_DEDICATIONreceipt=5FEC114419.doc pmx_reason=Virus Virus g=john.doe@thalesgroup.com|test-thalesgroup-com at=1,2475049,multipart/mixed at=1,2474094,application/msword at=1,522,text/plain h=PHISH_SPEAR1_X3 h=PHISH_SPEAR1_X4 h=FROM_NAME_ALLCAPS h=INVOICE_ATTACHMENT h=MULTIPLE_RCPTS h=PHISH_SPEAR_CONTENT_X3 h=PHISH_SPEAR_CONTENT_X4 h=HTML_00_01 h=HTML_00_10 h=BODYTEXTP_SIZE_3000_LESS h=BODY_SIZE_10000_PLUS h=DKIM_SIGNATURE h=DOC_ATTACHED h=LOCALE_CHINESE h=NO_URI_HTTPS h=OFFICE_ATTACHED h=RATWARE_LC_DIGITS_HELO h=RDNS_GENERIC_POOLED h=RDNS_SUSP h=RDNS_SUSP_GENERIC h=SPF_SOFTFAIL h=TO_UNDISCLOSED_RECIPIENTS h=WEBMAIL_SOURCE h=WEBMAIL_USER_AGENT h=__ANY_URI h=__ATTACHMENT_SIZE_100K_PLUS h=__BOUNCE_CHALLENGE_SUBJ h=__BOUNCE_NDR_SUBJ_EXEMPT h=__CHAR_CHINESE_UTF8 h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_MIXED h=__DOC_ATTACHED1 h=__DOC_ATTACHED2 h=__FRAUD_ANTIABUSE h=__FRAUD_COMMON h=__FRAUD_CONTACT_NUM h=__FRAUD_MONEY_CURRENCY h=__FRAUD_MONEY_CURRENCY_POUND h=__FRAUD_PAPERWORK h=__HAS_ATTACHMENT h=__HAS_ATTACHMENT1 h=__HAS_ATTACHMENT2 h=__HAS_FROM h=__HAS_MSGID h=__HIGHBITS h=__INVOICE_MULTILINGUAL h=__LINES_OF_YELLING h=__MIME_TEXT_P h=__MIME_TEXT_P1 h=__MIME_TEXT_P2 h=__MIME_VERSION h=__MSGID_32HEX h=__MULTI_FROM h=__NO_HTML_TAG_RAW h=__PHISH_SPEAR_STRUCTURE_1 h=__PHISH_SPEAR_SUBJECT h=__PHISH_SPEAR_SUBJECT_CAPS h=__PHISH_SPEAR_SUBJ_ALERT h=__PHISH_SPEAR_SUBJ_PREDICATE h=__SANE_MSGID h=__SUBJECT_ALLCAPS h=__SUBJECT_NOLC h=__SUBJ_ALPHA_NEGATE h=__SUBJ_REPLY h=__TO_MALFORMED_3 h=__URI_NO_WWW h=__URI_NS h=__USER_AGENT s=?q?RE:_UPDATED_A.NOTICE_//--ARRIVAL_NOTICE__//_MV:_NAVIOS_DEDICATION_V.004S_<ACTIVE_CARGO> pmx_action=discard,Virus,test-thalesgroup-com,john.doe@thalesgroup.com,john.doe@thalesgroup.com vs p=0.512 fur=162.144.100.85 Size=2477962 v=CXmail/RtfObf-B v=Troj/RtfExp-EV r=162.144.100.85 tm=0.93 a=d/eom

Parsing strategy

1 - First, we use grok() to check and remove the header. The header has the following pattern:

pmx-milter: 2017-02-02T02:57:43 

2 - Then, we use the [kv()] operator.

q=58929217_14008_4649_1 f=<addr@prune.corp.thales> t=<addr6@thalesgroup.com> t=<fake@thalesgroup.com> t=<fake2@thalesgroup.com> ...

Note: in addition to [kv()], we use [.multiKeys()] to store the different values of a repeated key in an array, and [.disableEscaping()] to speed up processing, since these logs need no escaping.

Fields normalization

Normalized field         | Value / initial field
[type]                   |
[action]                 | a
[app][name]              | extracted from header
[alarm][name]            | [app][name] + a
[obs][ts]                | first timestamp
[init][host][ip]         | fur
[init][host][name]       | r
[target][usr][mail]      | t (as array, sanitized)
[init][usr][mail]        | f (sanitized)
[mx][subject]            | s (as array, sanitized)
[session][id]            | q
[session][duration]      | tm (x1000)
[session][out][byte]     | Size
[session][file][name]    | att (as array, sanitized)
[session][file][type]    | extracted from the 'at' key (as array)
[av][virus_name]         | v
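The three parsing steps (header grok, key/value split with multi-keys and no escaping, field normalization per the table above), as an added Python example that is not part of the original page or of the product's own parser. The sample line is constructed from the samples above; the page does not define "sanitized", so RFC 2047 Q-decoding of ?q? values, stripping of angle brackets from addresses and the space separator in [alarm][name] are assumptions.

```python
import re
import quopri
from collections import defaultdict
# Constructed sample line modelled on the samples above (not a real capture)
SAMPLE = ("pmx-milter: 2017-02-02T02:57:43 q=58929217_14008_4649_1 f=<addr@prune.corp.thales> "
          "t=<addr6@thalesgroup.com> t=<fake@thalesgroup.com> irt1=y fur=1.11.1.11 "
          "at=1,3708,text/plain at=1,5524,multipart/mixed i Size=5524 r=fake.corp.thales "
          "att=?q?report=5F2019.pdf,_notes.txt s=?q?SPG=5FAPR_-_Import tm=0.01 a=a/eom")
# Step 1 (grok): the header is "<app>: <ISO timestamp> ", the remainder is key=value pairs
HEADER = re.compile(r"^(?P<app>[\w-]+): (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

def parse_kv(rest):
    """Step 2 (kv + multiKeys, no escaping): repeated keys become lists, bare tokens are skipped."""
    fields = defaultdict(list)
    for tok in rest.split():
        key, sep, val = tok.partition("=")  # first '=' only: att/s values may contain '='
        if sep:
            fields[key].append(val)
    return fields

def q_decode(value):
    """Assumed sanitization of ?q? values: RFC 2047 Q-decoding ('_' is space, =XX a byte)."""
    if value.startswith("?q?"):
        return quopri.decodestring(value[3:].encode(), header=True).decode("utf-8", "replace")
    return value

def normalize(line):
    """Step 3: map the raw keys onto the normalized fields of the table above."""
    m = HEADER.match(line)
    if not m:
        return None  # not a pmx-milter line: let the caller route it elsewhere
    kv = parse_kv(m.group("rest"))
    first = lambda k: kv[k][0] if kv[k] else None
    app, action = m.group("app"), first("a")
    return {
        "type": "mx", "action": action,                # type taken from the page's 'Log type'
        "app": {"name": app},
        "alarm": {"name": f"{app} {action}"},          # separator between app name and 'a' assumed
        "obs": {"ts": m.group("ts")},
        "init": {"host": {"ip": first("fur"), "name": first("r")},
                 "usr": {"mail": first("f").strip("<>") if first("f") else None}},
        "target": {"usr": {"mail": [t.strip("<>") for t in kv["t"]]}},
        "mx": {"subject": [q_decode(s) for s in kv["s"]]},
        "session": {"id": first("q"),
                    "duration": int(round(float(first("tm")) * 1000)) if first("tm") else None,
                    "out": {"byte": int(first("Size")) if first("Size") else None},
                    "file": {"name": [n.strip() for a in kv["att"] for n in q_decode(a).split(",")],
                             "type": [a.split(",", 2)[2] for a in kv["at"] if a.count(",") >= 2]}},
        "av": {"virus_name": kv["v"]},
    }
```

Bare tokens such as "i" or "vs" in the real samples carry no "=" and are dropped, which matches what a non-escaping kv() split would do.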