If you provide samples we can help.

On Sun, Jan 8, 2012 at 11:46 PM, Andy Cockroft (andic) <[email protected]> wrote:
> Hi
>
> Has anyone tried to analyse the attack via the Exchange SMTP service?
>
> This results in thousands of 529 event entries, but with no IP address logged - just usernames
>
> I have manually trolled through SMTPSVC1 daily logs, and it becomes evident that these can be identified by multiple QUIT commands - and citing the sourceIP
>
> Has anyone written a monitor / decoder for this Logfile so as to extract the offending IP address and ban them automatically?
>
> If not I'll have to invent the first wheel
>
> Andy
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Monday, 9 January 2012 5:29 p.m.
> To: [email protected]
> Subject: Re: [ossec-list] multiple agents on a single server
>
> On Sun, Jan 8, 2012 at 11:18 PM, Jeff Jennings <[email protected]> wrote:
>> sure - I have multiple ip addresses on one server with different websites running on each of the ip addresses.
>>
>
> OSSEC (mostly) monitors logs. It doesn't care much about your IP addresses.
> You can configure 1 instance to look at the log files of each website.
>
>> -----Original Message-----
>> From: dan (ddp)
>> Sent: Sunday, January 08, 2012 11:05 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] multiple agents on a single server
>>
>> On Sun, Jan 8, 2012 at 9:49 PM, Jeff Jennings <[email protected]> wrote:
>>>
>>> I ran across these instructions on how to install multiple agents on a single server since I need to monitor multiple IP's
>>>
>>> http://www.immutablesecurity.com/index.php/2010/10/22/2woo-day-6-running-multiple-instances-on-one-box/comment-page-1/#comment-1043
>>>
>>> I posted my problem in the comment area on this guy's page but I guess he did not like the question and deleted my comment.
>>>
>>> In any event - his page refers to the following:
>>>
>>> Now, go into the <remote> section of ossec.conf in each remote instance and configure the <local_ip> option to point to the correct IP. Make sure each instance points to a unique IP.
>>>
>>> I can't find any section in the ossec-conf file on my agent servers to place what is referred to above.
>>>
>>> ANY IDEAS?
>>>
>>
>> I think the <remote> section is only available on the manager.
>>
>> I don't understand why you're installing multiple copies on a single agent though, your explanation made no sense. Any chance you could elaborate?
>>
>>> In addition his instructions go on to supply a startup script which fails as follows, but I think it's failing because the additional instances on the agents are not bound to specific Ip addresses.
>>>
>>> Can anyone give me some help here?
>>>
>>> ossec-agentd not running...
>>> ossec-execd not running...
>>> [root@marine init.d]# ./ossec.sh start
>>> Starting OSSEC at /var/ossec6: 2012/01/08 17:44:33 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>
>> ^^^^
>> syscheck isn't configured?
>>
>>> /var/ossec6/bin/ossec-control: line 138: 8627 Segmentation fault
>>
>> Not being configured shouldn't cause a segfault in syscheck. What version are you using?
>>
>>> ${DIR}/bin/${i}
>>> [FAILED]
>>> Starting OSSEC at /var/ossec: [ OK ]
>>> Starting OSSEC at /var/ossec2: 2012/01/08 17:44:35 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>> /var/ossec2/bin/ossec-control: line 138: 8691 Segmentation fault ${DIR}/bin/${i}
>>> [FAILED]
>>> Starting OSSEC at /var/ossec3: 2012/01/08 17:44:35 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>> /var/ossec3/bin/ossec-control: line 138: 8720 Segmentation fault ${DIR}/bin/${i}
>>> [FAILED]
>>> Starting OSSEC at /var/ossec4: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>> /var/ossec4/bin/ossec-control: line 138: 8749 Segmentation fault ${DIR}/bin/${i}
>>> [FAILED]
>>> Starting OSSEC at /var/ossec5: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>> /var/ossec5/bin/ossec-control: line 138: 8778 Segmentation fault ${DIR}/bin/${i}
>>> [FAILED]
>>> Starting OSSEC at /var/ossec6: 2012/01/08 17:44:36 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
>>> /var/ossec6/bin/ossec-control: line 138: 8813 Segmentation fault ${DIR}/bin/${i}
>>> [FAILED]
>>> [root@marine init.d]#
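For Andy's question above about pulling the offending source IP out of the SMTPSVC1 logs, here is an added example (not code from the thread, Exchange or OSSEC) that reads the W3C `#Fields:` header and counts QUIT commands per client IP. The sample log is constructed and its column list is an assumption; real SMTPSVC1 logs carry more fields, which is why the parser takes the layout from the header instead of hard-coding it.

```python
"""Pick out SMTP clients that issue many QUITs in an IIS/Exchange SMTPSVC W3C log."""
from collections import Counter
from typing import Dict, Iterable, Iterator, List

# Constructed sample log. The column list is an assumption: real SMTPSVC1 logs
# carry more fields, which is why the parser takes the layout from '#Fields:'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-query sc-status
2012-01-08 00:00:01 198.51.100.7 - 192.0.2.10 25 EHLO +mail.example.test 250
2012-01-08 00:00:01 198.51.100.7 - 192.0.2.10 25 AUTH LOGIN 535
2012-01-08 00:00:01 198.51.100.7 - 192.0.2.10 25 QUIT - 0
2012-01-08 00:00:02 198.51.100.7 - 192.0.2.10 25 AUTH LOGIN 535
2012-01-08 00:00:02 198.51.100.7 - 192.0.2.10 25 QUIT - 0
2012-01-08 00:00:03 198.51.100.7 - 192.0.2.10 25 AUTH LOGIN 535
2012-01-08 00:00:03 198.51.100.7 - 192.0.2.10 25 QUIT - 0
2012-01-08 00:05:00 203.0.113.5 - 192.0.2.10 25 EHLO +partner.example.test 250
2012-01-08 00:05:01 203.0.113.5 - 192.0.2.10 25 MAIL +FROM:<a@partner.example.test> 250
2012-01-08 00:05:02 203.0.113.5 - 192.0.2.10 25 QUIT - 0
"""

def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the latest '#Fields:' line."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#") or not fields:
            continue                        # directive, blank, or data before a header
        else:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or garbled records
                yield dict(zip(fields, values))

def quit_counts(lines: Iterable[str]) -> Counter:
    """Number of QUIT commands seen from each client IP (c-ip)."""
    counts: Counter = Counter()
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() == "QUIT":
            counts[rec.get("c-ip", "-")] += 1
    return counts

def offending_ips(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Client IPs with at least `threshold` QUITs, busiest first. A legitimate MTA
    sends one QUIT per session, so tune the threshold against a normal day's log."""
    return [ip for ip, n in quit_counts(lines).most_common() if n >= threshold]
```

Run `offending_ips(open("ex120108.log").read().splitlines())` over a real daily log to get the candidate list; the IPs it returns are what an OSSEC rule or active response would then act on.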
