Running those through ossec-logtest gives me a bunch of 3800s, not 529:

**Phase 1: Completed pre-decoding.
       full event: '2012-01-08 04:02:23 222.35.140.244 jzebnk.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +jzebnk.com 250 0 304 15 0 SMTP - - - -'
       hostname: 'ix'
       program_name: '(null)'
       log: '2012-01-08 04:02:23 222.35.140.244 jzebnk.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +jzebnk.com 250 0 304 15 0 SMTP - - - -'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '222.35.140.244'
       action: 'EHLO'
       id: '250'

**Phase 3: Completed filtering (rules).
       Rule id: '3800'
       Level: '0'
       Description: 'Grouping of Exchange rules.'


**Phase 1: Completed pre-decoding.
       full event: '2012-01-08 04:02:50 222.35.140.244 jzebnk.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - jzebnk.com 240 26891 76 10 5484 SMTP - - - -'
       hostname: 'ix'
       program_name: '(null)'
       log: '2012-01-08 04:02:50 222.35.140.244 jzebnk.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - jzebnk.com 240 26891 76 10 5484 SMTP - - - -'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       srcip: '222.35.140.244'
       action: 'QUIT'
       id: '240'

**Phase 3: Completed filtering (rules).
       Rule id: '3800'
       Level: '0'
       Description: 'Grouping of Exchange rules.'


On Tue, Jan 10, 2012 at 7:58 PM, Andy Cockroft (andic)
<an...@andic.co.nz> wrote:
> Hi Dan
>
> Below are a typical few entries - the log file is typically 1/2 Mb per day 
> when these events are occurring - otherwise less than 50K per day
>
> A useless 529 event log is raised just after each "QUIT"
>
> Under the SMPT logging properties, all extended options are enabled
>
> I have manually banned this offending IP for now, but who knows when it will 
> re-emerge from another source
>
> Any help appreciated
>
> Andy
>
> 2012-01-08 04:02:23 222.35.140.244 jzebnk.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +jzebnk.com 250 0 304 15 0 SMTP - - - -
> 2012-01-08 04:02:50 222.35.140.244 jzebnk.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - jzebnk.com 240 26891 76 10 5484 SMTP - - - -
> 2012-01-08 04:02:53 222.35.140.244 zqkjhp.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +zqkjhp.com 250 0 304 15 0 SMTP - - - -
> 2012-01-08 04:03:19 222.35.140.244 zqkjhp.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - zqkjhp.com 240 26890 76 10 5484 SMTP - - - -
> 2012-01-08 04:03:22 222.35.140.244 xmgemovn.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +xmgemovn.com 250 0 304 17 0 SMTP - - - -
> 2012-01-08 04:03:49 222.35.140.244 xmgemovn.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - xmgemovn.com 240 26938 76 10 5500 SMTP - - - -
> 2012-01-08 04:03:51 222.35.140.244 knpivkp.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +knpivkp.com 250 0 304 16 0 SMTP - - - -
> 2012-01-08 04:04:18 222.35.140.244 knpivkp.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - knpivkp.com 240 27000 76 10 5515 SMTP - - - -
> 2012-01-08 04:04:21 222.35.140.244 qzrespbcv.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +qzrespbcv.com 250 0 304 18 0 SMTP - - - -
> 2012-01-08 04:04:48 222.35.140.244 qzrespbcv.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - qzrespbcv.com 240 27188 76 10 5719 SMTP - - - -
> 2012-01-08 04:04:51 222.35.140.244 cqdbqxjlg.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +cqdbqxjlg.com 250 0 304 18 0 SMTP - - - -
> 2012-01-08 04:05:21 222.35.140.244 cqdbqxjlg.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - cqdbqxjlg.com 240 30937 76 10 5953 SMTP - - - -
> 2012-01-08 04:05:24 222.35.140.244 kgttmy.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +kgttmy.com 250 0 304 15 0 SMTP - - - -
> 2012-01-08 04:05:52 222.35.140.244 kgttmy.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - kgttmy.com 240 27765 76 10 5656 SMTP - - - -
> 2012-01-08 04:05:54 222.35.140.244 nvqpxaom.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +nvqpxaom.com 250 0 304 17 0 SMTP - - - -
> 2012-01-08 04:06:22 222.35.140.244 nvqpxaom.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - nvqpxaom.com 240 27719 76 10 5766 SMTP - - - -
> 2012-01-08 04:06:24 222.35.140.244 ucvmxoz.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +ucvmxoz.com 250 0 304 16 0 SMTP - - - -
> 2012-01-08 04:06:52 222.35.140.244 ucvmxoz.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - ucvmxoz.com 240 27860 76 10 5985 SMTP - - - -
> 2012-01-08 04:06:55 222.35.140.244 qebrvgye.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +qebrvgye.com 250 0 304 17 0 SMTP - - - -
> 2012-01-08 04:07:23 222.35.140.244 qebrvgye.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - qebrvgye.com 240 28812 76 10 5812 SMTP - - - -
> 2012-01-08 04:07:26 222.35.140.244 bwwhgkm.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +bwwhgkm.com 250 0 304 16 0 SMTP - - - -
> 2012-01-08 04:07:54 222.35.140.244 bwwhgkm.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - bwwhgkm.com 240 28578 76 10 6078 SMTP - - - -
> 2012-01-08 04:07:57 222.35.140.244 naylnwu.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +naylnwu.com 250 0 304 16 0 SMTP - - - -
> 2012-01-08 04:08:25 222.35.140.244 naylnwu.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - naylnwu.com 240 27906 76 10 5813 SMTP - - - -
> 2012-01-08 04:08:27 222.35.140.244 nyspjkqjc.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +nyspjkqjc.com 250 0 304 18 0 SMTP - - - -
> 2012-01-08 04:08:56 222.35.140.244 nyspjkqjc.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - nyspjkqjc.com 240 28812 76 10 5797 SMTP - - - -
> 2012-01-08 04:08:59 222.35.140.244 agctbgmd.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +agctbgmd.com 250 0 304 17 0 SMTP - - - -
> 2012-01-08 04:09:26 222.35.140.244 agctbgmd.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - agctbgmd.com 240 27937 76 10 5796 SMTP - - - -
> 2012-01-08 04:09:29 222.35.140.244 lbfncar.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +lbfncar.com 250 0 304 16 0 SMTP - - - -
> 2012-01-08 04:09:56 222.35.140.244 lbfncar.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - lbfncar.com 240 27469 76 10 5563 SMTP - - - -
> 2012-01-08 04:09:59 222.35.140.244 enujug.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +enujug.com 250 0 304 15 0 SMTP - - - -
> 2012-01-08 04:10:26 222.35.140.244 enujug.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - enujug.com 240 27265 76 10 5515 SMTP - - - -
> 2012-01-08 04:10:29 222.35.140.244 xitytti.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +xitytti.com 250 0 304 16 0 SMTP - - - -
> 2012-01-08 04:10:56 222.35.140.244 xitytti.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - xitytti.com 240 27078 76 10 5656 SMTP - - - -
> 2012-01-08 04:10:58 222.35.140.244 bbzmxhlg.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +bbzmxhlg.com 250 0 304 17 16 SMTP - - - -
> 2012-01-08 04:11:25 222.35.140.244 bbzmxhlg.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - bbzmxhlg.com 240 26921 76 10 5515 SMTP - - - -
> 2012-01-08 04:11:28 222.35.140.244 diandasbz.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +diandasbz.com 250 0 304 18 0 SMTP - - - -
> 2012-01-08 04:11:54 222.35.140.244 diandasbz.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - diandasbz.com 240 26844 76 10 5500 SMTP - - - -
> 2012-01-08 04:11:57 222.35.140.244 afdccelyh.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +afdccelyh.com 250 0 304 18 0 SMTP - - - -
> 2012-01-08 04:12:24 222.35.140.244 afdccelyh.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - afdccelyh.com 240 26828 76 10 5485 SMTP - - - -
> 2012-01-08 04:12:26 222.35.140.244 mfgcmi.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +mfgcmi.com 250 0 304 15 0 SMTP - - - -
> 2012-01-08 04:12:53 222.35.140.244 mfgcmi.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - mfgcmi.com 240 26812 76 10 5484 SMTP - - - -
> 2012-01-08 04:12:56 222.35.140.244 hsujiezj.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +hsujiezj.com 250 0 304 17 0 SMTP - - - -
> 2012-01-08 04:13:22 222.35.140.244 hsujiezj.com SMTPSVC1 ASERVER 192.168.1.2 0 QUIT - hsujiezj.com 240 26812 76 10 5484 SMTP - - - -
> 2012-01-08 04:13:25 222.35.140.244 nftmxuxtp.com SMTPSVC1 ASERVER 192.168.1.2 0 EHLO - +nftmxuxtp.com 250 0 304 18 0 SMTP - - - -
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
> Behalf Of dan (ddp)
> Sent: Tuesday, 10 January 2012 2:30 p.m.
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Windows Event 529 - logging against INETINFO
>
> If you provide samples we can help.
>
> On Sun, Jan 8, 2012 at 11:46 PM, Andy Cockroft (andic) <an...@andic.co.nz> 
> wrote:
>> Hi
>>
>> Has anyone tried to analyse the attack via the Exchange SMTP service?
>>
>> This results in thousands of 529 event entries, but with no IP address
>> logged - just usernames
>>
>> I have manually trolled through SMTPSVC1 daily logs, and it becomes
>> evident that these can be identified by multiple QUIT commands - and
>> citing the sourceIP
>>
>> Has anyone written a monitor / decoder for this Logfile so as to extract the 
>> offending IP address and ban them automatically?
>>
>> If not I'll have to invent the first wheel
>>
>> Andy
>>
>> -----Original Message-----
>> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
>> On Behalf Of dan (ddp)
>> Sent: Monday, 9 January 2012 5:29 p.m.
>> To: ossec-list@googlegroups.com
>> Subject: Re: [ossec-list] multiple agents on a single server
>>
>> On Sun, Jan 8, 2012 at 11:18 PM, Jeff Jennings <jjenni...@zoominternet.net> 
>> wrote:
>>> sure - I have multiple ip addresses on one server with different
>>> websites running on each of the ip addresses.
>>>
>>
>> OSSEC (mostly) monitors logs. It doesn't care much about your IP addresses. 
>> You can configure 1 instance to look at the log files of each website.
>>
>>> -----Original Message----- From: dan (ddp)
>>> Sent: Sunday, January 08, 2012 11:05 PM
>>> To: ossec-list@googlegroups.com
>>> Subject: Re: [ossec-list] multiple agents on a single server
>>>
>>>
>>> On Sun, Jan 8, 2012 at 9:49 PM, Jeff Jennings
>>> <jjenni...@zoominternet.net> wrote:
>>>>
>>>> I ran across these instructions on how to install multiple agents on
>>>> a single server since I need to monitor multiple IP's
>>>>
>>>>
>>>> http://www.immutablesecurity.com/index.php/2010/10/22/2woo-day-6-running-multiple-instances-on-one-box/comment-page-1/#comment-1043
>>>> I posted my problem in the comment area on this guy's page but I
>>>> guess he did not like the question and deleted my comment.
>>>>
>>>> In any event - his page refers to the following:
>>>>
>>>> Now, go into the <remote> section of ossec.conf in each remote
>>>> instance and configure the <local_ip> option to point to the correct
>>>> IP. Make sure each instance points to a unique IP.
>>>>
>>>> I can't find any section in the ossec-conf file on my agent servers
>>>> to place what is referred to above.
>>>>
>>>> ANY IDEAS?
>>>>
>>>
>>> I think the <remote> section is only available on the manager.
>>>
>>> I don't understand why you're installing multiple copies on a single
>>> agent though, your explanation made no sense. Any chance you could
>>> elaborate?
>>>
>>>> In addition his instructions go on to supply a startup script which
>>>> fails as follows, but I think it's failing because the additional
>>>> instances on the agents are not bound to specific Ip addresses.
>>>>
>>>> Can anyone give me some help here?
>>>>
>>>>
>>>>
>>>>
>>>> ossec-agentd not running...
>>>> ossec-execd not running...
>>>> [root@marine init.d]# ./ossec.sh start Starting OSSEC at /var/ossec6:
>>>> 2012/01/08 17:44:33 ossec-syscheckd(1702):
>>>> INFO: No directory provided for syscheck to monitor.
>>>
>>>            ^^^^
>>> syscheck isn't configured?
>>>
>>>> /var/ossec6/bin/ossec-control: line 138:  8627 Segmentation fault
>>>
>>>
>>> Not being configured shouldn't cause a segfault in syscheck. What
>>> version are you using?
>>>
>>>> ${DIR}/bin/${i}
>>>>                                                           [FAILED]
>>>> Starting OSSEC at /var/ossec:                              [  OK  ]
>>>> Starting OSSEC at /var/ossec2: 2012/01/08 17:44:35 ossec-syscheckd(1702):
>>>> INFO: No directory provided for syscheck to monitor.
>>>> /var/ossec2/bin/ossec-control: line 138:  8691 Segmentation fault
>>>> ${DIR}/bin/${i}
>>>>                                                           [FAILED]
>>>> Starting OSSEC at /var/ossec3: 2012/01/08 17:44:35 ossec-syscheckd(1702):
>>>> INFO: No directory provided for syscheck to monitor.
>>>> /var/ossec3/bin/ossec-control: line 138:  8720 Segmentation fault
>>>> ${DIR}/bin/${i}
>>>>                                                           [FAILED]
>>>> Starting OSSEC at /var/ossec4: 2012/01/08 17:44:36 ossec-syscheckd(1702):
>>>> INFO: No directory provided for syscheck to monitor.
>>>> /var/ossec4/bin/ossec-control: line 138:  8749 Segmentation fault
>>>> ${DIR}/bin/${i}
>>>>                                                           [FAILED]
>>>> Starting OSSEC at /var/ossec5: 2012/01/08 17:44:36 ossec-syscheckd(1702):
>>>> INFO: No directory provided for syscheck to monitor.
>>>> /var/ossec5/bin/ossec-control: line 138:  8778 Segmentation fault
>>>> ${DIR}/bin/${i}
>>>>                                                           [FAILED]
>>>> Starting OSSEC at /var/ossec6: 2012/01/08 17:44:36 ossec-syscheckd(1702):
>>>> INFO: No directory provided for syscheck to monitor.
>>>> /var/ossec6/bin/ossec-control: line 138:  8813 Segmentation fault
>>>> ${DIR}/bin/${i}
>>>>                                                           [FAILED]
>>>> [root@marine init.d]#
>>>
>>>
