I’m getting heavy flurries of bogus DNS queries to a non-recursive,
authoritative DNS server. The traffic comes from a large spread of src IP
addresses, so it’s obviously mostly spoofed. The queries are all denied, so
it’s almost no risk, except that it heavily overloads the log management,
it’s annoying, and could cause some more serious logs to get missed in the
flurry. The rate of traffic is about 3 – 20 queries per second, and a
flurry often runs for several hours. The host name is random, but the
domain names are pretty static within a single flurry. So I’ve written a
named decoder to extract the host name as ‘user’, and rules to alert on the
flurry of denied queries. The decoder and alerts are working fine. I also
have an active response script which adds an iptables rule to drop queries
for a specific denied domain name. The script works fine when run by hand.
It’s based on the existing active-response/bin/firewall-drop.sh so that it
uses the same locking directory, so that the two scripts will co-operate on
locking. The one thing that’s not working is that when the alert is generated
the script doesn’t get run. The script is in active-response/bin with
rx permissions. There’s no error log in the ossec.log and there’s not even
an indication that it started to run in the active-responses.log. The first
thing the script does is write a log entry to active-responses.log, similar to
the script it’s based on. However, the script is not run when the alert is
generated for rule 100002.
*Sample traffic:*
Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173
(odcdavcxkvin.games.yuanyou8.com): query (cache)
'odcdavcxkvin.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:45 net19 named[6147]: client 29.153.55.216#28938
(qbwrypybuhuv.games.yuanyou8.com): query (cache)
'qbwrypybuhuv.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:46 net19 named[6147]: client 126.122.141.86#34892
(azkhczkxcpgh.games.yuanyou8.com): query (cache)
'azkhczkxcpgh.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:46 net19 named[6147]: client 72.226.226.185#29311
(wfgdglqlqbwd.games.yuanyou8.com): query (cache)
'wfgdglqlqbwd.games.yuanyou8.com/A/IN' denied
*Sample alerts:*
** Alert 1489383774.343817: - local,syslog,
2017 Mar 13 01:42:54 net19->/var/log/named.log
Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
Src IP: 60.50.34.62
Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074
(uburatmbgrov.games.yuanyou8.com): query (cache)
'uburatmbgrov.games.yuanyou8.com/A/IN' denied
** Alert 1489383774.344139: - local,syslog,
2017 Mar 13 01:42:54 net19->/var/log/named.log
Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
Src IP: 42.76.121.217
Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337
(eropovspwfyl.games.yuanyou8.com): query (cache)
'eropovspwfyl.games.yuanyou8.com/A/IN' denied
** Alert 1489383774.344465: - local,syslog,
2017 Mar 13 01:42:54 net19->/var/log/named.log
Rule: 100002 (level 8) -> 'Multiple denied DNS queries in a short time.'
Src IP: 96.174.127.167
Mar 13 01:42:54 net19 named[6147]: client 96.174.127.167#16133
(qtoncngdqvcv.games.yuanyou8.com): query (cache)
'qtoncngdqvcv.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337
(eropovspwfyl.games.yuanyou8.com): query (cache)
'eropovspwfyl.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074
(uburatmbgrov.games.yuanyou8.com): query (cache)
'uburatmbgrov.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:53 net19 named[6147]: client 31.138.210.77#3939
(izilszqtqvav.games.yuanyou8.com): query (cache)
'izilszqtqvav.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:53 net19 named[6147]: client 44.157.160.105#63395
(afmxgjqfelwj.games.yuanyou8.com): query (cache)
'afmxgjqfelwj.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:53 net19 named[6147]: client 1.58.85.178#22054
(olshwnafqhihgvkn.games.yuanyou8.com): query (cache)
'olshwnafqhihgvkn.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:53 net19 named[6147]: client 103.7.105.111#13695
(yzunwbizupyr.games.yuanyou8.com): query (cache)
'yzunwbizupyr.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:52 net19 named[6147]: client 34.96.205.55#4089
(atkdwdixmfkl.games.yuanyou8.com): query (cache)
'atkdwdixmfkl.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:52 net19 named[6147]: client 70.94.229.18#28624
(oletkhwbodyn.games.yuanyou8.com): query (cache)
'oletkhwbodyn.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:51 net19 named[6147]: client 47.224.195.250#8636
(axcpajunsfoj.games.yuanyou8.com): query (cache)
'axcpajunsfoj.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:51 net19 named[6147]: client 96.243.170.64#27176
(ahefilwzohgb.games.yuanyou8.com): query (cache)
'ahefilwzohgb.games.yuanyou8.com/A/IN' denied
*Active response configuration:*
<!-- RALPH: Customized script based on firewall-drop.sh
     uses same locking, drops DNS queries with specific domain name.
-->
<command>
  <name>firewall-dns-query-drop</name>
  <executable>firewall-dns-query-drop.sh</executable>
  <expect>user</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
. . .
<active-response>
  <command>firewall-dns-query-drop</command>
  <location>local</location>
  <rules_id>100002</rules_id>
  <level>8</level>
  <timeout>5400</timeout>
</active-response>
*The decoder:*
# *cat etc/decoders.d/local_named.xml*
<!-- RALPH: Adjust decoder to catch domain name.
SAMPLES:
Mar 7 09:43:19 net19 named[6147]: client 53.144.157.215#61687
(qhctgjulipqfchyv.qiyering.com): query (cache)
'qhctgjulipqfchyv.qiyering.com/A/IN' denied
Doesn't make sense to put the domain name in "user", except only srcip and
user are passed to active scripts, and have a <same_xxx> capability.
-->
<decoder name="named-query-denied">
  <parent>named</parent>
  <prematch>denied$</prematch>
  <regex>client (\S+)#\d+\s+\((\S+)\): query </regex>
  <order>srcip,user</order>
</decoder>
*New rules in rules/local_rules.xml:*
<!-- Was level 0, now it needs to aggregate to an automated response.
-->
<rule id="12108" level="4" overwrite="yes">
  <if_sid>12100</if_sid>
  <match>query (cache) denied|: query (cache)</match>
  <description>Invalid Query cache denied.</description>
</rule>
<rule id="100002" level="8" frequency="10" timeframe="60">
  <if_matched_sid>12108</if_matched_sid>
  <description>Multiple denied DNS queries in a short time.</description>
  <info></info>
</rule>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
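To check what the decoder and rule 100002 actually extract before an active response ever runs, here is an added Python model of the post's pipeline (not OSSEC code and not the poster's script): the decoder regex translated to Python, the queried name carried as `user`, and the frequency/timeframe logic applied as a sliding window keyed per domain. The argument order `$2 = user`, `$3 = srcip` is assumed from OSSEC's firewall-drop.sh; the sample log lines are constructed, modelled on the ones in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Python equivalents of the decoder's <prematch> and <regex> from the post.
PREMATCH = re.compile(r"denied$")
DECODER = re.compile(r"client (\S+)#\d+\s+\((\S+)\): query ")
FREQUENCY, TIMEFRAME = 10, 60  # rule 100002: frequency="10" timeframe="60"

def decode(line, year=2017):
    """Mimic the decoder: prematch, then capture srcip and 'user' (the queried name)."""
    if not PREMATCH.search(line):
        return None
    m = DECODER.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} " + " ".join(line.split()[:3]), "%Y %b %d %H:%M:%S")
    return ts, m.group(1), m.group(2)

def domain_of(name):
    """Drop the random leftmost label so every query of one flurry shares a key."""
    return name.split(".", 1)[1] if "." in name else name

def detect_flurries(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Sliding-window variant of rule 100002, keyed per domain instead of globally.
    Returns one (domain, srcip, user) tuple per firing; user and srcip are what the
    script would get as $2 and $3 (assumed order, as in OSSEC's firewall-drop.sh)."""
    windows, fired = defaultdict(deque), []
    for ts, srcip, user in filter(None, map(decode, lines)):
        w = windows[domain_of(user)]
        w.append(ts)
        while (ts - w[0]).total_seconds() > timeframe:  # expire events older than the window
            w.popleft()
        if len(w) >= frequency:
            fired.append((domain_of(user), srcip, user))
            w.clear()  # start a fresh window after firing
    return fired
# Constructed sample (not from the post): 12 denied queries for random names under
# games.yuanyou8.com within 12 seconds, plus one lone query for another domain.
SAMPLE = [
    f"Mar 13 01:42:{40 + i:02d} net19 named[6147]: client 10.0.{i}.1#5{i:04d} "
    f"(host{i:02d}xyz.games.yuanyou8.com): query (cache) "
    f"'host{i:02d}xyz.games.yuanyou8.com/A/IN' denied"
    for i in range(12)
] + ["Mar 13 01:42:50 net19 named[6147]: client 10.0.99.1#60000 "
     "(abc.other.example): query (cache) 'abc.other.example/A/IN' denied"]

if __name__ == "__main__":
    for domain, srcip, user in detect_flurries(SAMPLE):
        print(f"rule 100002 fires: domain={domain} srcip={srcip} user={user}")
```

Feeding the real named.log through `decode` shows whether `user` is populated at all; if it is empty, an `<expect>user</expect>` command has nothing to pass and the script is never invoked.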