Hiya,
I am getting tons of these messages from my name servers. I run several
hosting companies and these are all departed customers who have not updated
DNS to point at new servers or just have domains specified with our
nameservers but no local zones set up on our nameservers. This means these
messages are much ado about nothing, but the key word "denied" correctly
triggers a generic notification.
Received From: (LLCP) XXX.XXX.XXX.XXX->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
named[12637]: client XXX.XXX.XXX.XXX#32769: query
(cache) 'somedomain.com/MX/IN' denied
So I created the below custom rule to filter out these "Semi" false positives.
<rule id="100020" level="0">
  <!-- level 0 silences the alert; a level of 7 would still fire it -->
  <if_sid>1002</if_sid>
  <!-- srcip is compared with the IP decoded from the log line, i.e. the
       querying client ("client XXX.XXX.XXX.XXX#32769"), not the agent -->
  <srcip>XXX.XXX.XXX.XXX</srcip>
  <match>query (cache)</match>
  <description>Ignoring Bind chatter</description>
</rule>
I think I am not getting the instructions for excluding false positives. Any
suggestions will be welcomed :-) The "srcip" is set to the ip of the ossec
agent server generating these notifications.
--
Kindest Regards,
Francesca Smith
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore, Maryland 21217
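The following is an added example, not part of the original post and not OSSEC's own code. It simulates the two things that decide whether the rule above works: the named decoder filling srcip from the "client A.B.C.D#port" part of the log line, and a child rule (if_sid 1002) overriding the parent's level. The log lines, the bad-word list for rule 1002, case-insensitive matching and the "last matching child wins" behaviour are all assumptions of the simulation, modelled on OSSEC but not taken from it.

```python
import re

# Constructed sample log lines in the shape quoted in the post (not real traffic).
SAMPLE_LOGS = [
    "Jan  1 12:00:00 ns1 named[12637]: client 192.0.2.10#32769: query (cache) 'somedomain.com/MX/IN' denied",
    "Jan  1 12:00:01 ns1 named[12637]: client 198.51.100.7#53021: query (cache) 'otherdomain.net/A/IN' denied",
    "Jan  1 12:00:02 ns1 sshd[2001]: refused connect from 203.0.113.5",
]

# Generic syslog shape: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+(?P<prog>[^\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# Mimics the named decoder: srcip is the querying client, not the server.
NAMED_QUERY_RE = re.compile(r"^client (?P<srcip>[\d.]+)#\d+: query")

# Assumed approximation of the bad-word list behind OSSEC rule 1002.
BAD_WORDS = ["core_dumped", "failure", "error", "attack", "bad ", "illegal ",
             "denied", "refused", "unauthorized", "fatal", "failed",
             "segmentation fault", "corrupted"]

PARENT_RULES = [
    {"id": 1002, "level": 7, "match_any": BAD_WORDS,
     "description": "Unknown problem somewhere in the system."},
]

# The corrected rule from the post, as a dict: level 0 and srcip = the client.
CHILD_RULES = [
    {"id": 100020, "level": 0, "if_sid": 1002, "srcip": "192.0.2.10",
     "match": "query (cache)", "description": "Ignoring Bind chatter"},
]


def decode(line):
    """Split a syslog line into hostname/program/log and, for named queries, srcip."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line, "srcip": None}
    event = {"hostname": m.group("host"), "program_name": m.group("prog"),
             "log": m.group("msg"), "srcip": None}
    if event["program_name"] == "named":
        q = NAMED_QUERY_RE.match(event["log"])
        if q:
            event["srcip"] = q.group("srcip")
    return event


def matches(rule, event):
    """Apply the rule's match_any / match / srcip conditions to a decoded event."""
    text = event["log"].lower()
    if "match_any" in rule and not any(w in text for w in rule["match_any"]):
        return False
    if "match" in rule and rule["match"].lower() not in text:
        return False
    if "srcip" in rule and event["srcip"] != rule["srcip"]:
        return False
    return True


def evaluate(line, child_rules=CHILD_RULES):
    """Return (winning rule id, level, decoded srcip) for one log line.

    A child rule whose if_sid names the matched parent overrides it; the last
    matching child wins, so a level-0 child suppresses the parent's alert.
    """
    event = decode(line)
    for parent in PARENT_RULES:
        if matches(parent, event):
            winner = parent
            for child in child_rules:
                if child["if_sid"] == parent["id"] and matches(child, event):
                    winner = child
            return winner["id"], winner["level"], event["srcip"]
    return None, 0, event["srcip"]


def alerts(line, child_rules=CHILD_RULES):
    """True when the winning rule's level is above 0, i.e. an alert is raised."""
    return evaluate(line, child_rules)[1] > 0


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(evaluate(log), "alert" if alerts(log) else "suppressed")
    # The two mistakes in the original rule, reproduced on the first line:
    still_level_7 = [dict(CHILD_RULES[0], level=7)]
    wrong_srcip = [dict(CHILD_RULES[0], srcip="10.0.0.1")]   # agent's IP, not the client
    print("level 7 child:", evaluate(SAMPLE_LOGS[0], still_level_7))
    print("agent IP as srcip:", evaluate(SAMPLE_LOGS[0], wrong_srcip))
```

Running it shows the first line suppressed by 100020 at level 0, the second still raised by 1002 because the client IP differs, and the sshd line untouched by the child rule. The two variants at the end reproduce the original rule's problems: with level 7 the child matches but still alerts, and with the agent's own IP in srcip the child never matches, so 1002 fires as before.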