Hi
I've been trying to write a rule to detect and then block hosts sending DNS lame server requests.
My rule detects and alerts but doesn't block. The alert shows that the srcip is unknown - is my capture wrong somewhere?
Thanks
#################
Added to decoder.xml
# added PTR
<decoder name="named_lame">
  <parent>named</parent>
  <prematch offset="after_parent">^lame </prematch>
  <regex offset="after_prematch">\.+(\d+.\d+.\d+.\d+)#53$</regex>
  <order>srcip</order>
</decoder>
New rule file contains
<group name="syslog,named,lame,">
  <rule id="12150" level="0" noalert="1">
    <decoded_as>named_lame</decoded_as>
    <description>Grouping of the named rules</description>
  </rule>
  <rule id="12151" level="12">
    <if_sid>12150</if_sid>
    <match>lame server resolving</match>
    <description>Named -- lame server resolving....</description>
    <group>access_denied,</group>
  </rule>
</group>
########
Alert log
** Alert 1179225703.43187: mail - syslog,named,lameaccess_denied,
2007 May 15 10:41:43 server2->/var/log/syslog
Rule: 12151 (level 12) -> 'Named -- lame server resolving....'
Src IP: (none)
User: (none)
named[5673]: lame server resolving '74.103.229.203.in-addr.arpa' (in '103.229.203.in-addr.arpa'?): 203.238.128.26#53
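An added example, not code from the original post: a small Python harness that approximates how the decoder's prematch and regex are applied to the logged line, so the srcip capture can be checked offline. It assumes OSSEC's dialect swaps `\.` (any character) and bare `.` (literal dot) and translates only that subset to Python's `re`; the tighter `\): (...)#53$` pattern is a hypothetical alternative, not the author's, and since Python's matcher is not OSSEC's, confirm any result with ossec-logtest against the real line.

```python
import re

# Message body as the "named" parent decoder hands it on (after_parent offset),
# copied from the alert in the post.
LOG_AFTER_PARENT = ("lame server resolving '74.103.229.203.in-addr.arpa' "
                    "(in '103.229.203.in-addr.arpa'?): 203.238.128.26#53")

PREMATCH = r"^lame "                            # as posted
REGEX_POSTED = r"\.+(\d+.\d+.\d+.\d+)#53$"      # as posted
REGEX_ANCHORED = r"\): (\d+.\d+.\d+.\d+)#53$"   # hypothetical tighter form, not the author's


def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used here into Python re syntax.

    In OSSEC's dialect '\\.' means any character and a bare '.' is a literal
    dot (the reverse of PCRE); '\\(' '\\)' '\\|' '\\$' are escaped literals and
    '\\d' '\\s' '\\S' '\\w' keep their usual meaning. Approximation only:
    OSSEC's matcher is not PCRE, so backtracking-dependent results can differ.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
        else:
            out.append(r"\." if c == "." else c)
            i += 1
    return "".join(out)


def decode_srcip(log, prematch, regex):
    """Mimic <prematch offset="after_parent"> followed by
    <regex offset="after_prematch"> with <order>srcip</order>.
    Returns the captured srcip, or None when the decoder would not fire."""
    pre = re.search(ossec_to_python(prematch), log)
    if not pre:
        return None
    m = re.search(ossec_to_python(regex), log[pre.end():])
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, rx in (("posted", REGEX_POSTED), ("anchored", REGEX_ANCHORED)):
        print(f"{name:9s} regex -> srcip = {decode_srcip(LOG_AFTER_PARENT, PREMATCH, rx)!r}")
```

Under ordinary backtracking semantics the posted pattern yields 3.238.128.26, because the greedy `\.+` also swallows the first digit of the address, while the anchored form returns 203.238.128.26.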