Hi all.
I've been working, unsuccessfully, on some rules to read my Bind9 query log
on a Debian Linux host. It appears that a new decoder is required since
I'm not logging to syslog. I've done the following, and inquire here for
additional guidance toward making this work.
accept existing etc/ossec.conf:
    <location>/var/log/named/query.log</location>
and:
    <include>named_rules.xml</include>
insert into etc/decoder.xml:
    <!-- my Bind9 decoder.
      - Will extract the srcip
      - Example:
        09-Jan-2009 13:41:13.672 client 123.45.67.8#16165: view external: query: . IN NS +
    -->
    <decoder name="bind9">
      <prematch> client </prematch>
      <!-- dots escaped so they match only a literal "." -->
      <regex offset="after_prematch">^(\d+\.\d+\.\d+\.\d+)#</regex>
      <order>srcip</order>
    </decoder>
modify rules/named_rules.xml :
    <group name="syslog,named,">
      <rule id="12100" level="0" noalert="1">
        <!-- <decoded_as>named</decoded_as> -->
        <decoded_as>bind9</decoded_as>
        <description>Grouping of the named rules</description>
      </rule>
added to rules/local_rules.xml:
    <group name="named,">
      <rule id="100201" level="5">
        <!-- <if_sid>12100</if_sid> -->
        <!-- the above if_sid didn't work; neither does the below decoded_as -->
        <decoded_as>bind9</decoded_as>
        <match>view external: query: . IN NS </match>
        <description>recursive root query; possible forged attacker</description>
        <group>abuse,</group>
      </rule>
      <rule id="100202" level="10" frequency="5" timeframe="5">
        <if_matched_sid>100201</if_matched_sid>
        <same_source_ip />
        <description>Multiple recursive root queries</description>
      </rule>
    </group>
With appreciation for your consideration,
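Added example, not from the post or from OSSEC itself: a small Python check that replays the bind9 decoder (prematch " client ", then the srcip regex) and the two local rules over constructed query-log lines (addresses made up) to confirm the srcip extraction and the frequency/timeframe escalation behave as intended before loading them into ossec-analysisd. The sliding-window counting is an assumption that approximates OSSEC's frequency/timeframe semantics.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Bind9 querylog format quoted in the post
# (hypothetical addresses, not real traffic).
SAMPLE_LOG = """\
09-Jan-2009 13:41:13.672 client 123.45.67.8#16165: view external: query: . IN NS +
09-Jan-2009 13:41:13.901 client 123.45.67.8#16166: view external: query: . IN NS +
09-Jan-2009 13:41:14.115 client 123.45.67.8#16167: view external: query: . IN NS +
09-Jan-2009 13:41:14.340 client 123.45.67.8#16168: view external: query: . IN NS +
09-Jan-2009 13:41:14.590 client 123.45.67.8#16169: view external: query: . IN NS +
09-Jan-2009 13:41:15.002 client 10.0.0.5#53011: view internal: query: example.com IN A +
09-Jan-2009 13:42:30.000 client 198.51.100.7#40000: view external: query: . IN NS +
"""

PREMATCH = " client "                                   # decoder <prematch>
SRCIP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)#")         # decoder <regex>, after_prematch
TS_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")
MATCH_100201 = "view external: query: . IN NS "          # rule 100201 <match>

def decode(line):
    """Return (timestamp, srcip) like the bind9 decoder would, or None."""
    pos = line.find(PREMATCH)
    if pos < 0:
        return None
    m = SRCIP_RE.match(line[pos + len(PREMATCH):])
    t = TS_RE.match(line)
    if not m or not t:
        return None
    return datetime.strptime(t.group(1), "%d-%b-%Y %H:%M:%S.%f"), m.group(1)

def evaluate(log, frequency=5, timeframe=5):
    """Return (rule_id, srcip, ts) tuples for lines that fire 100201 / 100202."""
    hits = defaultdict(list)   # srcip -> timestamps of recent 100201 matches
    fired = []
    for line in log.splitlines():
        decoded = decode(line)
        if decoded is None or MATCH_100201 not in line:
            continue
        ts, ip = decoded
        fired.append(("100201", ip, ts))
        # same_source_ip: count only this ip's matches inside the timeframe
        window = [h for h in hits[ip] if ts - h <= timedelta(seconds=timeframe)]
        window.append(ts)
        hits[ip] = window
        if len(window) >= frequency:
            fired.append(("100202", ip, ts))
            hits[ip] = []      # start a fresh window after escalating (assumption)
    return fired
```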