Hi Amos,

I would recommend that you look at the logtest tool to debug your decoders and rules. We have more information about it at:

http://www.ossec.net/dcid/?p=136

If you run your logs through this tool, it will give you lots of information about what is going on.

thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jan 9, 2009 at 12:23 PM, Amos <[email protected]> wrote:
>
> Hi all.
>
> I've been working, unsuccessfully, at some rules to read my Bind9 querylog
> on a Debian Linux host. It appears that a new decoder is required since
> I'm not logging to syslog. I've done the following, and inquire here for
> additional guidance toward making this work.
>
>
> accept existing etc/ossec.conf:
> <location>/var/log/named/query.log</location>
> and:
> <include>named_rules.xml</include>
>
>
> insert into etc/decoder.xml:
>
> <!-- my Bind9 decoder.
>   - Will extract the srcip
>   - Example:
>     09-Jan-2009 13:41:13.672 client 123.45.67.8#16165: view external: query: . IN NS +
> -->
>
> <decoder name="bind9">
>   <prematch> client </prematch>
>   <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)#</regex>
>   <order>srcip</order>
> </decoder>
>
>
>
> modify rules/named_rules.xml :
>
> <group name="syslog,named,">
>   <rule id="12100" level="0" noalert="1">
>     <!-- <decoded_as>named</decoded_as> -->
>     <decoded_as>bind9</decoded_as>
>     <description>Grouping of the named rules</description>
>   </rule>
>
>
>
> added to rules/local_rules.xml:
>
> <group name="named,">
>
>   <rule id="100201" level="5">
>     <!-- <if_sid>12100</if_sid> -->
>     <!-- the above if_sid didn't work; neither does the below decoded_as -->
>     <decoded_as>bind9</decoded_as>
>     <match>view external: query: . IN NS </match>
>     <description>recursive root query; possible forged attacker</description>
>     <group>abuse,</group>
>   </rule>
>
>   <rule id="100202" level="10" frequency="5" timeframe="5">
>     <if_matched_sid>100201</if_matched_sid>
>     <same_source_ip />
>     <description>Multiple recursive root queries</description>
>   </rule>
>
> </group>
>
>
> With appreciation for your consideration,
>
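To see what the quoted decoder and rules are expected to do with a Bind9 querylog, here is an added model of them in Python (example code written for this thread, not OSSEC's engine). It assumes OSSEC's `.` matches any character, translates the decoder regex literally into Python, and models rule 100202 simply as "fire once `frequency` rule-100201 hits from the same source IP fall within `timeframe` seconds"; the log lines are constructed samples in the format quoted above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the Bind9 querylog format quoted in the thread.
SAMPLE_LOG = """\
09-Jan-2009 13:41:13.672 client 123.45.67.8#16165: view external: query: . IN NS +
09-Jan-2009 13:41:14.101 client 123.45.67.8#16166: view external: query: . IN NS +
09-Jan-2009 13:41:14.533 client 123.45.67.8#16167: view external: query: . IN NS +
09-Jan-2009 13:41:15.002 client 123.45.67.8#16168: view external: query: . IN NS +
09-Jan-2009 13:41:15.480 client 123.45.67.8#16169: view external: query: . IN NS +
09-Jan-2009 13:41:16.000 client 10.0.0.5#5353: view internal: query: www.example.com IN A +
09-Jan-2009 13:41:20.000 client 10.0.0.5#5353: view external: query: . IN NS +
"""

PREMATCH = " client "
# Literal translation of the decoder regex ^(\d+.\d+.\d+.\d+)# (the '.' is "any
# character" in OSSEC's dialect; this is an approximation of that engine, not a copy).
SRCIP_RE = re.compile(r"^(\d+.\d+.\d+.\d+)#")
MATCH_100201 = "view external: query: . IN NS "


def decode_bind9(line):
    """Model of the 'bind9' decoder: find the prematch, then take srcip after it."""
    idx = line.find(PREMATCH)
    if idx < 0:
        return None
    m = SRCIP_RE.match(line[idx + len(PREMATCH):])
    return {"srcip": m.group(1)} if m else None


def parse_ts(line):
    # "09-Jan-2009 13:41:13.672" is the first 24 characters of each querylog line
    return datetime.strptime(line[:24], "%d-%b-%Y %H:%M:%S.%f")


def run_rules(log_text, frequency=5, timeframe=5):
    """Apply rule 100201 (match) and 100202 (frequency/timeframe, same_source_ip)."""
    alerts = []
    recent = defaultdict(deque)  # srcip -> timestamps of recent 100201 hits
    for line in log_text.splitlines():
        fields = decode_bind9(line)
        if fields is None or MATCH_100201 not in line:
            continue
        ts = parse_ts(line)
        alerts.append((100201, fields["srcip"]))
        window = recent[fields["srcip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:  # assumed counting model, see lead-in
            alerts.append((100202, fields["srcip"]))
            window.clear()  # one composite alert per burst
    return alerts
```

Running `run_rules(SAMPLE_LOG)` yields five 100201 alerts and one 100202 alert for 123.45.67.8, and a single 100201 alert for 10.0.0.5; the "view internal" line decodes but matches no rule.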
