Due to the heightened level of BIND DNS attacks lately, I am getting thousands upon thousands of 'query (cache) denied' notice messages from BIND. Even though there is a rule in named_rules.xml for this type of event, it is actually being picked up under rule set syslog_rules.xml as an "Unknown problem somewhere in the system".
My question is, how can I troubleshoot this so that it is not picked up by the wrong rule set? Is there a way to set authority or priority in the rule sets? Also, how can I modify the existing rule #12108 in named_rules.xml to use active-response and block the IP address after so many triggers? I am looking at some of the pure-ftpd_rules.xml and can get a general idea of what to do from there. I am thinking I could just copy the format of the FTP Brute Force attack rule. Thanks in advance for any help you can offer.

Regards,
================================
Brian Torbich
Voice Marketing, Inc.
http://www.voicemarketing.net
Cell Phone: 412-398-8234
================================
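
One way to build the correlation rule the post asks about, as an added example that is not from this thread or from the OSSEC project: a local_rules.xml rule that fires when rule 12108 has matched repeatedly from one source IP, plus the ossec.conf block that ties it to the stock firewall-drop command. The local rule id 100200, the threshold of 10 hits in 60 seconds and the 600-second timeout are assumptions; the chain only works once the named decoder actually matches the line, since 12108 cannot fire otherwise.

```xml
<!-- Added example: fragment for /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,named,">

  <!-- Correlation rule, modelled on the FTP brute-force pattern the post mentions.
       id 100200 is an assumed id in the local 100000+ range. It fires when rule
       12108 (the "query (cache) denied" rule named in the post) has matched
       10 times within 60 seconds from the same source IP; both numbers are
       assumptions and should be tuned to the resolver's normal traffic. -->
  <rule id="100200" level="10" frequency="10" timeframe="60">
    <if_matched_sid>12108</if_matched_sid>
    <!-- Needs the srcip that the named decoder extracts from "client A.B.C.D#port:" -->
    <same_source_ip />
    <description>Repeated denied DNS cache queries from the same source.</description>
  </rule>

</group>

<!-- Added example: matching fragment for /var/ossec/etc/ossec.conf. It binds the
     new rule to the firewall-drop <command> that ships in the default ossec.conf;
     confirm that command is present (and enabled) before relying on this. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100200</rules_id>
    <!-- Seconds until the address is unblocked again (assumed value) -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Feeding one of the raw BIND log lines to /var/ossec/bin/ossec-logtest shows which decoder and which rule it hits, which is the quickest way to see why a line is landing under syslog_rules.xml instead of 12108 before adding the active response.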
