Hey Brian,

Can you share some sample log files so we can take a look at the decoder and rules?
cheers,
cnk

On Mon, Feb 16, 2009 at 3:30 PM, Brian Torbich <[email protected]> wrote:
>
> Due to the heightened level of BIND DNS attacks lately, I am getting
> thousands upon thousands of 'query (cache) denied' notice messages from BIND.
> Even though there is a rule in named_rules.xml for this type of event, it is
> actually being picked up under rule set syslog_rules.xml as an "Unknown
> problem somewhere in the system".
>
> My question is, how can I troubleshoot this so that it is not picked up by
> the wrong rule set? Is there a way to set authority or priority in the rule
> sets? Also, how can I modify the existing rule #12108 in named_rules.xml to
> use active-response and block the IP address after so many triggers? I am
> looking at some of the pure-ftpd_rules.xml and can get a general idea of what
> to do from there. I am thinking I could just copy the format of the FTP
> Brute Force attack rule.
>
> Thanks in advance for any help you can offer.
>
>
> Regards,
>
> ================================
> Brian Torbich
> Voice Marketing, Inc.
> http://www.voicemarketing.net
> Cell Phone: 412-398-8234
> ================================
>
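An added example, not part of this thread, of how the active-response idea Brian asks about is normally wired up in OSSEC: a composite rule in local_rules.xml that fires when the existing rule 12108 matches repeatedly from one source IP, plus the ossec.conf block that runs the stock firewall-drop command for it. The rule id 100100, the frequency/timeframe thresholds and the 600 s timeout are assumed values chosen for the example.

```xml
<!-- local_rules.xml: composite rule layered on named_rules.xml rule 12108
     (query (cache) denied). Rule id 100100 and the frequency/timeframe
     thresholds are assumed values for this example. -->
<group name="local,syslog,named,">
  <rule id="100100" level="10" frequency="10" timeframe="120">
    <!-- fire only after rule 12108 has matched 10 times in 120 s ... -->
    <if_matched_sid>12108</if_matched_sid>
    <!-- ... and all of those matches came from the same source IP -->
    <same_source_ip />
    <description>Multiple BIND 'query (cache) denied' messages from the same source IP.</description>
    <group>recon,</group>
  </rule>
</group>

<!-- ossec.conf: when rule 100100 fires, run the firewall-drop command that the
     default ossec.conf already defines (it expects srcip), on the local host,
     and lift the block after 600 s (assumed timeout). -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Before relying on this, paste one of the denied-query lines into /var/ossec/bin/ossec-logtest: if it reports a rule from syslog_rules.xml rather than 12108, the named decoder is not matching the message and the composite rule will never get a chance to fire.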
