cnk,
I did some more research and what I am going to have to do is just specify a
separate log file for the BIND messages. And then point OSSEC to that log file
for named in ossec.conf. I am having all of it spill into /var/log/messages
and that is confusing things right now and causing the wrong rules to trigger.
Now, the question is with active-response. In ossec.conf you can specify the
time you want the IP bans to last, as shown below. But I would like different
times for different rule sets.
For example, I want the active-response 'web' IP bans to last for 600 seconds
and I want the 'named' bans to last for 36 hours.
Is it possible for me to do this? Can I set different active-response
<timeout> settings for different rule sets?
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
Thanks,
================================
Brian Torbich
Voice Marketing, Inc.
http://www.voicemarketing.net
Cell Phone: 412-398-8234
================================
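An added ossec.conf fragment (not from this thread or from the OSSEC project's own documentation) showing the two things discussed above: a dedicated localfile entry so named stops spilling into /var/log/messages, and two separate active-response blocks that reuse the firewall-drop command from the post but scope it by rule group with their own timeouts. The log path is an assumption; the "web" and "named" group names are the ones mentioned in the post, and rules_group / rules_id are the standard OSSEC active-response selectors.

```xml
<ossec_config>
  <!-- Read the dedicated BIND log instead of /var/log/messages.
       The path is an assumption: use whatever file your named.conf
       logging channel writes to. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/named/named.log</location>
  </localfile>

  <!-- Short ban for web rules: 600 seconds.
       Timeout is always in seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_group>web</rules_group>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Long ban for BIND rules: 36 hours = 129600 seconds.
       "named" is the group named_rules.xml rules belong to; to target a
       single rule instead, replace rules_group with
       <rules_id>12108</rules_id>. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_group>named</rules_group>
    <level>6</level>
    <timeout>129600</timeout>
  </active-response>
</ossec_config>
```

Each active-response block is evaluated independently, so an alert only has to satisfy one block's level and group to fire that block's command with that block's timeout. Both blocks still require a matching `<command>` definition for firewall-drop, which the post's config already has.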
----- Original Message -----
From: "cnk" <[email protected]>
To: [email protected]
Sent: Tuesday, February 17, 2009 10:50:45 AM GMT -05:00 US/Canada Eastern
Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
Query cache denied events
Hey Brian,
Can you share some sample log files so we can take a look at the
decoder and rules?
cheers,
cnk
On Mon, Feb 16, 2009 at 3:30 PM, Brian Torbich
<[email protected]> wrote:
>
> Due to the heightened level of BIND DNS attacks lately, I am getting
> thousands upon thousands of 'query (cache) denied' notice messages from BIND.
> Even though there is a rule in named_rules.xml for this type of event, it is
> actually being picked up under rule set syslog_rules.xml as an "Unknown
> problem somewhere in the system".
>
> My question is, how can I troubleshoot this so that it is not picked up by
> the wrong rule set? Is there a way to set authority or priority in the rule
> sets? Also, how can I modify the existing rule #12108 in named_rules.xml to
> use active-response and block the IP address after so many triggers? I am
> looking at some of the pure-ftpd_rules.xml and can get a general idea of what
> to do from there. I am thinking I could just copy the format of the FTP
> Brute Force attack rule.
>
> Thanks in advance for any help you can offer.
>
>
> Regards,
>
> ================================
> Brian Torbich
> Voice Marketing, Inc.
> http://www.voicemarketing.net
> Cell Phone: 412-398-8234
> ================================
>
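For the earlier question about blocking after "so many triggers", here is an added local_rules.xml fragment (example code, not from this thread or the OSSEC project) that follows the same composite-rule pattern the FTP brute-force rule uses: it counts repeats of rule 12108 from one source IP within a time window and raises a higher-level alert that an active-response block can act on. The rule id 100100 is a constructed value in the local-rule range, the frequency and timeframe are arbitrary, and it assumes the named decoder populates srcip for these messages (which is exactly what the sample logs requested above would confirm).

```xml
<group name="local,syslog,named,">
  <!-- Fire once rule 12108 has matched 10 times from the same source IP
       within 120 seconds. Level 10 is above the level-6 threshold used by
       the firewall-drop response, so that response will block the IP.
       Inheriting the "named" group here keeps a rules_group-scoped
       response (and its timeout) applying to this rule too. -->
  <rule id="100100" level="10" frequency="10" timeframe="120">
    <if_matched_sid>12108</if_matched_sid>
    <same_source_ip />
    <description>Multiple BIND 'query (cache) denied' events from same source IP.</description>
    <group>attack,</group>
  </rule>
</group>
```

Test the rule against real lines with ossec-logtest before enabling the response: if the decoder does not extract srcip, same_source_ip will never match and the composite rule will stay silent.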