cnk,
Thanks for all your help so far with this.
Now that I did get my BIND 9 logging straightened out and sending to an
exclusive named log file, I am still experiencing the same problem.
I used ossec-logtest to see in detail what is going on. I specified the log
file in ossec.conf as a syslog log_format and everything looks okay as far as
including named_rules.xml. But it is still not able to find a proper decoder.
Here is the output from 'ossec-logtest'....
2009/02/20 03:30:38 ossec-testrule: INFO: Started (pid: 8300).
ossec-testrule: Type one log per line.
20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) './NS/IN' denied
**Phase 1: Completed pre-decoding.
full event: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) './NS/IN' denied'
hostname: 'web'
program_name: '(null)'
log: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) './NS/IN' denied'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
Are my BIND 9 logs not in proper format? I am just using the default
named_rules.xml, I made no modifications. Also, I can see within this file
there is actually a rule in there, but it is just not picking it up for some
reason.
It should be picked up by this rule below found in named_rules.xml....
<rule id="12108" level="2">
  <if_sid>12100</if_sid>
  <match>query (cache) denied</match>
  <description>Query cache denied (maybe config error).</description>
  <info>http://www.reedmedia.net/misc/dns/errors.html</info>
</rule>
Thanks,
================================
Brian Torbich
Voice Marketing, Inc.
http://www.voicemarketing.net
Cell Phone: 412-398-8234
================================
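A toy model of the three ossec-logtest phases shown above, added here as an illustration and not OSSEC's own code. It shows why a line that BIND writes to its own log file (native '20-Feb-2009 02:36:17.558' timestamp, no syslog header) pre-decodes with an empty program_name, which logtest prints as '(null)', so the named decoder never matches and only the generic rule fires, while the same message carried through syslog arrives with the 'named' program name. Assumptions: OSSEC's stock named decoder is taken to select on program_name '^named'; rule 1002 is modelled as a plain fallback for undecoded lines (in OSSEC it is a keyword rule, so this is a simplification); the matcher implements only the '^', '$' and '|' specials. Both sample log lines are constructed for the example.

```python
"""Toy model of ossec-logtest phases 1-3 (illustration, not OSSEC code).
Assumed: the named decoder keys on program_name '^named'; rule 1002 is
simplified to a fallback for lines no decoder claimed."""
import re

# Classic syslog header: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<prog>[^\s\[:]+)(?:\[\d+\])?: )?"
    r"(?P<log>.*)$"
)

# Decoder table modelled on decoder.xml (assumed content, see docstring).
DECODERS = [{"name": "named", "program_name": "^named"}]

# Rule table: 12100 stands for the named grouping rule, 12108 is the rule
# quoted in the thread (if_sid 12100 plus match), 1002 the generic fallback.
RULES = [
    {"id": 12100, "level": 0, "decoded_as": "named", "if_sid": None,
     "match": None, "description": "Grouping of the named rules."},
    {"id": 12108, "level": 2, "decoded_as": None, "if_sid": 12100,
     "match": "query (cache) denied",
     "description": "Query cache denied (maybe config error)."},
]
GENERIC_RULE = {"id": 1002, "level": 2,
                "description": "Unknown problem somewhere in the system."}


def os_match(pattern, text):
    """Minimal OSSEC-style <match>/<program_name> semantics: '|' separates
    alternatives, '^' anchors the start, '$' the end; everything else is a
    literal substring (parentheses are not special)."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lo = 1 if start else 0
        hi = len(alt) - 1 if end else len(alt)
        core = alt[lo:hi]
        if start and end and text == core:
            return True
        if start and not end and text.startswith(core):
            return True
        if end and not start and text.endswith(core):
            return True
        if not start and not end and core in text:
            return True
    return False


def predecode(line, default_host="web"):
    """Phase 1: split a raw event into hostname, program_name and log.
    Without a syslog header the local hostname is used and program_name is
    None (what logtest prints as '(null)')."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return {"hostname": default_host, "program_name": None, "log": line}
    return {"hostname": m.group("host"), "program_name": m.group("prog"),
            "log": m.group("log")}


def decode(event):
    """Phase 2: first decoder whose program_name pattern matches, else None."""
    prog = event["program_name"]
    if prog is None:
        return None
    for d in DECODERS:
        if os_match(d["program_name"], prog):
            return d["name"]
    return None


def filter_rules(event, decoder):
    """Phase 3: a rule with decoded_as needs that decoder, a rule with if_sid
    needs its parent to have fired, a rule with match needs the substring."""
    fired = []
    for r in RULES:
        if r["decoded_as"] and r["decoded_as"] != decoder:
            continue
        if r["if_sid"] and r["if_sid"] not in [f["id"] for f in fired]:
            continue
        if r["match"] and not os_match(r["match"], event["log"]):
            continue
        fired.append(r)
    return fired[-1] if fired else GENERIC_RULE


def logtest(line):
    """Run all three phases; return (program_name, decoder, rule id)."""
    event = predecode(line)
    decoder = decode(event)
    return event["program_name"], decoder, filter_rules(event, decoder)["id"]


# Constructed samples: the line from the thread as BIND wrote it to its own
# log file, and the same message as syslog would have recorded it.
FILE_LINE = ("20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: "
             "query (cache) './NS/IN' denied")
SYSLOG_LINE = ("Feb 20 02:36:17 web named[8300]: client 62.109.4.89#11357: "
               "query (cache) './NS/IN' denied")

if __name__ == "__main__":
    for line in (FILE_LINE, SYSLOG_LINE):
        print(logtest(line))
```

Run stand-alone, the file-format line comes back as (None, None, 1002), mirroring the logtest output above, and the syslog-format line as ('named', 'named', 12100). Note that in this literal matcher the quoted `<match>` text is not a verbatim substring of the logged message because of the './NS/IN' token between 'query (cache)' and 'denied', so only the grouping rule fires; whatever the real matcher does with that string, the first thing the thread's output shows missing is the program name that routes the event to the named rule family at all.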
----- Original Message -----
From: "cnk" <[email protected]>
To: [email protected]
Sent: Thursday, February 19, 2009 10:50:58 AM GMT -05:00 US/Canada Eastern
Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
Query cache denied events
Hey Brian,
Yes, you can have different active-response for different rule sets.
To do this use <rules_id> or <rules_group> instead of <level> in your
active-response configs:
<rules_id>Comma separated list of rules id (0-9)</rules_id>
<rules_group>Comma separated list of groups (A-Za-z0-9)</rules_group>
cheers,
cnk
On Wed, Feb 18, 2009 at 6:30 PM, Brian Torbich
<[email protected]> wrote:
>
> cnk,
>
> I did some more research and what I am going to have to do is just specify a
> separate log file for the BIND messages. And then point OSSEC to that log
> file for named in ossec.conf. I am having all of it spill into
> /var/log/messages and that is confusing things right now and causing the
> wrong rules to trigger.
>
> Now, the question is with active-response. In ossec.conf you can specify
> the time you want the IP bans to last, as shown below. But I would like
> different times for different rule sets.
>
> For example, I want the active-response 'web' IP bans to last for 600 seconds
> and I want the 'named' bans to last for 36 hours.
>
> Is it possible for me to do this? Can I set different active-response
> <timeout> settings for different rule sets?
>
>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 600 seconds on the firewall (iptables,
> - ipfilter, etc).
> -->
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>600</timeout>
> </active-response>
>
>
> Thanks,
>
>
> ----- Original Message -----
> From: "cnk" <[email protected]>
> To: [email protected]
> Sent: Tuesday, February 17, 2009 10:50:45 AM GMT -05:00 US/Canada Eastern
> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
> Query cache denied events
>
>
> Hey Brian,
>
> Can you share some sample log files so we can take a look at the
> decoder and rules?
>
> cheers,
>
> cnk
>
> On Mon, Feb 16, 2009 at 3:30 PM, Brian Torbich
> <[email protected]> wrote:
>>
>> Due to the heightened level of BIND DNS attacks lately, I am getting
>> thousands upon thousands of 'query (cache) denied' notice messages from
>> BIND. Even though there is a rule in named_rules.xml for this type of
>> event, it is actually being picked up under rule set syslog_rules.xml as an
>> "Unknown problem somewhere in the system".
>>
>> My question is, how can I troubleshoot this so that it is not picked up by
>> the wrong rule set? Is there a way to set authority or priority in the rule
>> sets? Also, how can I modify the existing rule #12108 in named_rules.xml to
>> use active-response and block the IP address after so many triggers? I am
>> looking at some of the pure-ftpd_rules.xml and can get a general idea of
>> what to do from there. I am thinking I could just copy the format of the
>> FTP Brute Force attack rule.
>>
>> Thanks in advance for any help you can offer.
>>
>>
>> Regards,
>>
>>
>
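A worked example of the <rules_id> / <rules_group> selectors cnk describes, added to this thread and not OSSEC's own code: two active-response blocks apply different <timeout> values to different rule sets, with the severity-based block from Brian's snippet kept alongside them. The config text is constructed for the example; OSSEC's selection is modelled here as "every selector present in a block (<level>, <rules_id>, <rules_group>) must hold for the alert", with <level> a minimum, and <timeout> in seconds as in the thread's snippet (36 hours = 129600). The 'web' group name, the use of rule 12108 as the named trigger and the local rule id 100001 are assumptions for illustration.

```python
"""Which active-response block fires for which alert (illustration, not
OSSEC code). Modelled semantics: every selector present in a block must
hold; <level> is a minimum, <rules_id> a membership test, <rules_group>
matches when the alert carries any listed group."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment: web bans 600 s, named bans 36 h, plus the
# severity catch-all from the original snippet.
OSSEC_CONF = """\
<ossec_config>
  <active-response>
    <!-- web bans: 600 seconds (group name 'web' is assumed) -->
    <command>firewall-drop</command>
    <location>local</location>
    <rules_group>web</rules_group>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <!-- named bans: 36 hours = 129600 seconds; 12108 is the rule quoted in
         the thread -->
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>12108</rules_id>
    <timeout>129600</timeout>
  </active-response>
  <active-response>
    <!-- catch-all by severity, as in the original snippet -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""


def _text(elem, tag):
    """Stripped text of a child element, or None when absent/empty."""
    node = elem.find(tag)
    return node.text.strip() if node is not None and node.text else None


def parse_active_responses(conf_text):
    """Return one dict per <active-response> block with parsed selectors."""
    root = ET.fromstring(conf_text)
    blocks = []
    for ar in root.findall("active-response"):
        level = _text(ar, "level")
        rules_id = _text(ar, "rules_id")
        rules_group = _text(ar, "rules_group")
        timeout = _text(ar, "timeout")
        blocks.append({
            "command": _text(ar, "command"),
            "location": _text(ar, "location"),
            "level": int(level) if level else None,
            # comma-separated lists as in cnk's description
            "rules_id": {int(x) for x in rules_id.split(",")} if rules_id else None,
            "rules_group": {g.strip() for g in rules_group.split(",")} if rules_group else None,
            "timeout": int(timeout) if timeout else None,
        })
    return blocks


def matching_responses(blocks, rule_id, level, groups):
    """List of (command, timeout) for every block whose selectors all hold."""
    hits = []
    for b in blocks:
        if b["level"] is not None and level < b["level"]:
            continue
        if b["rules_id"] is not None and rule_id not in b["rules_id"]:
            continue
        if b["rules_group"] is not None and not (b["rules_group"] & set(groups)):
            continue
        hits.append((b["command"], b["timeout"]))
    return hits


if __name__ == "__main__":
    blocks = parse_active_responses(OSSEC_CONF)
    # Constructed alerts: a named cache-denied event (rule 12108, level 2)
    # and a level-6 web alert from an assumed local rule 100001.
    print(matching_responses(blocks, 12108, 2, ["named"]))
    print(matching_responses(blocks, 100001, 6, ["web", "attack"]))
```

The named alert selects only the 129600-second block, because the 'web' group does not match and its level 2 is below the catch-all's threshold of 6. The level-6 web alert, however, matches both the 'web' block and the severity catch-all, so the same command is issued twice; when moving from <level> to <rules_id>/<rules_group>, it is worth checking that a leftover severity block does not overlap the rule-specific ones.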