Hey Brian,

Your logs don't seem to include the program name (named), which is what throws off the decoder. Here is what they should look like:

Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied

taken from http://www.ossec.net/wiki/index.php/Named

cheers,
cnk

On Fri, Feb 20, 2009 at 3:35 AM, Brian Torbich <[email protected]> wrote:
>
> cnk,
>
> Thanks for all your help so far with this.
>
> Now that I did get my BIND 9 logging straightened out and sending to an
> exclusive named log file, I am still experiencing the same problem.
>
> I used ossec-logtest to see in detail what is going on. I specified the log
> file in ossec.conf as a syslog log_format and everything looks okay as far as
> including named_rules.xml. But it is still not able to find a proper
> decoder. Here is the output from 'ossec-logtest'....
>
>
> 2009/02/20 03:30:38 ossec-testrule: INFO: Started (pid: 8300).
> ossec-testrule: Type one log per line.
>
> 20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) './NS/IN'
> denied
>
>
> **Phase 1: Completed pre-decoding.
> full event: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query
> (cache) './NS/IN' denied'
> hostname: 'web'
> program_name: '(null)'
> log: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache)
> './NS/IN' denied'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> Are my BIND 9 logs not in proper format? I am just using the default
> named_rules.xml, I made no modifications. Also, I can see within this file
> there is actually a rule in there, but it is just not picking it up for some
> reason.
>
> It should be picked up by this rule below found in named_rules.xml....
>
> <rule id="12108" level="2">
> <if_sid>12100</if_sid>
> <match>query (cache) denied</match>
> <description>Query cache denied (maybe config error).</description>
> <info>http://www.reedmedia.net/misc/dns/errors.html</info>
> </rule>
>
>
> Thanks,
>
> ================================
> Brian Torbich
> Voice Marketing, Inc.
> http://www.voicemarketing.net
> Cell Phone: 412-398-8234
> ================================
>
> ----- Original Message -----
> From: "cnk" <[email protected]>
> To: [email protected]
> Sent: Thursday, February 19, 2009 10:50:58 AM GMT -05:00 US/Canada Eastern
> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
> Query cache denied events
>
>
> Hey Brian,
>
> Yes, you can have different active-response for different rule sets.
> To do this use <rules_id> or <rules_group> instead of <level> in your
> active-response configs:
>
> <rules_id>Comma separated list of rules id (0-9)</rules_id>
> <rules_group>Comma separated list of groups (A-Za-z0-9)</rules_group>
>
> cheers,
>
> cnk
>
> On Wed, Feb 18, 2009 at 6:30 PM, Brian Torbich
> <[email protected]> wrote:
>>
>> cnk,
>>
>> I did some more research and what I am going to have to do is just specify a
>> separate log file for the BIND messages. And then point OSSEC to that log
>> file for named in ossec.conf. I am having all of it spill into
>> /var/log/messages and that is confusing things right now and causing the
>> wrong rules to trigger.
>>
>> Now, the question is with active-response. In ossec.conf you can specify
>> the time you want the IP bans to last, as shown below. But I would like
>> different times for different rule sets.
>>
>> For example, I want the active-response 'web' IP bans to last for 600
>> seconds and I want the 'named' bans to last for 36 hours.
>>
>> Is it possible for me to do this? Can I set different active-response
>> <timeout> settings for different rule sets?
>>
>>
>> </active-response>
>>
>> <active-response>
>> <!-- Firewall Drop response. Block the IP for
>> - 600 seconds on the firewall (iptables,
>> - ipfilter, etc).
>> -->
>> <command>firewall-drop</command>
>> <location>local</location>
>> <level>6</level>
>> <timeout>600</timeout>
>> </active-response>
>>
>>
>> Thanks,
>>
>> ================================
>> Brian Torbich
>> Voice Marketing, Inc.
>> http://www.voicemarketing.net
>> Cell Phone: 412-398-8234
>> ================================
>>
>> ----- Original Message -----
>> From: "cnk" <[email protected]>
>> To: [email protected]
>> Sent: Tuesday, February 17, 2009 10:50:45 AM GMT -05:00 US/Canada Eastern
>> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
>> Query cache denied events
>>
>>
>> Hey Brian,
>>
>> Can you share some sample log files so we can take a look at the
>> decoder and rules?
>>
>> cheers,
>>
>> cnk
>>
>> On Mon, Feb 16, 2009 at 3:30 PM, Brian Torbich
>> <[email protected]> wrote:
>>>
>>> Due to the heightened level of BIND DNS attacks lately, I am getting
>>> thousands upon thousands of 'query (cache) denied' notice messages from
>>> BIND. Even though there is a rule in named_rules.xml for this type of
>>> event, it is actually being picked up under rule set syslog_rules.xml as an
>>> "Unknown problem somewhere in the system".
>>>
>>> My question is, how can I troubleshoot this so that it is not picked up
>>> by the wrong rule set? Is there a way to set authority or priority in the
>>> rule sets? Also, how can I modify the existing rule #12108 in
>>> named_rules.xml to use active-response and block the IP address after so
>>> many triggers? I am looking at some of the pure-ftpd_rules.xml and can get
>>> a general idea of what to do from there. I am thinking I could just copy
>>> the format of the FTP Brute Force attack rule.
>>>
>>> Thanks in advance for any help you can offer.
>>>
>>>
>>> Regards,
>>>
>>> ================================
>>> Brian Torbich
>>> Voice Marketing, Inc.
>>> http://www.voicemarketing.net
>>> Cell Phone: 412-398-8234
>>> ================================
>>>
>>
>
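An added example, not part of the thread and not OSSEC's own code, emulating the Phase 1 pre-decoding step cnk is pointing at: a line with a syslog header yields a program_name that the named decoder can key on, while BIND's file-channel format yields none. It assumes a simplified syslog-header regex and uses 'web' as the fallback hostname ossec-logtest reported.

```python
import re

# Syslog header layout OSSEC's pre-decoder expects for a "syslog" log_format:
# "Mon DD HH:MM:SS hostname program[pid]: message" (simplified assumption,
# not OSSEC's actual parser).
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line: str, default_host: str = "web") -> dict:
    """Emulate Phase 1: split a raw line into hostname, program_name and log.

    A line without a syslog header keeps its whole text as 'log' and gets no
    program_name, which is what ossec-logtest showed as program_name: '(null)'.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": default_host, "program_name": None, "log": line}
    return {
        "hostname": m.group("host"),
        "program_name": m.group("prog"),
        "log": m.group("log"),
    }


def named_decoder_reachable(pre: dict) -> bool:
    """The named decoder and named_rules.xml key on program_name 'named';
    without it the event falls through to the generic syslog rules."""
    return pre["program_name"] == "named"


# Both lines are taken from the thread: the wiki-format line cnk quoted and
# the BIND file-channel line Brian fed to ossec-logtest.
SYSLOG_LINE = "Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied"
BARE_LINE = "20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) './NS/IN' denied"

if __name__ == "__main__":
    for line in (SYSLOG_LINE, BARE_LINE):
        pre = predecode(line)
        print(f"program_name={pre['program_name']!r} hostname={pre['hostname']!r}")
        print("  named decoder reachable:", named_decoder_reachable(pre))
```

Running it reproduces the difference in the thread: the syslog-format line carries program_name 'named' and hostname 'ns3', the bare BIND line carries neither.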
