cnk,

I fixed the problem and I see it is now using the proper decoder, but still not 
using the correct rule set.  It is still applying the syslog_rules.xml instead 
of the named_rules.xml.

2009/02/20 13:18:50 ossec-testrule: INFO: Started (pid: 11710).
ossec-testrule: Type one log per line.

Feb 20 13:03:29 web named[6679]: client 62.109.4.89#27937: query (cache) 
'./NS/IN' denied


**Phase 1: Completed pre-decoding.
       full event: 'Feb 20 13:03:29 web named[6679]: client 62.109.4.89#27937: 
query (cache) './NS/IN' denied'
       hostname: 'web'
       program_name: 'named'
       log: 'client 62.109.4.89#27937: query (cache) './NS/IN' denied'

**Phase 2: Completed decoding.
       decoder: 'named'
       srcip: '62.109.4.89'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


Any ideas?  


Thanks,

================================
Brian Torbich
Voice Marketing, Inc.
http://www.voicemarketing.net
Cell Phone: 412-398-8234
================================

----- Original Message -----
From: "cnk" <[email protected]>
To: [email protected]
Sent: Friday, February 20, 2009 10:51:34 AM GMT -05:00 US/Canada Eastern
Subject: [ossec-list] Re: active-response rules for blocking multiple BIND  
Query cache denied events


Hey Brian,

Your logs don't seem to include the program name (named) which is what
throws off the decoder.  Here are what they should look like:

Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied

taken from http://www.ossec.net/wiki/index.php/Named

cheers,

cnk

On Fri, Feb 20, 2009 at 3:35 AM, Brian Torbich
<[email protected]> wrote:
>
> cnk,
>
> Thanks for all your help so far with this.
>
> Now that I did get my BIND 9 logging straightened out and sending to an 
> exclusive named log file, I am still experiencing the same problem.
>
> I used ossec-logtest to see in detail what is going on.  I specified the log 
> file in ossec.conf as a syslog log_format and everything looks okay as far as 
> including named_rules.xml.  But it is still not able to find a proper 
> decoder.  Here is the output from 'ossec-logtest'....
>
>
> 2009/02/20 03:30:38 ossec-testrule: INFO: Started (pid: 8300).
> ossec-testrule: Type one log per line.
>
> 20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) './NS/IN' 
> denied
>
>
> **Phase 1: Completed pre-decoding.
>       full event: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query 
> (cache) './NS/IN' denied'
>       hostname: 'web'
>       program_name: '(null)'
>       log: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) 
> './NS/IN' denied'
>
> **Phase 2: Completed decoding.
>       No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>       Rule id: '1002'
>       Level: '2'
>       Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> Are my BIND 9 logs not in proper format?  I am just using the default 
> named_rules.xml, I made no modifications.  Also, I can see within this file 
> there is actually a rule in there, but it is just not picking it up for some 
> reason.
>
> It should be picked up by this rule below found in named_rules.xml....
>
>  <rule id="12108" level="2">
>    <if_sid>12100</if_sid>
>    <match>query (cache) denied</match>
>    <description>Query cache denied (maybe config error).</description>
>    <info>http://www.reedmedia.net/misc/dns/errors.html</info>
>  </rule>
>
>
> Thanks,
>
> ================================
> Brian Torbich
> Voice Marketing, Inc.
> http://www.voicemarketing.net
> Cell Phone: 412-398-8234
> ================================
>
> ----- Original Message -----
> From: "cnk" <[email protected]>
> To: [email protected]
> Sent: Thursday, February 19, 2009 10:50:58 AM GMT -05:00 US/Canada Eastern
> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND  
> Query cache denied events
>
>
> Hey Brian,
>
> Yes, you can have different active-response for different rule sets.
> To do this use <rules_id> or <rules_group> instead of <level> in your
> active-response configs:
>
> <rules_id>Comma separated list of rules id (0-9)</rules_id>
> <rules_group>Comma separated list of groups (A-Za-z0-9)</rules_group>
>
> cheers,
>
> cnk
>
> On Wed, Feb 18, 2009 at 6:30 PM, Brian Torbich
> <[email protected]> wrote:
>>
>> cnk,
>>
>> I did some more research and what I am going to have to do is just specify a 
>> separate log file for the BIND messages.  And then point OSSEC to that log 
>> file for named in ossec.conf.  I am having all of it spill into 
>> /var/log/messages and that is confusing things right now and causing the 
>> wrong rules to trigger.
>>
>> Now, the question is with active-response.  In ossec.conf you can specify 
>> the time you want the IP bans to last, as shown below.  But I would like 
>> different times for different rule sets.
>>
>> For example, I want the active-response 'web' IP bans to last for 600 
>> seconds and I want the 'named' bans to last for 36 hours.
>>
>> Is it possible for me to do this?  Can I set different active-response 
>> <timeout> settings for different rule sets?
>>
>>
>>  </active-response>
>>
>>  <active-response>
>>    <!-- Firewall Drop response. Block the IP for
>>       - 600 seconds on the firewall (iptables,
>>       - ipfilter, etc).
>>      -->
>>    <command>firewall-drop</command>
>>    <location>local</location>
>>    <level>6</level>
>>    <timeout>600</timeout>
>>  </active-response>
>>
>>
>> Thanks,
>>
>> ================================
>> Brian Torbich
>> Voice Marketing, Inc.
>> http://www.voicemarketing.net
>> Cell Phone: 412-398-8234
>> ================================
>>
>> ----- Original Message -----
>> From: "cnk" <[email protected]>
>> To: [email protected]
>> Sent: Tuesday, February 17, 2009 10:50:45 AM GMT -05:00 US/Canada Eastern
>> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND  
>> Query cache denied events
>>
>>
>> Hey Brian,
>>
>> Can you share some sample log files so we can take a look at the
>> decoder and rules?
>>
>> cheers,
>>
>> cnk
>>
>> On Mon, Feb 16, 2009 at 3:30 PM, Brian Torbich
>> <[email protected]> wrote:
>>>
>>> Due to the heightened level of BIND DNS attacks lately, I am getting 
>>> thousands upon thousands of 'query (cache) denied' notice messages from 
>>> BIND.  Even though there is a rule in named_rules.xml for this type of 
>>> event, it is actually being picked up under rule set syslog_rules.xml as an 
>>> "Unknown problem somewhere in the system".
>>>
>>> My question is, how can I troubleshoot this so that it is not picked up 
>>> by the wrong rule set?  Is there a way to set authority or priority in the 
>>> rule sets?  Also, how can I modify the existing rule #12108 in 
>>> named_rules.xml to use active-response and block the IP address after so 
>>> many triggers?  I am looking at some of the pure-ftpd_rules.xml and can get 
>>> a general idea of what to do from there.  I am thinking I could just copy 
>>> the format of the FTP Brute Force attack rule.
>>>
>>> Thanks in advance for any help you can offer.
>>>
>>>
>>> Regards,
>>>
>>> ================================
>>> Brian Torbich
>>> Voice Marketing, Inc.
>>> http://www.voicemarketing.net
>>> Cell Phone: 412-398-8234
>>> ================================
>>>
>>
>
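The logtest output at the top of the thread shows the 'named' decoder matching while rule 1002 still fires: an OSSEC `<match>` is a literal substring test, and the text 'query (cache) denied' from rule 12108 does not occur in the quoted event, where './NS/IN' sits between '(cache)' and 'denied'. The following is an added example, not from the thread or from the stock OSSEC rule set, of a local rule that matches that event form, a composite rule that escalates repeated hits from one source IP, and the per-rule active-response timeouts cnk describes; the rule ids 100100/100101, the frequency and timeframe values, and the 'web' group name are assumptions.

```xml
<!-- local_rules.xml: ids 100000 and up are reserved for local rules -->
<group name="local,named,">

  <!-- Match the event as it appears in the logtest output: the text between
       '(cache)' and 'denied' varies ('./NS/IN'), so test the fixed substring
       'query (cache)' and, separately, that the log ends in 'denied'.
       Both <match> and <regex> must hold for the rule to fire. -->
  <rule id="100100" level="2">
    <if_sid>12100</if_sid>
    <match>query (cache)</match>
    <regex>denied$</regex>
    <description>BIND query (cache) denied (any record type).</description>
  </rule>

  <!-- Composite rule (assumed thresholds): once 100100 has hit the frequency
       threshold from the same source IP inside the timeframe, raise a level 10
       alert. same_source_ip relies on the srcip field the 'named' decoder
       extracted in Phase 2 of the logtest output. -->
  <rule id="100101" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Multiple BIND query (cache) denied from same source.</description>
  </rule>

</group>

<!-- ossec.conf: key each firewall-drop response on a rule id or group instead
     of <level>, so the named and web bans get different timeouts. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>129600</timeout>  <!-- 36 hours, as asked for in the thread -->
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_group>web</rules_group>  <!-- assumed: web alerts carry group 'web' -->
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Running ossec-logtest again after adding the local rules should report rule 100100 for the single event and 100101 once the threshold is crossed.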
