Hey Brian,
Yeah, it's still a log format issue. Using ossec-logtest -f you get a
full output of the rule matching and you'll see that it matches rule
12100 and tries all child named rules.
**Phase 1: Completed pre-decoding.
full event: 'Feb 20 13:03:29 web named[6679]: client
62.109.4.89#27937: query (cache) './NS/IN' denied'
hostname: 'web'
program_name: 'named'
log: 'client 62.109.4.89#27937: query (cache) './NS/IN' denied'
**Phase 2: Completed decoding.
decoder: 'named'
srcip: '62.109.4.89'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
Trying rule: 5600 - Grouping for the telnetd rules
Trying rule: 2100 - NFS rules grouped.
Trying rule: 2701 - Ignoring procmail messages.
Trying rule: 2800 - Pre-match rule for smartd.
Trying rule: 5100 - Pre-match rule for kernel messages
Trying rule: 5200 - Ignoring hpiod for producing useless logs.
Trying rule: 2830 - Crontab rule group.
Trying rule: 5300 - Initial grouping for su messages.
Trying rule: 5400 - Initial group for sudo messages
Trying rule: 9100 - PPTPD messages grouped
Trying rule: 9200 - Squid syslog messages grouped
Trying rule: 2900 - Dpkg (Debian Package) log.
Trying rule: 7200 - Grouping of the arpwatch rules.
Trying rule: 7300 - Grouping of Symantec AV rules.
Trying rule: 7400 - Grouping of Symantec Web Security rules.
Trying rule: 4300 - Grouping of PIX rules
Trying rule: 12100 - Grouping of the named rules
*Rule 12100 matched.
*Trying child rules.
Trying rule: 12107 - DNS update using RFC2136 Dynamic protocol.
Trying rule: 12101 - Invalid DNS packet. Possibility of attack.
Trying rule: 12109 - Named fatal error. DNS service going down.
Trying rule: 12102 - Failed attempt to perform a zone transfer.
Trying rule: 12103 - DNS update denied. Generally mis-configuration.
Trying rule: 12104 - Log permission misconfiguration in Named.
Trying rule: 12105 - Unexpected error while resolving domain.
Trying rule: 12106 - DNS configuration error.
Trying rule: 12108 - Query cache denied (maybe config error).
Trying rule: 13100 - Grouping for the smbd rules.
Trying rule: 11400 - Grouping for the vsftpd rules.
Trying rule: 11300 - Grouping for the pure-ftpd rules.
Trying rule: 11200 - Grouping for the proftpd rules.
Trying rule: 11500 - Grouping for the Microsoft ftp rules.
Trying rule: 11100 - Grouping for the ftpd rules.
Trying rule: 9300 - Grouping for the Horde imp rules.
Trying rule: 9900 - Grouping for the vpopmail rules.
Trying rule: 9800 - Grouping for the vm-pop3d rules.
Trying rule: 3900 - Grouping for the courier rules.
Trying rule: 30100 - Apache messages grouped.
Trying rule: 50100 - MySQL messages grouped.
Trying rule: 50500 - PostgreSQL messages grouped.
Trying rule: 4700 - Grouping of Cisco IOS rules.
Trying rule: 4500 - Grouping for the Netscreen Firewall rules
Trying rule: 4800 - SonicWall messages grouped.
Trying rule: 3300 - Grouping of the postfix reject rules.
Trying rule: 3320 - Grouping of the postfix rules.
Trying rule: 3390 - Grouping of the clamsmtpd rules.
Trying rule: 3100 - Grouping of the sendmail rules.
Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
Trying rule: 3600 - Grouping of the imapd rules.
Trying rule: 3700 - Grouping of mailscanner rules.
Trying rule: 3800 - Grouping of Exchange rules.
Trying rule: 14100 - Grouping of racoon rules.
Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
Trying rule: 3500 - Grouping for the spamd rules
Trying rule: 31200 - Grouping of Zeus rules.
Trying rule: 6100 - Solaris BSM Auditing messages grouped.
Trying rule: 19100 - VMWare messages grouped.
Trying rule: 19101 - VMWare ESX syslog messages grouped.
Trying rule: 40102 - Buffer overflow attack on rpc.statd
Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
Trying rule: 1003 - Non standard syslog message (size too large).
Trying rule: 40104 - Possible buffer overflow attempt.
Trying rule: 40105 - "Null" user changed some information.
Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
Trying rule: 40109 - Stack overflow attempt or program exiting
with SEGV (Solaris).
Trying rule: 2301 - Excessive number connections to a service.
Trying rule: 2502 - User missed the password more than one time
Trying rule: 100005 - (null)
Trying rule: 2504 - Illegal root login.
Trying rule: 7101 - Problems with the tripwire checking
Trying rule: 5901 - New group added to the system
Trying rule: 5902 - New user added to the system
Trying rule: 5904 - Information from the user was changed
Trying rule: 12110 - Serial number from master is lower than stored.
Trying rule: 12111 - Unable to perform zone transfer.
Trying rule: 1007 - File system full.
Trying rule: 30200 - Modsecurity alert.
Trying rule: 5604 - Reverse lookup error (bad hostname config).
Trying rule: 1004 - Syslogd exiting (logging stopped).
Trying rule: 1005 - Syslogd restarted.
Trying rule: 1006 - Syslogd restarted.
Trying rule: 2501 - User authentication failure.
Trying rule: 2503 - Connection blocked by Tcp Wrappers.
Trying rule: 14101 - VPN authentication failed.
Trying rule: 2103 - Unable to mount the NFS directory.
Trying rule: 12112 - Zone transfer error.
Trying rule: 2505 - Physical root login.
Trying rule: 2506 - Pop3 Authentication passed.
Trying rule: 11309 - FTP Authentication success.
Trying rule: 1001 - File missing. Root access unrestricted.
Trying rule: 1002 - Unknown problem somewhere in the system.
*Rule 1002 matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
You're hoping it will match rule 12108; however, 12108 looks for
<match>query (cache) denied</match>, whereas your log has query
(cache) './NS/IN' denied. You could create a custom local rule to catch
your variation.
cheers,
cnk
On Fri, Feb 20, 2009 at 2:07 PM, Brian Torbich
<[email protected]> wrote:
>
> cnk,
>
> I fixed the problem and I see it is now using the proper decoder, but still
> not using the correct rule set. It is still applying the syslog_rules.xml
> instead of the named_rules.xml.
>
> 2009/02/20 13:18:50 ossec-testrule: INFO: Started (pid: 11710).
> ossec-testrule: Type one log per line.
>
> Feb 20 13:03:29 web named[6679]: client 62.109.4.89#27937: query (cache)
> './NS/IN' denied
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'Feb 20 13:03:29 web named[6679]: client 62.109.4.89#27937:
> query (cache) './NS/IN' denied'
> hostname: 'web'
> program_name: 'named'
> log: 'client 62.109.4.89#27937: query (cache) './NS/IN' denied'
>
> **Phase 2: Completed decoding.
> decoder: 'named'
> srcip: '62.109.4.89'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
>
> Any ideas?
>
>
> Thanks,
>
> ================================
> Brian Torbich
> Voice Marketing, Inc.
> http://www.voicemarketing.net
> Cell Phone: 412-398-8234
> ================================
>
> ----- Original Message -----
> From: "cnk" <[email protected]>
> To: [email protected]
> Sent: Friday, February 20, 2009 10:51:34 AM GMT -05:00 US/Canada Eastern
> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
> Query cache denied events
>
>
> Hey Brian,
>
> Your logs don't seem to include the program name (named) which is what
> throws off the decoder. Here are what they should look like:
>
> Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied
>
> taken from http://www.ossec.net/wiki/index.php/Named
>
> cheers,
>
> cnk
>
> On Fri, Feb 20, 2009 at 3:35 AM, Brian Torbich
> <[email protected]> wrote:
>>
>> cnk,
>>
>> Thanks for all your help so far with this.
>>
>> Now that I did get my BIND 9 logging straightened out and sending to an
>> exclusive named log file, I am still experiencing the same problem.
>>
>> I used ossec-logtest to see in detail what is going on. I specified the log
>> file in ossec.conf as a syslog log_format and everything looks okay as far
>> as including named_rules.xml. But it is still not able to find a proper
>> decoder. Here is the output from 'ossec-logtest'....
>>
>>
>> 2009/02/20 03:30:38 ossec-testrule: INFO: Started (pid: 8300).
>> ossec-testrule: Type one log per line.
>>
>> 20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache) './NS/IN'
>> denied
>>
>>
>> **Phase 1: Completed pre-decoding.
>> full event: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query
>> (cache) './NS/IN' denied'
>> hostname: 'web'
>> program_name: '(null)'
>> log: '20-Feb-2009 02:36:17.558 client 62.109.4.89#11357: query (cache)
>> './NS/IN' denied'
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '1002'
>> Level: '2'
>> Description: 'Unknown problem somewhere in the system.'
>> **Alert to be generated.
>>
>> Are my BIND 9 logs not in proper format? I am just using the default
>> named_rules.xml, I made no modifications. Also, I can see within this file
>> there is actually a rule in there, but it is just not picking it up for some
>> reason.
>>
>> It should be picked up by this rule below found in named_rules.xml....
>>
>> <rule id="12108" level="2">
>> <if_sid>12100</if_sid>
>> <match>query (cache) denied</match>
>> <description>Query cache denied (maybe config error).</description>
>> <info>http://www.reedmedia.net/misc/dns/errors.html</info>
>> </rule>
>>
>>
>> Thanks,
>>
>> ================================
>> Brian Torbich
>> Voice Marketing, Inc.
>> http://www.voicemarketing.net
>> Cell Phone: 412-398-8234
>> ================================
>>
>> ----- Original Message -----
>> From: "cnk" <[email protected]>
>> To: [email protected]
>> Sent: Thursday, February 19, 2009 10:50:58 AM GMT -05:00 US/Canada Eastern
>> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
>> Query cache denied events
>>
>>
>> Hey Brian,
>>
>> Yes, you can have different active-response for different rule sets.
>> To do this use <rules_id> or <rules_group> instead of <level> in your
>> active-response configs:
>>
>> <rules_id>Comma separated list of rules id (0-9)</rules_id>
>> <rules_group>Comma separated list of groups (A-Za-z0-9)</rules_group>
>>
>> cheers,
>>
>> cnk
>>
>> On Wed, Feb 18, 2009 at 6:30 PM, Brian Torbich
>> <[email protected]> wrote:
>>>
>>> cnk,
>>>
>>> I did some more research and what I am going to have to do is just specify
>>> a separate log file for the BIND messages. And then point OSSEC to that
>>> log file for named in ossec.conf. I am having all of it spill into
>>> /var/log/messages and that is confusing things right now and causing the
>>> wrong rules to trigger.
>>>
>>> Now, the question is with active-response. In ossec.conf you can specify
>>> the time you want the IP bans to last, as shown below. But I would like
>>> different times for different rule sets.
>>>
>>> For example, I want the active-response 'web' IP bans to last for 600
>>> seconds and I want the 'named' bans to last for 36 hours.
>>>
>>> Is it possible for me to do this? Can I set different active-response
>>> <timeout> settings for different rule sets?
>>>
>>>
>>> </active-response>
>>>
>>> <active-response>
>>> <!-- Firewall Drop response. Block the IP for
>>> - 600 seconds on the firewall (iptables,
>>> - ipfilter, etc).
>>> -->
>>> <command>firewall-drop</command>
>>> <location>local</location>
>>> <level>6</level>
>>> <timeout>600</timeout>
>>> </active-response>
>>>
>>>
>>> Thanks,
>>>
>>> ================================
>>> Brian Torbich
>>> Voice Marketing, Inc.
>>> http://www.voicemarketing.net
>>> Cell Phone: 412-398-8234
>>> ================================
>>>
>>> ----- Original Message -----
>>> From: "cnk" <[email protected]>
>>> To: [email protected]
>>> Sent: Tuesday, February 17, 2009 10:50:45 AM GMT -05:00 US/Canada Eastern
>>> Subject: [ossec-list] Re: active-response rules for blocking multiple BIND
>>> Query cache denied events
>>>
>>>
>>> Hey Brian,
>>>
>>> Can you share some sample log files so we can take a look at the
>>> decoder and rules?
>>>
>>> cheers,
>>>
>>> cnk
>>>
>>> On Mon, Feb 16, 2009 at 3:30 PM, Brian Torbich
>>> <[email protected]> wrote:
>>>>
>>>> Due to the heightened level of BIND DNS attacks lately, I am getting
>>>> thousands upon thousands of 'query (cache) denied' notice messages from
>>>> BIND. Even though there is a rule in named_rules.xml for this type of
>>>> event, it is actually being picked up under rule set syslog_rules.xml as
>>>> an "Unknown problem somewhere in the system".
>>>>
>>>> My question is, how can I troubleshoot this so that it is not picked up
>>>> by the wrong rule set? Is there a way to set authority or priority in the
>>>> rule sets? Also, how can I modify the existing rule #12108 in
>>>> named_rules.xml to use active-response and block the IP address after so
>>>> many triggers? I am looking at some of the pure-ftpd_rules.xml and can
>>>> get a general idea of what to do from there. I am thinking I could just
>>>> copy the format of the FTP Brute Force attack rule.
>>>>
>>>> Thanks in advance for any help you can offer.
>>>>
>>>>
>>>> Regards,
>>>>
>>>> ================================
>>>> Brian Torbich
>>>> Voice Marketing, Inc.
>>>> http://www.voicemarketing.net
>>>> Cell Phone: 412-398-8234
>>>> ================================
>>>>
>>>
>>
>
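The matching problem cnk diagnoses above (OSSEC's <match> is a plain substring test, so the stock "query (cache) denied" never appears inside "query (cache) './NS/IN' denied") and the follow-up question about blocking a source after repeated hits can both be seen in a small simulation. The following Python is an added example written for this thread; it is not code from OSSEC or from either poster. It assumes: the syslog and named decoding steps are modelled with ordinary Python regexes (OSSEC's own <regex> syntax differs); the custom rule id 100100 is hypothetical; the frequency/timeframe/same-source counting is a simplified model of OSSEC's frequency, timeframe and same_source_ip options; and all sample lines except the two taken from the thread are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input. Line 1 is the event Brian fed to ossec-logtest and the
# last line is the wiki example cnk linked; the lines in between are fabricated
# repeats from the same source so the frequency check has something to count.
SAMPLE_LINES = [
    "Feb 20 13:03:29 web named[6679]: client 62.109.4.89#27937: query (cache) './NS/IN' denied",
    "Feb 20 13:03:30 web named[6679]: client 62.109.4.89#27938: query (cache) './NS/IN' denied",
    "Feb 20 13:03:31 web named[6679]: client 62.109.4.89#27939: query (cache) './NS/IN' denied",
    "Feb 20 13:03:32 web named[6679]: client 62.109.4.89#27940: query (cache) './NS/IN' denied",
    "Feb 20 13:03:33 web named[6679]: client 62.109.4.89#27941: query (cache) './NS/IN' denied",
    "Feb 20 13:03:34 web named[6679]: client 62.109.4.89#27942: query (cache) './NS/IN' denied",
    "Feb 20 13:03:35 web named[6679]: client 62.109.4.89#27943: query (cache) './NS/IN' denied",
    "Feb 20 13:03:36 web named[6679]: client 62.109.4.89#27944: query (cache) './NS/IN' denied",
    "Feb 20 13:05:00 web named[6679]: client 10.0.0.5#1234: query (cache) './NS/IN' denied",
    "Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied",
]

# Phase 1 (pre-decoding) as a Python regex: timestamp, hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<log>.*)$"
)
# Phase 2 (named decoder): pull srcip out of "client <ip>#<port>: ...".
NAMED_CLIENT_RE = re.compile(r"^client (?P<srcip>\S+)#\d+: (?P<msg>.*)$")

# The stock rule 12108 <match> string; OSSEC treats it as a substring test.
RULE_12108_MATCH = "query (cache) denied"
# Hypothetical local rule 100100, written here as a Python regex (assumption):
# accepts an optional quoted query name between "(cache)" and "denied".
LOCAL_QUERY_DENIED_RE = re.compile(r"query \(cache\) (?:'[^']*' )?denied")


def predecode(line):
    """Return the syslog header fields, or None when the line has no program name
    (Brian's first attempt, '20-Feb-2009 02:36:17.558 client ...', falls out here)."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_named(event):
    """Apply the named decoder; returns None when no decoder matches."""
    if event is None or event["prog"] != "named":
        return None
    m = NAMED_CLIENT_RE.match(event["log"])
    if not m:
        return None
    return {"srcip": m.group("srcip"), "ts": event["ts"], "log": event["log"]}


def match_rule(decoded):
    """Return the first child rule of 12100 that fires, else 1002 (the generic
    'Unknown problem somewhere in the system' catch-all from the thread)."""
    if decoded is None:
        return 1002
    if RULE_12108_MATCH in decoded["log"]:      # substring semantics of <match>
        return 12108
    if LOCAL_QUERY_DENIED_RE.search(decoded["log"]):
        return 100100
    return 1002


def parse_ts(ts):
    # No year in syslog timestamps; only differences within a window matter here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def run(lines, watched=(12108, 100100), frequency=8, timeframe=120):
    """Classify every line, then model a frequency rule: fire for a source once it
    reaches `frequency` watched matches within `timeframe` seconds (simplified
    OSSEC frequency/timeframe/same_source_ip). Returns (rule id per line, firings)."""
    per_line, fired = [], []
    windows = defaultdict(deque)
    for line in lines:
        decoded = decode_named(predecode(line))
        rid = match_rule(decoded)
        per_line.append(rid)
        if decoded is None or rid not in watched:
            continue
        ip, now = decoded["srcip"], parse_ts(decoded["ts"])
        q = windows[ip]
        q.append(now)
        while q and (now - q[0]).total_seconds() > timeframe:
            q.popleft()                        # drop hits outside the window
        if len(q) >= frequency:
            fired.append((ip, decoded["ts"]))
            q.clear()                          # assumption: start a fresh window
    return per_line, fired


if __name__ == "__main__":
    ids, hits = run(SAMPLE_LINES)
    for line, rid in zip(SAMPLE_LINES, ids):
        print(rid, line)
    print("frequency rule fired for:", hits)
```

With the real OSSEC configuration the same shape is expressed in local_rules.xml: a rule with <if_sid>12100</if_sid> and a <regex> in OSSEC's own syntax that tolerates the quoted query name, then a second rule with frequency and timeframe attributes, <if_matched_sid> pointing at the first, and <same_source_ip />; the active-response block can then select that rule via <rules_id> and carry its own <timeout>, which is how cnk's earlier answer allows different ban lengths for web and named events. Note the simulation confirms cnk's diagnosis directly: the one line that fires the stock 12108 is the wiki example with no query name, while every './NS/IN' line only hits the custom rule.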