Brian,
I wrote a decoder for my Bind9 query files:
<decoder name="bind9_query">
  <!-- 25-Jan-2009 01:02:37.158 client 66.230.160.1#2806: view external: query: . IN NS + -->
  <prematch> client </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)#</regex>
  <order>srcip</order>
</decoder>
and had to insert it before the named_client block in decoder.xml.
Then some local rules:
<group name="local_bind,">
  <rule id="100201" level="5">
    <decoded_as>bind9_query</decoded_as>
    <regex>view external: query: \. IN NS +$</regex>
    <description>recursive root query</description>
  </rule>
  <rule id="100202" level="5">
    <decoded_as>bind9_query</decoded_as>
    <match>view external: query: . IN </match>
    <description>root query</description>
  </rule>
  <rule id="100203" level="5">
    <decoded_as>bind9_query</decoded_as>
    <regex>view external:\.++$</regex>
    <description>recursive query</description>
  </rule>
  <rule id="100210" level="10" frequency="5" timeframe="60">
    <if_matched_group>local_bind</if_matched_group>
    <same_source_ip />
    <description>Multiple DNS query offenses 5:60</description>
  </rule>
  <rule id="100211" level="10" frequency="3" timeframe="300">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>Multiple DNS query offenses 3:300</description>
  </rule>
</group> <!-- local_bind -->
I'm new to OSSEC and expect that there are better ways to do this, but it works, and everybody is welcome to use it, of course.
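As an added example (not part of this post and not OSSEC code), here is a small stand-alone Python model of the decoder and rules above, so the logic can be exercised offline against constructed BIND9 query-log lines: srcip is taken from the text after " client ", the three base rules classify the query, and a correlator models the frequency/timeframe/same_source_ip escalation of rules 100210 and 100211. It assumes Python regex syntax as an approximation of OSSEC's own regex dialect, a constructed RFC 5737 source address, and a per-source sliding window as the model of the composite rules.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PREMATCH = " client "  # the decoder's <prematch>; "IPv4#port" must follow it
SRCIP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)#")  # captured group becomes srcip

# Python approximations of the post's OSSEC patterns (OSSEC's regex dialect differs).
RULES = [
    (100201, 5, re.compile(r"view external: query: \. IN NS \+$")),  # recursive root query
    (100202, 5, re.compile(r"view external: query: \. IN ")),        # root query
    (100203, 5, re.compile(r"view external:.*\+$")),                 # recursive query
]

# Constructed BIND9 query-log template (RFC 5737 test address), not real traffic.
LOG = "25-Jan-2009 01:02:%02d.000 client 192.0.2.10#2806: view external: query: %s"
SAMPLE = [LOG % (s, ". IN NS +") for s in (10, 20, 30, 40, 50)]  # five recursive root queries

def decode(line):  # -> (timestamp, srcip, text after the prematch) or None
    idx = line.find(PREMATCH)
    rest = line[idx + len(PREMATCH):] if idx >= 0 else ""
    if not (m := SRCIP_RE.match(rest)):
        return None
    ts = datetime.strptime(" ".join(line.split(" ", 2)[:2]), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group(1), rest

def match_rule(rest):  # -> (rule id, level) of the first matching base rule, or None
    return next(((rid, lvl) for rid, lvl, rx in RULES if rx.search(rest)), None)

class Correlator:
    """frequency/timeframe rule with same_source_ip, e.g. rules 100210 and 100211."""
    def __init__(self, rule_id, level, frequency, timeframe, accept=lambda rid: True):
        self.rule_id, self.level, self.frequency, self.accept = rule_id, level, frequency, accept
        self.window, self.hits = timedelta(seconds=timeframe), defaultdict(deque)  # srcip -> times

    def feed(self, line):  # -> (rule id, level, srcip) of the alert raised, or None
        d = decode(line)
        if not d or not (base := match_rule(d[2])):
            return None
        ts, srcip, _ = d
        if not self.accept(base[0]):
            return base + (srcip,)  # base alert only; not counted toward this rule
        q = self.hits[srcip]
        q.append(ts)
        while ts - q[0] > self.window:  # forget hits older than the timeframe
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # start a fresh window after escalating
            return (self.rule_id, self.level, srcip)
        return base + (srcip,)
```

Feeding SAMPLE to `Correlator(100210, 10, 5, 60)` yields four 100201 alerts and then a 100210 alert on the fifth line; `Correlator(100211, 10, 3, 300, accept=lambda rid: rid == 100201)` models the if_matched_sid variant.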