I will try some of these rules. Thanks for the help. I guess the default rules that come with OSSEC are made for BIND 8.
I am new to the rule writing stuff. I didn't realize the <match> </match> had to be an *exact* match.

================================
Brian Torbich
Voice Marketing, Inc.
http://www.voicemarketing.net
Cell Phone: 412-398-8234
================================

----- Original Message -----
From: "Amos" <[email protected]>
To: [email protected]
Sent: Friday, February 20, 2009 10:03:50 PM GMT -05:00 US/Canada Eastern
Subject: [ossec-list] Re: active-response rules for blocking multiple BIND Query cache denied events

Brian,

I wrote a decoder for my Bind9 query files:

<decoder name="bind9_query">
  <!-- 25-Jan-2009 01:02:37.158 client 66.230.160.1#2806: view external: query: . IN NS + -->
  <prematch> client </prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)#</regex>
  <order>srcip</order>
</decoder>

and had to insert it before the named_client block in decoder.xml

Then some local rules:

<group name="local_bind,">
  <rule id="100201" level="5">
    <decoded_as>bind9_query</decoded_as>
    <regex>view external: query: \. IN NS +$</regex>
    <description>recursive root query</description>
  </rule>

  <rule id="100202" level="5">
    <decoded_as>bind9_query</decoded_as>
    <match>view external: query: . IN </match>
    <description>root query</description>
  </rule>

  <rule id="100203" level="5">
    <decoded_as>bind9_query</decoded_as>
    <regex>view external:\.++$</regex>
    <description>recursive query</description>
  </rule>

  <rule id="100210" level="10" frequency="5" timeframe="60">
    <if_matched_group>local_bind</if_matched_group>
    <same_source_ip />
    <description>Multiple DNS query offenses 5:60</description>
  </rule>

  <rule id="100211" level="10" frequency="3" timeframe="300">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>Multiple DNS query offenses 3:300</description>
  </rule>
</group> <!-- local_bind -->

I'm new to ossec, and expect that there are better ways to do this; but it works; and everybody is welcome to use it of course.
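The decoder and rule set above, emulated in Python as an added example (this is neither Amos's code nor part of OSSEC): it reproduces the bind9_query decoder's srcip extraction, the three level-5 rules and the two frequency rules, with the OSSEC patterns translated by hand into Python regexes according to each rule's description (an assumption about their intended meaning, since OSSEC's own regex dialect is not used), and runs them over a few constructed query-log lines to show when the 5:60 and 3:300 same-source-IP correlation rules fire. The frequency semantics (fire when the Nth hit inside the timeframe arrives, then reset the count) are also an assumption made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed BIND9 query-log lines (same format as the one quoted in the decoder comment).
SAMPLE_LOGS = [
    "25-Jan-2009 01:02:37.158 client 66.230.160.1#2806: view external: query: . IN NS +",
    "25-Jan-2009 01:02:38.001 client 66.230.160.1#2807: view external: query: . IN NS +",
    "25-Jan-2009 01:02:39.420 client 66.230.160.1#2808: view external: query: . IN NS +",
    "25-Jan-2009 01:02:40.002 client 66.230.160.1#2809: view external: query: example.com IN A +",
    "25-Jan-2009 01:02:41.777 client 66.230.160.1#2810: view external: query: example.com IN MX +",
    "25-Jan-2009 01:02:42.123 client 192.0.2.10#53211: view external: query: www.example.net IN A -",
    "25-Jan-2009 01:09:00.000 client 66.230.160.1#2811: view external: query: . IN NS +",
]

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
# bind9_query decoder: prematch on " client ", then srcip is the dotted quad before '#'.
DECODER_RE = re.compile(r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: (.*)$")


def decode(line):
    """Emulate the bind9_query decoder: returns timestamp, srcip and the text after the port."""
    if " client " not in line:  # <prematch> client </prematch>
        return None
    m = DECODER_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), TS_FMT), "srcip": m.group(2), "rest": m.group(3)}


# Level-5 rules in file order; the first one that matches wins (hand translation, see lead-in).
BASE_RULES = [
    (100201, lambda r: re.search(r"view external: query: \. IN NS \+$", r) is not None, "recursive root query"),
    (100202, lambda r: "view external: query: . IN " in r, "root query"),  # <match> is a substring test
    (100203, lambda r: re.search(r"view external:.*\+$", r) is not None, "recursive query"),
]

# Frequency rules: (id, level, frequency, timeframe seconds, applies-to-base-rule predicate, description).
FREQ_RULES = [
    (100210, 10, 5, 60, lambda rid: True, "Multiple DNS query offenses 5:60"),            # if_matched_group local_bind
    (100211, 10, 3, 300, lambda rid: rid == 100201, "Multiple DNS query offenses 3:300"),  # if_matched_sid 100201
]


def match_base_rule(rest):
    """Return (rule id, description) of the first level-5 rule matching the decoded text, or None."""
    for rid, pred, desc in BASE_RULES:
        if pred(rest):
            return rid, desc
    return None


class LocalBindAnalyzer:
    """Keeps per-source-IP hit history so the frequency rules (same_source_ip) can fire."""

    def __init__(self):
        self.history = defaultdict(deque)  # (frequency rule id, srcip) -> timestamps inside the window

    def process(self, line):
        """Return the alerts one log line produces as (rule id, level, srcip, description) tuples."""
        d = decode(line)
        if d is None:
            return []
        base = match_base_rule(d["rest"])
        if base is None:
            return []
        rid, desc = base
        alerts = [(rid, 5, d["srcip"], desc)]
        for fid, level, freq, window, applies, fdesc in FREQ_RULES:
            if not applies(rid):
                continue
            hist = self.history[(fid, d["srcip"])]
            hist.append(d["ts"])
            while d["ts"] - hist[0] > timedelta(seconds=window):  # drop hits outside the timeframe
                hist.popleft()
            if len(hist) >= freq:  # assumption: fire on the Nth hit inside the window
                alerts.append((fid, level, d["srcip"], fdesc))
                hist.clear()  # start a fresh count after firing
        return alerts


def run(lines):
    """Feed every line through one analyzer and collect all alerts in order."""
    analyzer = LocalBindAnalyzer()
    return [alert for line in lines for alert in analyzer.process(line)]


if __name__ == "__main__":
    for rid, level, ip, desc in run(SAMPLE_LOGS):
        print(f"rule {rid} level {level} {ip}: {desc}")
```

Running it shows the first source address tripping 100211 on its third root-NS query and 100210 on its fifth local_bind hit within the minute, while the second address (a non-recursive lookup of a normal name) produces no alert at all; the later root query from the first address starts a fresh count because the earlier hits have already been consumed.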
