Here are a few OSSEC rules for BIND (named). Some of them exist only to override the generic sid 1002 alert for named log messages. Most of the rules are sysadmin oriented (not necessarily security related). The levels may need a bit of tweaking (I kept most of them very low).
Most of the rules have the matching syslog message embedded as a comment, but a few older ones do not. If anyone thinks it is worth it, I can probably dig examples out of older decommissioned hard drives.
I wasn't sure whether to send these here or to the dev list, so if the dev list is the better place for them, let me know!
Thanks,
dan
<group name="local,syslog,dns,named,">
<!-- named reported a bad zone transfer request; no sample log line was kept for this rule. -->
<rule id="100500" level="4">
<description>bad zone transfer request</description>
<decoded_as>named</decoded_as>
<match>bad zone transfer request</match>
<group>sysadmin,named,</group>
</rule>
<!--Mar 26 01:06:48 gorilla named[12721]: zone dnserrortool.com/IN: zone transfer deferred due to quota-->
<!-- A transfer was postponed because named's transfer quota was reached.
     The pattern is anchored with $ so only the exact end-of-line message matches. -->
<rule id="100501" level="1">
<description>Too many zone transfers</description>
<decoded_as>named</decoded_as>
<match>zone transfer deferred due to quota$</match>
<group>sysadmin,named,</group>
</rule>
<!-- named could not reload its configuration (no sample line kept). Level 7
     because, presumably, the intended configuration change did not take effect.
     A different reload failure message is handled by rule 110170. -->
<rule id="100504" level="7">
<description>named failure to reload config</description>
<decoded_as>named</decoded_as>
<match>reloading configuration failed: failure</match>
<group>sysadmin,named,</group>
</rule>
<!--Jan 11 14:05:53 ix named[2200]: /master/blockeddomain.hosts:16: aniulu.cn,\\010: bad owner name (check-names)-->
<!-- check-names rejected an owner name in a zone file (the sample comes from a
     blocklist zone). Child of sid 1002 so the generic alert is replaced by this
     level 1 entry. -->
<rule id="100201" level="1">
<description>named domain name correctness check</description>
<decoded_as>named</decoded_as>
<if_sid>1002</if_sid>
<match>bad owner name</match>
<group>sysadmin,named,</group>
</rule>
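<!--Dec 25 17:12:00 ix named[18333]: zone antivirus-solution.net/IN: loaded serial 6-->
<!-- Fix: the pattern was "loaded serial 6", which hard-coded the serial number
     from the sample line (and, because match is a substring test, also hit any
     serial beginning with 6). Match the message prefix only so every zone load
     is caught. The old description "Zone transfer" was misleading: this line is
     logged when a zone is loaded; transfers are covered by 100203/100204/110008. -->
<rule id="100202" level="1">
<decoded_as>named</decoded_as>
<match>loaded serial</match>
<description>Zone loaded</description>
<group>sysadmin,named,</group>
</rule>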
<!-- "Transfer started" from named; no sample line kept.
     NOTE(review): the rule is level 4 but tagged "ignore", which looks
     contradictory; confirm which was intended. -->
<rule id="100203" level="4">
<description>Zone transfer started</description>
<decoded_as>named</decoded_as>
<match>Transfer started</match>
<group>sysadmin,ignore,</group>
</rule>
<!-- named began serving a full zone transfer (AXFR); no sample line kept.
     If AXFR is served routinely to secondaries this will be noisy at level 5,
     so tune per site. Refused transfer requests are covered by 110131. -->
<rule id="100204" level="5">
<description>AXFR started</description>
<decoded_as>named</decoded_as>
<match>AXFR started</match>
<group>sysadmin,</group>
</rule>
<!-- Counterpart of 100204: the AXFR finished. Informational only. -->
<rule id="100205" level="1">
<description>AXFR ended</description>
<decoded_as>named</decoded_as>
<match>AXFR ended</match>
<group>sysadmin,</group>
</rule>
<!-- Connection attempt timed out (the description points at the master DNS);
     no sample line kept. -->
<rule id="110003" level="5">
<description>Check master DNS</description>
<decoded_as>named</decoded_as>
<match>failed to connect: timed out</match>
<group>sysadmin,</group>
</rule>
<!-- Zone refresh against the master failed; no sample line kept. -->
<rule id="110004" level="5">
<description>Cannot connect to master DNS</description>
<decoded_as>named</decoded_as>
<match>refresh: failure trying master</match>
<group>sysadmin,</group>
</rule>
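<!--Mar 26 01:52:13 gorilla named[12721]: zone idenserror.com/IN: transferred serial 6-->
<!-- Fix: the closing if_sid tag was missing its slash, which makes the file
     not well formed and would stop the whole rules file from loading.
     NOTE(review): sid 1002 presumably matched the sample only because the zone
     name contains "error"; transfers of other zones may never reach this rule.
     Confirm that is the intended scope. -->
<rule id="110008" level="1">
<decoded_as>named</decoded_as>
<if_sid>1002</if_sid>
<match>transferred serial</match>
<description>domain transferred during zone transfer</description>
<group>sysadmin,</group>
</rule>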
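<!--Apr 20 00:45:40 gorilla named[19606]: zone adioserrores.com/IN: refresh: retry limit for master 192.168.1.33#53 exceeded (source 0.0.0.0#0)-->
<!-- The sample line says the retry limit for the master was exceeded, i.e. the
     refresh attempts against the master kept failing; the old description
     ("Slave server trying to refresh too fast") said the opposite. A group tag
     is added so this rule can be filtered with the other named rules. -->
<rule id="110023" level="5">
<decoded_as>named</decoded_as>
<regex>retry limit for master \S+ exceeded</regex>
<description>Retry limit exceeded while refreshing zone from master</description>
<group>sysadmin,named,</group>
</rule>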
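<!--May 4 14:53:13 gorilla named[29877]: /etc/blocked.zones_slave:9637: zone 'internet-optimizer.com': already exists previous definition: /etc/adserver.zones_slave:1593-->
<!-- The same zone is defined in two config files; named reports the earlier
     definition. Group tag added for consistency with the other named rules. -->
<rule id="110027" level="7">
<decoded_as>named</decoded_as>
<match>already exists previous definition</match>
<description>Duplicated domains found in named configuration</description>
<group>sysadmin,named,</group>
</rule>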
<!--Jun 8 21:06:21 gorilla named[25104]: starting BIND 9.4.2-P2-->
<!-- named started (the line carries the BIND version). Informational, but an
     unplanned restart is worth correlating with other events on the host. -->
<rule id="110031" level="1">
<description>BIND has been started</description>
<decoded_as>named</decoded_as>
<match>starting BIND</match>
<group>sysadmin,bind,dns,</group>
</rule>
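<!--Jun 8 21:46:19 gorilla named[27527]: zone 17.168.192.in-addr.arpa/IN: NS 'gorilla.17.168.192.IN-ADDR.ARPA' has no address records (A or AAAA)-->
<!-- A zone's NS record points at a name that has no A/AAAA records. Group tag
     added for consistency with the other named rules. -->
<rule id="110033" level="1">
<decoded_as>named</decoded_as>
<match>has no address records</match>
<description>Missing A or AAAA records</description>
<group>sysadmin,named,</group>
</rule>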
<!--Sep 8 12:38:41 gorilla named[699]: zone dns.org/IN: (master) removed-->
<!-- A master zone was removed. The parentheses are escaped in the regex so
     they match literally. -->
<rule id="110204" level="1">
<description>DNS zone removed</description>
<decoded_as>named</decoded_as>
<regex>zone \S+ \(master\) removed</regex>
<group>sysadmin,</group>
</rule>
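<!--Nov 12 13:16:04 ix named[16880]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loading from master file standard/loopback6.arpa failed: not at top of zone-->
<!-- A zone file was rejected at load time. The original description was the
     placeholder "XXX bad zone file"; replaced with a real one. Child of sid 1002
     so the generic alert is overridden. -->
<rule id="110130" level="5">
<if_sid>1002</if_sid>
<decoded_as>named</decoded_as>
<match>not at top of zone</match>
<description>Zone file failed to load (record not at top of zone)</description>
<group>dns,named,sysadmin,network,</group>
</rule>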
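<!--Nov 12 14:16:44 ix named[3709]: client 192.168.17.249#7784: zone transfer 'example.com/AXFR/IN' denied-->
<!-- A client asked for a zone transfer that named refused. A single denial is
     typically a misconfigured secondary; a burst of them in a short window looks
     like zone enumeration, so the child rule below raises the level when the
     denial repeats. The child id must be unique among local rules; adjust
     frequency and timeframe to the site's expected noise. -->
<rule id="110131" level="5">
<decoded_as>named</decoded_as>
<regex>zone transfer\s+'\S+' denied</regex>
<description>Zone transfer denied</description>
<group>bind,dns,network,sysadmin,</group>
</rule>
<rule id="110132" level="8" frequency="6" timeframe="120">
<if_matched_sid>110131</if_matched_sid>
<description>Multiple zone transfers denied in a short period (possible zone enumeration)</description>
<group>bind,dns,network,sysadmin,</group>
</rule>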
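<!--Jan 11 15:05:38 ix named[2200]: reloading configuration failed: unexpected end of input-->
<!-- Syntax error in named.conf. Raised from level 1 to 7 to match rule 100504,
     the other "reloading configuration failed" message: both mean a config
     reload did not take effect, which deserves an alert rather than a note.
     Kept as a child of sid 1002 so it still overrides the generic alert. -->
<rule id="110170" level="7">
<decoded_as>named</decoded_as>
<if_sid>1002</if_sid>
<match>reloading configuration failed: unexpected end of input</match>
<description>Error in named.conf</description>
<group>sysadmin,named,</group>
</rule>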
</group>