<!-- @(#) $Id: named_rules.xml,v 1.22 2010/03/04 20:12:33 dcid Exp $
  - Example of Named rules for OSSEC.
  -
  - Copyright (C) 2009 Trend Micro Inc.
  - All rights reserved.
  -
  - This program is a free software; you can redistribute it
  - and/or modify it under the terms of the GNU General Public
  - License (version 2) as published by the FSF - Free Software
  - Foundation.
  -
  - License details: http://www.ossec.net/en/licensing.html
  -->

<!--
  OSSEC rules for ISC BIND ("named") syslog messages.

  Layout: rule 12100 is a level-0, no-alert parent that every event decoded
  as "named" falls into; rules 12101 to 12109 hang off it via <if_sid>12100,
  so they only see named events. Rules 12110 to 12112 at the bottom carry no
  <if_sid>, so they are not scoped the same way (see the note above 12110).

  Group names are comma-separated lists with a trailing comma, matching the
  convention used in the per-rule <group> elements below.
  -->
<group name="syslog,named,">
  <!-- Parent/grouping rule: level 0 and noalert="1", so it never alerts on
       its own; it exists so that child rules can be attached with <if_sid>. -->
  <rule id="12100" level="0" noalert="1">
    <decoded_as>named</decoded_as>
    <description>Grouping of the named rules</description>
  </rule>

  <!-- named dropped a packet whose UDP source port was 0. Such packets are
       not produced by well-behaved resolvers, hence the level-12 alert and
       the invalid_access group. Single-event rule: no frequency/threshold
       is applied here. -->
  <rule id="12101" level="12">
    <if_sid>12100</if_sid>
    <match>dropping source port zero packet from</match>
    <description>Invalid DNS packet. Possibility of attack.</description>
    <group>invalid_access,</group>
  </rule>

  <!-- A zone transfer (AXFR) request was refused by named. One alert per
       refusal at level 9. NOTE(review): repeated refusals from one source
       look like zone-enumeration reconnaissance; if that should escalate,
       a frequency-based child of this rule would be needed (none present). -->
  <rule id="12102" level="9">
    <if_sid>12100</if_sid>
    <match>denied AXFR from</match>
    <description>Failed attempt to perform a zone transfer.</description>
    <group>access_denied,</group>
  </rule>

  <!-- Dynamic DNS update refused. Two alternatives in <match>, separated by
       "|". Treated as a client misconfiguration (level 4) rather than an
       attack; the description is split across two <description> elements,
       the same pattern 12110 uses below. Compare with 12107, which also
       covers refused updates but at level 0. -->
  <rule id="12103" level="4">
    <if_sid>12100</if_sid>
    <match>denied update from|unapproved update from</match>
    <description>DNS update denied. </description>
    <description>Generally mis-configuration.</description>
    <info type="link">http://seclists.org/incidents/2000/May/217</info>
    <group>client_misconfig,</group>
  </rule>

  <!-- named could not rotate/rename its own log file; a permissions or
       ownership problem on the log directory, flagged as system_error. -->
  <rule id="12104" level="4">
    <if_sid>12100</if_sid>
    <match>unable to rename log file</match>
    <description>Log permission misconfiguration in Named.</description>
    <group>system_error,</group>
  </rule>

  <!-- Resolution returned an unexpected RCODE from an upstream server.
       The trailing space in the match string is deliberate; keep it. -->
  <rule id="12105" level="4">
    <if_sid>12100</if_sid>
    <match>unexpected RCODE </match>
    <description>Unexpected error while resolving domain.</description>
  </rule>

  <!-- A NOTIFY arrived from a host that is not a configured master for the
       zone; classified as a configuration error, not an attack. -->
  <rule id="12106" level="4">
    <if_sid>12100</if_sid>
    <match>refused notify from non-master</match>
    <description>DNS configuration error.</description>
  </rule>

  <!-- RFC 2136 dynamic update that named denied, matched by regex.
       Level 0 with no noalert attribute, unlike 12100. NOTE(review): this
       overlaps in meaning with 12103 (level 4); which rule a given message
       ends up in depends on the exact log text and on OSSEC's evaluation
       order, so confirm that level 0 here is an intentional noise
       reduction and is not silencing update denials you want audited. -->
  <rule id="12107" level="0">
    <if_sid>12100</if_sid>
    <regex>update \S+ denied</regex>
    <description>DNS update using RFC2136 Dynamic protocol.</description>
    <!-- <info>http://www.isc.org/index.pl?/sw/bind/FAQ.php</info> dead link, and don't know what the issue is with this -->
  </rule>

  <!-- A client was refused a recursive/cache query (allow-query / 
       allow-recursion). Usually an ACL or client misconfiguration. -->
  <rule id="12108" level="4">
    <if_sid>12100</if_sid>
    <match>query (cache) denied</match>
    <description>Query cache denied (maybe config error).</description>
    <info type="link">http://www.reedmedia.net/misc/dns/errors.html</info>
  </rule>

  <!-- named is exiting on a fatal error: the DNS service is going down.
       Highest severity in this file (12) together with 12101. -->
  <rule id="12109" level="12">
    <if_sid>12100</if_sid>
    <match>exiting (due to fatal error)</match>
    <description>Named fatal error. DNS service going down.</description>
    <group>service_availability,</group>
  </rule>

  <!-- NOTE(review): 12110, 12111 and 12112 have no <if_sid>12100</if_sid>,
       unlike every rule above, so they are not restricted to events decoded
       as "named". Their regexes are anchored with "^", which limits the
       blast radius, but confirm whether the missing <if_sid> is intended.
       12110 uses two <regex> elements, as 12103 uses two <description>s. -->

  <!-- Slave received a zone serial from the master that is lower than the
       one it already holds; the zone will not be refreshed. -->
  <rule id="12110" level="8">
    <regex>^zone \S+ serial number \S+ received from master </regex>
    <regex>\S+ \S ours (\S+)</regex>
    <description>Serial number from master is lower </description>
    <description>than stored.</description>
    <group>system_error,</group>
  </rule>

  <!-- Inbound zone transfer to this server failed with REFUSED from the
       master (this is the slave-side counterpart of 12102). -->
  <rule id="12111" level="8">
    <regex>^transfer of \S+ from \S+ failed while receiving \S+ REFUSED</regex>
    <description>Unable to perform zone transfer.</description>
    <group>system_error,</group>
  </rule>

  <!-- A secondary zone passed its SOA expiry without a successful refresh
       and is no longer being served. Lower level (4) than 12111 even though
       this is the later, more visible failure. -->
  <rule id="12112" level="4">
    <regex>^zone \S+: expired</regex>
    <description>Zone transfer error.</description>
  </rule>

</group> <!-- SYSLOG,NAMED -->