/rules/50_named_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 104 lines · 75 code · 15 blank · 14 comment · 0 complexity · 20ba82df00a527fd5630a3ff456a9b7e MD5 · raw file

  1. <!-- @(#) $Id: named_rules.xml,v 1.22 2010/03/04 20:12:33 dcid Exp $
  2. - Example of Named rules for OSSEC.
  3. -
  4. - Copyright (C) 2009 Trend Micro Inc.
  5. - All rights reserved.
  6. -
  7. - This program is a free software; you can redistribute it
  8. - and/or modify it under the terms of the GNU General Public
  9. - License (version 2) as published by the FSF - Free Software
  10. - Foundation.
  11. -
  12. - License details: http://www.ossec.net/en/licensing.html
  13. -->
  14. <group name="syslog,named,">
  15. <rule id="12100" level="0" noalert="1">
  16. <decoded_as>named</decoded_as>
  17. <description>Grouping of the named rules</description>
  18. </rule>
  19. <rule id="12101" level="12">
  20. <if_sid>12100</if_sid>
  21. <match>dropping source port zero packet from</match>
  22. <description>Invalid DNS packet. Possibility of attack.</description>
  23. <group>invalid_access,</group>
  24. </rule>
  25. <rule id="12102" level="9">
  26. <if_sid>12100</if_sid>
  27. <match>denied AXFR from</match>
  28. <description>Failed attempt to perform a zone transfer.</description>
  29. <group>access_denied,</group>
  30. </rule>
  31. <rule id="12103" level="4">
  32. <if_sid>12100</if_sid>
  33. <match>denied update from|unapproved update from</match>
  34. <description>DNS update denied. </description>
  35. <description>Generally mis-configuration.</description>
  36. <info type="link">http://seclists.org/incidents/2000/May/217</info>
  37. <group>client_misconfig,</group>
  38. </rule>
  39. <rule id="12104" level="4">
  40. <if_sid>12100</if_sid>
  41. <match>unable to rename log file</match>
  42. <description>Log permission misconfiguration in Named.</description>
  43. <group>system_error,</group>
  44. </rule>
  45. <rule id="12105" level="4">
  46. <if_sid>12100</if_sid>
  47. <match>unexpected RCODE </match>
  48. <description>Unexpected error while resolving domain.</description>
  49. </rule>
  50. <rule id="12106" level="4">
  51. <if_sid>12100</if_sid>
  52. <match>refused notify from non-master</match>
  53. <description>DNS configuration error.</description>
  54. </rule>
  55. <rule id="12107" level="0">
  56. <if_sid>12100</if_sid>
  57. <regex>update \S+ denied</regex>
  58. <description>DNS update using RFC2136 Dynamic protocol.</description>
  59. <!-- <info>http://www.isc.org/index.pl?/sw/bind/FAQ.php</info> dead link, and don't know what the issue is with this -->
  60. </rule>
  61. <rule id="12108" level="4">
  62. <if_sid>12100</if_sid>
  63. <match>query (cache) denied</match>
  64. <description>Query cache denied (maybe config error).</description>
  65. <info type="link">http://www.reedmedia.net/misc/dns/errors.html</info>
  66. </rule>
  67. <rule id="12109" level="12">
  68. <if_sid>12100</if_sid>
  69. <match>exiting (due to fatal error)</match>
  70. <description>Named fatal error. DNS service going down.</description>
  71. <group>service_availability,</group>
  72. </rule>
  73. <rule id="12110" level="8">
  74. <regex>^zone \S+ serial number \S+ received from master </regex>
  75. <regex>\S+ \S ours (\S+)</regex>
  76. <description>Serial number from master is lower </description>
  77. <description>than stored.</description>
  78. <group>system_error,</group>
  79. </rule>
  80. <rule id="12111" level="8">
  81. <regex>^transfer of \S+ from \S+ failed while receiving \S+ REFUSED</regex>
  82. <description>Unable to perform zone transfer.</description>
  83. <group>system_error,</group>
  84. </rule>
  85. <rule id="12112" level="4">
  86. <regex>^zone \S+: expired</regex>
  87. <description>Zone transfer error.</description>
  88. </rule>
  89. </group> <!-- SYSLOG,NAMED -->