
/rules/50_named_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules
  1<!-- @(#) $Id: named_rules.xml,v 1.22 2010/03/04 20:12:33 dcid Exp $
  2  -  Example of Named rules for OSSEC.
  3  -
  4  -  Copyright (C) 2009 Trend Micro Inc.
  5  -  All rights reserved.
  6  -
  7  -  This program is a free software; you can redistribute it
  8  -  and/or modify it under the terms of the GNU General Public
  9  -  License (version 2) as published by the FSF - Free Software
 10  -  Foundation.
 11  -
 12  -  License details: http://www.ossec.net/en/licensing.html
 13  -->
 14
 15
 16<group name="syslog,named,">
 17  <rule id="12100" level="0" noalert="1">
 18    <decoded_as>named</decoded_as>
 19    <description>Grouping of the named rules</description>
 20  </rule>
 21  
 22  <rule id="12101" level="12">
 23    <if_sid>12100</if_sid>
 24    <match>dropping source port zero packet from</match>
 25    <description>Invalid DNS packet. Possibility of attack.</description>
 26    <group>invalid_access,</group>
 27  </rule>
 28
 29  <rule id="12102" level="9">
 30    <if_sid>12100</if_sid>
 31    <match>denied AXFR from</match>
 32    <description>Failed attempt to perform a zone transfer.</description>
 33    <group>access_denied,</group>
 34  </rule>
 35
 36  <rule id="12103" level="4">
 37    <if_sid>12100</if_sid>
 38    <match>denied update from|unapproved update from</match>
 39    <description>DNS update denied. </description>
 40    <description>Generally mis-configuration.</description>
 41    <info type="link">http://seclists.org/incidents/2000/May/217</info>
 42    <group>client_misconfig,</group>
 43  </rule>
 44
 45  <rule id="12104" level="4">
 46    <if_sid>12100</if_sid>
 47    <match>unable to rename log file</match>
 48    <description>Log permission misconfiguration in Named.</description>
 49    <group>system_error,</group>
 50  </rule>
 51
 52  <rule id="12105" level="4">
 53    <if_sid>12100</if_sid>
 54    <match>unexpected RCODE </match>
 55    <description>Unexpected error while resolving domain.</description>
 56  </rule>  
 57
 58  <rule id="12106" level="4">
 59    <if_sid>12100</if_sid>
 60    <match>refused notify from non-master</match>
 61    <description>DNS configuration error.</description>
 62  </rule>
 63
 64  <rule id="12107" level="0">
 65    <if_sid>12100</if_sid>
 66    <regex>update \S+ denied</regex>
 67    <description>DNS update using RFC2136 Dynamic protocol.</description>
 68    <!-- <info>http://www.isc.org/index.pl?/sw/bind/FAQ.php</info> dead link, and don't know what the issue is with this -->
 69  </rule>
 70
 71  <rule id="12108" level="4">
 72    <if_sid>12100</if_sid>
 73    <match>query (cache) denied</match>
 74    <description>Query cache denied (maybe config error).</description>
 75    <info type="link">http://www.reedmedia.net/misc/dns/errors.html</info>
 76  </rule>
 77  
 78  <rule id="12109" level="12">
 79    <if_sid>12100</if_sid>
 80    <match>exiting (due to fatal error)</match>
 81    <description>Named fatal error. DNS service going down.</description>
 82    <group>service_availability,</group>
 83  </rule>
 84
 85  <rule id="12110" level="8">
 86    <regex>^zone \S+ serial number \S+ received from master </regex>
 87    <regex>\S+ \S ours (\S+)</regex>
 88    <description>Serial number from master is lower </description>
 89    <description>than stored.</description>
 90    <group>system_error,</group>
 91  </rule>
 92  
 93  <rule id="12111" level="8">
 94    <regex>^transfer of \S+ from \S+ failed while receiving \S+ REFUSED</regex>
 95    <description>Unable to perform zone transfer.</description>
 96    <group>system_error,</group>
 97  </rule>
 98
 99  <rule id="12112" level="4">
100    <regex>^zone \S+: expired</regex>
101    <description>Zone transfer error.</description>
102  </rule>
103  
104</group> <!-- SYSLOG,NAMED -->