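<!-- @(#) $Id: ./etc/rules/named_rules.xml, 2011/09/08 dcid Exp $
  -  Example of Named rules for OSSEC.
  -  Copyright (C) 2009 Trend Micro Inc.
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<!--
  Rules for BIND ("named") log lines.

  Conventions used in this file:
  - 12100 is the level-0 parent; it only tags events produced by the
    "named" decoder. Children select it with <if_sid>12100</if_sid>, so
    their patterns are tried only against named events (see the note at
    12110-12112, which do not).
  - <match> is a plain substring test: "|" separates alternatives and
    "^" / "$" anchor to the start / end of the line. <regex> uses the
    OSSEC regex dialect: \S is a run of non-space characters, \. is any
    character, and \( \) are literal parentheses (plain ( ) group).
  - When an element is repeated inside a rule (two <match>, two <regex>,
    two <description>) OSSEC joins the strings in order, so a pattern
    line ending in "|" continues on the next line and a description can
    be split for readability. Leading/trailing spaces inside those
    elements are therefore part of the pattern or text.
  - Level 0 rules are matched but not alerted by default; they exist so
    a noisy line is classified (and available to composite rules) without
    paging anyone. <group> values keep a trailing comma by convention.
-->
<group name="syslog,named,">
  <!-- Parent: every named-decoded event lands here first. -->
  <rule id="12100" level="0">
    <decoded_as>named</decoded_as>
    <description>Grouping of the named rules</description>
  </rule>

  <!-- Source port 0 is rejected by BIND itself; a single hit is rated high
       because it is malformed on purpose rather than by misconfiguration. -->
  <rule id="12101" level="12">
    <if_sid>12100</if_sid>
    <match>dropping source port zero packet from</match>
    <description>Invalid DNS packet. Possibility of attack.</description>
    <group>invalid_access,</group>
  </rule>

  <!-- A refused AXFR is the usual sign of zone-transfer reconnaissance;
       this fires on the first refusal, so expect some noise from
       misconfigured secondaries. -->
  <rule id="12102" level="9">
    <if_sid>12100</if_sid>
    <match>denied AXFR from</match>
    <description>Failed attempt to perform a zone transfer.</description>
    <group>access_denied,</group>
  </rule>

  <rule id="12103" level="4">
    <if_sid>12100</if_sid>
    <match>denied update from|unapproved update from</match>
    <description>DNS update denied. </description>
    <description>Generally mis-configuration.</description>
    <info type="link">http://seclists.org/incidents/2000/May/217</info>
    <group>client_misconfig,</group>
  </rule>

  <rule id="12104" level="4">
    <if_sid>12100</if_sid>
    <match>unable to rename log file</match>
    <description>Log permission misconfiguration in Named.</description>
    <group>system_error,</group>
  </rule>

  <rule id="12105" level="4">
    <if_sid>12100</if_sid>
    <match>unexpected RCODE </match>
    <description>Unexpected error while resolving domain.</description>
  </rule>

  <rule id="12106" level="4">
    <if_sid>12100</if_sid>
    <match>refused notify from non-master</match>
    <description>DNS configuration error.</description>
  </rule>

  <rule id="12107" level="0">
    <if_sid>12100</if_sid>
    <regex>update \S+ denied</regex>
    <description>DNS update using RFC2136 Dynamic protocol.</description>
  </rule>

  <!-- The second alternative matches any "query (cache)" line; 12149 below
       counts repeats of this rule. -->
  <rule id="12108" level="5">
    <if_sid>12100</if_sid>
    <match>query (cache) denied|: query (cache)</match>
    <description>Query cache denied (probably config error).</description>
    <info type="link">http://www.reedmedia.net/misc/dns/errors.html</info>
    <group>connection_attempt,</group>
  </rule>

  <rule id="12109" level="12">
    <if_sid>12100</if_sid>
    <match>exiting (due to fatal error)</match>
    <description>Named fatal error. DNS service going down.</description>
    <group>service_availability,</group>
  </rule>

  <!-- NOTE(review): 12110, 12111 and 12112 have no <if_sid>, unlike every
       other rule in this group, so they are evaluated against events
       regardless of which decoder produced them. Confirm this is intended
       (e.g. because the named decoder does not match these lines) rather
       than an omission; otherwise add <if_sid>12100</if_sid>. -->
  <!-- The two <regex> lines are joined into one pattern; the trailing
       space after "master " is what keeps the join correct. -->
  <rule id="12110" level="8">
    <regex>^zone \S+ serial number \S+ received from master </regex>
    <regex>\S+ \S ours (\S+)</regex>
    <description>Serial number from master is lower </description>
    <description>than stored.</description>
    <group>system_error,</group>
  </rule>

  <rule id="12111" level="8">
    <regex>^transfer of \S+ from \S+ failed while receiving \S+ REFUSED</regex>
    <description>Unable to perform zone transfer.</description>
    <group>system_error,</group>
  </rule>

  <rule id="12112" level="4">
    <regex>^zone \S+: expired</regex>
    <description>Zone transfer error.</description>
  </rule>

  <rule id="12113" level="0">
    <if_sid>12100</if_sid>
    <match>zone transfer deferred due to quota</match>
    <description>Zone transfer deferred.</description>
  </rule>

  <rule id="12114" level="1">
    <if_sid>12100</if_sid>
    <match>bad owner name (check-names)</match>
    <description>Hostname contains characters that check-names does not like.</description>
  </rule>

  <!-- Successful zone load / transfer completion is silenced here. If this
       server should only exchange zones with a known set of peers, a
       higher level in local_rules.xml makes unexpected completions
       visible instead of dropping them. -->
  <rule id="12115" level="0">
    <if_sid>12100</if_sid>
    <match>loaded serial|transferred serial</match>
    <description>Zone transfer.</description>
  </rule>

  <!-- "syntax error near|" continues on the next <match> line. -->
  <rule id="12116" level="1">
    <if_sid>12100</if_sid>
    <match>syntax error near|</match>
    <match>reloading configuration failed: unexpected token</match>
    <description>Syntax error in a named configuration file.</description>
  </rule>

  <rule id="12117" level="1">
    <if_sid>12100</if_sid>
    <regex>refresh: retry limit for master \S+ exceeded</regex>
    <description>Zone transfer retry limit exceeded</description>
  </rule>

  <rule id="12118" level="1">
    <if_sid>12100</if_sid>
    <match>already exists previous definition</match>
    <description>Zone has been duplicated.</description>
  </rule>

  <rule id="12119" level="3">
    <if_sid>12100</if_sid>
    <match>starting BIND</match>
    <description>BIND has been started</description>
  </rule>

  <rule id="12120" level="1">
    <if_sid>12100</if_sid>
    <match>has no address records</match>
    <description>Missing A or AAAA record</description>
  </rule>

  <rule id="12121" level="1">
    <if_sid>12100</if_sid>
    <regex>zone \S+: \(master\) removed</regex>
    <description>Zone has been removed from a master server</description>
  </rule>

  <rule id="12122" level="1">
    <if_sid>12100</if_sid>
    <regex>loading from master file \S+ failed: not at top of zone$</regex>
    <description>Origin of zone and owner name of SOA do not match.</description>
  </rule>

  <!-- NOTE(review): same <match> as 12118 but level 0 instead of 1. Only
       one of the pair can fire for a given line, and which one depends on
       the engine's evaluation order, so the effective level is ambiguous.
       Keep one; if the id is referenced by local overrides, keep the id
       and align the level. -->
  <rule id="12123" level="0">
    <if_sid>12100</if_sid>
    <match>already exists previous definition</match>
    <description>Zone has been duplicated</description>
  </rule>

  <rule id="12125" level="3">
    <if_sid>12100</if_sid>
    <match>reloading configuration failed: unexpected end of input</match>
    <description>BIND Configuration error.</description>
  </rule>

  <!-- NOTE(review): same <regex> as 12121 with level 0 instead of 1; same
       ambiguity as 12123. -->
  <rule id="12126" level="0">
    <if_sid>12100</if_sid>
    <regex>zone \S+: \(master\) removed</regex>
    <description>Zone has been removed from a master server</description>
  </rule>

  <!-- NOTE(review): exact duplicate of 12122 (pattern, level and text);
       one of the two is dead. -->
  <rule id="12127" level="1">
    <if_sid>12100</if_sid>
    <regex>loading from master file \S+ failed: not at top of zone$</regex>
    <description>Origin of zone and owner name of SOA do not match.</description>
  </rule>

  <!-- The two <match> lines join into "^transfer of|AXFR started$".
       12129, 12132 and 12136 refine this rule by the failure reason. -->
  <rule id="12128" level="1">
    <if_sid>12100</if_sid>
    <match>^transfer of|</match>
    <match>AXFR started$</match>
    <description>Zone transfer.</description>
  </rule>

  <rule id="12129" level="4">
    <if_sid>12128</if_sid>
    <match>failed to connect: connection refused</match>
    <description>Zone transfer failed, unable to connect to master.</description>
  </rule>

  <rule id="12130" level="2">
    <if_sid>12100</if_sid>
    <match>IPv6 interfaces failed</match>
    <description>Could not listen on IPv6 interface.</description>
  </rule>

  <rule id="12131" level="2">
    <if_sid>12100</if_sid>
    <match>failed; interface ignored</match>
    <description>Could not bind to an interface.</description>
  </rule>

  <rule id="12132" level="0">
    <if_sid>12128</if_sid>
    <match>failed while receiving responses: not authoritative</match>
    <description>Master is not authoritative for zone.</description>
  </rule>

  <rule id="12133" level="4">
    <if_sid>12100</if_sid>
    <regex>open: \S+: permission denied$</regex>
    <description>Could not open configuration file, permission denied.</description>
  </rule>

  <rule id="12134" level="4">
    <if_sid>12100</if_sid>
    <match>loading configuration: permission denied</match>
    <description>Could not open configuration file, permission denied.</description>
  </rule>

  <rule id="12135" level="0">
    <if_sid>12100</if_sid>
    <match>IN SOA -E</match>
    <description>Domain in SOA -E.</description>
  </rule>

  <rule id="12136" level="4">
    <if_sid>12128</if_sid>
    <match>failed to connect: host unreachable</match>
    <description>Master appears to be down.</description>
  </rule>

  <!-- Query-log line for an AXFR request. Level 0, but it is the event to
       correlate against when checking who asks for zone transfers. -->
  <rule id="12137" level="0">
    <if_sid>12100</if_sid>
    <match>IN AXFR -</match>
    <description>Domain is queried for a zone transferred.</description>
  </rule>

  <!-- The leading space is part of the pattern. -->
  <rule id="12138" level="0">
    <if_sid>12100</if_sid>
    <match> IN A +</match>
    <description>Domain A record found.</description>
  </rule>

  <rule id="12139" level="3">
    <if_sid>12100</if_sid>
    <regex>client \S+: bad zone transfer request: \S+: non-authoritative zone \(NOTAUTH\)</regex>
    <description>Bad zone transfer request.</description>
  </rule>

  <rule id="12140" level="2">
    <if_sid>12100</if_sid>
    <match>refresh: failure trying master</match>
    <description>Cannot refresh a domain from the master server.</description>
  </rule>

  <rule id="12141" level="1">
    <if_sid>12100</if_sid>
    <match>SOA record not at top of zone</match>
    <description>Origin of zone and owner name of SOA do not match.</description>
  </rule>

  <rule id="12142" level="0">
    <if_sid>12100</if_sid>
    <match>command channel listening on</match>
    <description>named command channel is listening.</description>
  </rule>

  <rule id="12143" level="0">
    <if_sid>12100</if_sid>
    <match>automatic empty zone</match>
    <description>named has created an automatic empty zone.</description>
  </rule>

  <rule id="12144" level="9">
    <if_sid>12100</if_sid>
    <match>reloading configuration failed: out of memory</match>
    <description>Server does not have enough memory to reload the configuration.</description>
  </rule>

  <rule id="12145" level="1">
    <if_sid>12100</if_sid>
    <regex>zone transfer \S+ denied</regex>
    <description>zone transfer denied</description>
  </rule>

  <rule id="12146" level="0">
    <if_sid>12100</if_sid>
    <match>error sending response: host unreachable$</match>
    <description>Cannot send a DNS response.</description>
  </rule>

  <!-- "\.+" is the OSSEC spelling of "one or more of any character". -->
  <rule id="12147" level="0">
    <if_sid>12100</if_sid>
    <regex>update forwarding \.+ denied$</regex>
    <description>Cannot update forwarding domain.</description>
  </rule>

  <rule id="12148" level="0">
    <if_sid>12100</if_sid>
    <match>: parsing failed$</match>
    <description>Parsing of a configuration file has failed.</description>
  </rule>

  <!-- Composite rule: repeated 12108 hits within the timeframe (seconds)
       escalate to level 10.
       NOTE(review): the listing this was restored from dropped one line
       between <if_matched_sid> and <description>; check the upstream file
       for an additional correlation constraint there. -->
  <rule id="12149" level="10" frequency="6" timeframe="120">
    <if_matched_sid>12108</if_matched_sid>
    <description> Multiple query (cache) failures.</description>
    <group>connection_attempt,</group>
  </rule>
</group> <!-- SYSLOG,NAMED -->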