### ### BIND/NAMED ### ###
# $Id: named.txt,v 1.1 2002/04/14 05:49:32 emf Exp $
#
# logsurfer rules for BIND/named syslog messages.
#
# Rule layout used throughout this file:
#   'match_regex' not_match stop_regex not_stop timeout [CONTINUE] action
# "- - - 0" means: no not-match regex, no stop regex, no not-stop regex,
# timeout 0.  The first rule that matches a line and is not marked CONTINUE
# ends processing for that line, so rule order matters.
#
# Capture numbering: logsurfer reserves $1 for the whole match, so the first
# parenthesised group is $2, the second $3, and so on.  In the '^.{16}(.*)
# named\[([0-9]+)\]:' rules below, the leading 16 characters are skipped
# (presumably the syslog timestamp field), $2 is the logging host and $3 is
# the named pid.
#
# NOTE(review): fields captured from the log line (host, source address,
# query name) are copied into the exec/report command strings.  Those values
# originate from the remote party that triggered the message, so the safety
# of the quoting relies on how logsurfer splits the command line and on
# surf_GenericMsg/surfmailer treating -m/-S as opaque text -- confirm before
# relying on this in a hostile environment.

# Noise: these two messages are dropped before any context is opened, so
# they are not collected into the per-daemon context either.
'named.*IN MX. points to a CNAME' - - - 0 ignore
'named.*starting' - - - 0 ignore

# Startup notification: one exec per matching line, severity 1 (-s 1),
# reported against the logging host ($2).  No CONTINUE, so this line does
# not reach the context-tracking rule below.
'^.{16}(.*) named\[([0-9]+)\]: Ready to answer queries' - - - 0 exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 1 -m \"Nameserver started on $2\""

# keep track of named messages in a context so we have fodder for later reports.
# CONTINUE keeps the line visible to the rules below.  The context regex is
# "<host> named\[<pid>\]" (the \\[ in the double-quoted string yields the
# regex escape \[), so each host/pid pair gets its own buffer: at most 1000
# lines, closed after 180 s, and the default action on close is "ignore" --
# the buffer only exists to be dumped by the "report" rules further down.
'^.{16}(.*) named\[([0-9]+)\]:' - - - 0 CONTINUE open "$2 named\\[$3\\]" - 1000 180 60 ignore

# We want to alarm on DNS information gathering attempts
# $4 = what was denied, $5 = source address (from [...]), $6 = queried name
# (from "...").  The first rule raises a severity-4 event for every denied
# line (CONTINUE, so the second rule also sees it); the second opens a
# context keyed on the source address ($5), collecting up to 5000 lines,
# closing after 600 s, and mailing the collected lines via surfmailer only
# if at least 180 lines were gathered.
# NOTE(review): the per-line exec means a burst of denied queries spawns one
# process per log line; if that volume matters on the monitoring host,
# consider leaving only the thresholded context report in place.
'^.{16}(.*) named\[([0-9]+)\]: denied (.*) from \[(.*)\].*for \"(.*)\".*' - - - 0 CONTINUE exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 4 -m \"Attempted DNS attack ($4) of $6 by $5\""
'^.{16}(.*) named\[([0-9]+)\]: denied (.*) from \[(.*)\].*for \"(.*)\".*' - - - 0 open "$5" - 5000 600 180 report "/usr/local/bin/surfmailer -r logsurfer -S \"security incident from $5\"" "$5"

# source port zero messages are suspicious.
# $4 = source address.  Same thresholded context/report pattern as above
# (5000 lines, 600 s, at least 180 lines before a mail goes out); there is
# no per-line exec for this message.
'^.{16}(.*) named\[([0-9]+)\]: dropping source port zero packet from \[(.*)\].0' - - - 0 open "$4" - 5000 600 180 report "/usr/local/bin/surfmailer -r logsurfer -S \"security incident from $4\"" "$4"

# We just rejected a zone file for some reason.
# First rule (no pid capture): $3 = zone name, $4 = serial; severity-5 event,
# CONTINUE so the second rule also runs.  Second rule (pid captured as $3):
# $4 = zone, $5 = serial; it mails the per-daemon context opened above
# ("$2 named\[$3\]") so the surrounding named messages go with the alert.
'^.{16}(.*) named.*: master zone \"(.*)\".*rejected due to errors \(serial (.*)\)' - - - 0 CONTINUE exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 5 -m \"DNS zone $3 serial $4 broken on $2\""
'^.{16}(.*) named\[([0-9]+)\]: master zone \"(.*)\".*rejected due to errors \(serial (.*)\)' - - - 0 report "/usr/local/bin/surfmailer -r logsurfer -S \"DNS zone $4 serial $5 broken on $2\"" "$2 named\\[$3\\]"

# We couldn't open a zonefile.
# Same two-step shape as the rejected-zone rules: $3 (first rule) / $4
# (second rule) is the missing zonefile path; severity-5 event, then a mail
# carrying the per-daemon context.
'^.{16}(.*) named.*: db_load could not open: (.*): No such file or directory' - - - 0 CONTINUE exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 5 -m \"DNS zonefile $3 deleted or missing on $2\""
'^.{16}(.*) named\[([0-9]+)\]: db_load could not open: (.*): No such file or directory' - - - 0 report "/usr/local/bin/surfmailer -r logsurfer -S \"DNS zonefile $4 deleted or missing on $2\"" "$2 named\\[$3\\]"

# Dont fall through..
# Every other named message stops here so it never reaches rules later in
# the configuration (or whatever default handling follows).
'named\[[0-9]+\]' - - - 0 ignore