[ossec-list] Re: My rule detects and alerts but doesn't block
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: My rule detects and alerts but doesn't block
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 17 May 2007 19:01:53 -0300
- Cc: "Peter Robinson" <peter@xxxxxxxxxxxxxxxxxxxxxxxx>
Hi Peter,
You did very well with the decoders and rules :) I don't know exactly why it is not working (I guess it is the after_parent in the prematch), but I would suggest the following changes:
<decoder name="named_lame">
  <parent>named</parent>
  <prematch>^lame server resolving \S+ \S+ \S+:</prematch>
  <regex offset="after_prematch">^ (\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>
I tried it here and it seemed to work.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 5/15/07, Peter Robinson <peter@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi
>
> I've been trying to write a rule to detect and then block hosts sending
> DNS lame server requests.
>
> My rule detects and alerts but doesn't block. The alert shows that the
> srcip is unknown - is my capture wrong somewhere?
>
> Thanks
>
> #################
>
> Added to decoder.xml
>
> # added PTR
> <decoder name="named_lame">
> <parent>named</parent>
> <prematch offset="after_parent">^lame </prematch>
> <regex offset="after_prematch">\.+(\d+.\d+.\d+.\d+)#53$</regex>
> <order>srcip</order>
> </decoder>
>
> New rule file contains
>
> <group name="syslog,named,lame">
> <rule id="12150" level="0" noalert="1">
> <decoded_as>named_lame</decoded_as>
> <description>Grouping of the named rules</description>
> </rule>
>
>
> <rule id="12151" level="12">
> <if_sid>12150</if_sid>
> <match>lame server resolving</match>
> <description>Named -- lame server resolving....</description>
> <group>access_denied,</group>
> </rule>
> </group>
>
> ########
>
> Alert log
>
> ** Alert 1179225703.43187: mail - syslog,named,lameaccess_denied,
> 2007 May 15 10:41:43 server2->/var/log/syslog
> Rule: 12151 (level 12) -> 'Named -- lame server resolving....'
> Src IP: (none)
> User: (none)
> named[5673]: lame server resolving '74.103.229.203.in-addr.arpa' (in
> '103.229.203.in-addr.arpa'?): 203.238.128.26#53
>
>
>
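The decoder exchange above hinges on how OSSEC's regex dialect differs from PCRE (a bare "." is a literal dot, "\." means any character) and on the prematch/after_prematch offset chain that produces the srcip field. The following Python model, added here and not part of the thread or of the OSSEC code base, replays Daniel's decoder against the log line from Peter's alert. It assumes a simplified syslog program-name split, assumes the stock "named" parent decoder keys on program_name, and translates only the character classes seen on this page; OSSEC's own engine (os_regex) backtracks differently from Python's re, so this is a reasoning aid, not a replacement for ossec-logtest.

```python
import re

# Constructed sample: the message body from Peter's alert output, as the
# syslog line looks once the "date host" header has been stripped.
SAMPLE_LOG = ("named[5673]: lame server resolving '74.103.229.203.in-addr.arpa' "
              "(in '103.229.203.in-addr.arpa'?): 203.238.128.26#53")

# Daniel's decoder, copied from his reply.
DANIEL_PREMATCH = r"^lame server resolving \S+ \S+ \S+:"
DANIEL_REGEX = r"^ (\d+.\d+.\d+.\d+)"

# OSSEC regex dialect -> Python re. In OSSEC a bare '.' is a literal dot and
# '\.' means "any character", the reverse of PCRE. Assumption: only the
# classes used on this page plus the common ones are covered.
_OSSEC_CLASSES = {
    r"\d": "[0-9]",
    r"\w": "[A-Za-z0-9@_-]",
    r"\s": " ",
    r"\S": "[^ ]",
    r"\.": ".",
}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC <prematch>/<regex> pattern into Python re syntax."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            out.append(_OSSEC_CLASSES.get(tok, re.escape(pattern[i + 1])))
            i += 2
        elif ch in "^$+*()":
            out.append(ch)             # same meaning in both dialects
            i += 1
        else:
            out.append(re.escape(ch))  # everything else, '.' included, is literal
            i += 1
    return "".join(out)

def split_program_name(log: str):
    """Simplified syslog pre-decoding (assumption): 'prog[pid]: msg' -> (prog, msg)."""
    m = re.match(r"^([^\s\[:]+)(?:\[\d+\])?:\s*(.*)$", log)
    return (m.group(1), m.group(2)) if m else (None, log)

def decode_named_lame(log: str, prematch: str, regex: str):
    """Apply the 'named' parent, then the child prematch and regex.

    Returns the decoded fields, or None when any stage fails. A None here is
    the 'Src IP: (none)' situation from the alert: with no srcip decoded,
    active response has nothing it could block.
    """
    prog, msg = split_program_name(log)
    if prog != "named":   # assumption: stock parent decoder keys on program_name
        return None
    pm = re.match(ossec_to_python(prematch), msg)
    if pm is None:
        return None
    rest = msg[pm.end():]              # offset="after_prematch"
    rm = re.match(ossec_to_python(regex), rest)
    if rm is None:
        return None
    return {"program_name": prog, "srcip": rm.group(1)}  # <order>srcip</order>

if __name__ == "__main__":
    print(decode_named_lame(SAMPLE_LOG, DANIEL_PREMATCH, DANIEL_REGEX))
```

On a real installation the authoritative check is /var/ossec/bin/ossec-logtest: paste the syslog line and confirm that the decoder name and a srcip field appear in its output before expecting an active response to fire.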
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.