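# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# BIND dns logs
#
# DESCRIPTION:
# This library is used to process logs generated by a BIND dns server.
# These logs may be sent to a third party SYSLOG server, or monitored
# directly with a Thunder client.
#
# LAST UPDATE: $Date$
#
# REVIEW NOTES (layout conventions and known limits of this library):
# - Rule layout as used in this file: id=, name=, one or more match=
#   substring filters (a leading ! negates the filter), an optional regex=
#   with capture groups, a log= line naming the event and its fields, and
#   NEXT to close the rule. Precedence between match= and regex= is
#   engine-defined; the rules are written as though every match= must hold
#   before regex= is applied. Confirm against the PRM reference.
# - Every address capture is IPv4 only: ([0-9]+(\.[0-9]+){3}). $1 is the
#   address, $2 the repeated-octet sub-group and $3 the port, which is why
#   log= lines reference $1/$3 and skip $2. BIND 9 logs IPv6 peers as
#   "client 2001:db8::1#53"; such lines cannot yield srcip/dstip from these
#   patterns. Extend the captures if IPv6 clients or masters are in scope.
# - The regex= patterns are not anchored to the start of the message, and
#   BIND echoes client-supplied query names into many of the messages
#   matched below (the ': query:' rules, 1524, 1525 among others). A crafted
#   query name could in principle carry text such as
#   "AXFR from [1.2.3.4].53 for" and satisfy an unanchored pattern with an
#   attacker-chosen address. Treat addresses extracted from messages that
#   embed a query name as untrusted input, not as ground truth.
# - Event names are referenced by downstream correlation and reporting, so
#   they are left untouched here even where the spelling is off (id=3302)
#   or two rules share one name (id=3305/3306). Rename only as a
#   coordinated change.
# - The master's address in inbound-transfer messages is mapped
#   inconsistently: id=1536 logs it as dstip, 1538/1539/3301 as srcip.
#   Settle on one convention before building queries on these fields.
#
# --- version.bind probes --------------------------------------------------
# NOTE(review): the matched text is 'unapproved query ... for "version.bind"',
# i.e. the server refused the query, so the previous description ("gained the
# version") overstated what happened. type:application is kept so the event
# does not move; access-denied would line up with 1503/1507/1508.
id=1500
name=A remote host asked for the BIND version (version.bind) and the server logged the query as unapproved (refused). This is commonly the first step of a scan for vulnerable BIND name servers, so the source is still worth tracking.
match=ed
match=named[
match=ion
match=version.bind
match=ersion
match=rom
match=unapproved query from
match=pp
regex=named\[.+unapproved query from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+) for "version\.bind"
log=srcip:$1 srcport:$3 event:Bind-Version_Query dstport:53 type:application
NEXT
# Bracketed-address form of the denied version.bind query ("from [a.b.c.d].port").
# type changed application -> access-denied: 1502 emits the same event name for
# the same denial and already uses access-denied; one event must not straddle
# two types.
id=1501
name=A remote query for the BIND version (version.bind) was denied. This could be a normal network scan or an attacker looking for vulnerable BIND name servers.
match=ed
match=named[
match=ion
match=version.bind
match=ersion
match=rom
match=denied query from [
regex=named\[.+denied query from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+) for "version\.bind"
log=srcip:$1 srcport:$3 event:Bind-Denied_Version_Query dstport:53 type:access-denied
NEXT
# Same denial, address logged without brackets ("from a.b.c.d.port").
# match=!denied query from [ keeps 1501 and 1502 mutually exclusive.
id=1502
name=A remote query for the BIND version (version.bind) was denied. This could be a normal network scan or an attacker looking for vulnerable BIND name servers.
match=ed
match=named[
match=ion
match=version.bind
match=ersion
match=rom
match=denied query from
match=!denied query from [
regex=named\[.+denied query from ([0-9]+(\.[0-9]+){3})\.([0-9]+) for "version\.bind"
log=srcip:$1 srcport:$3 event:Bind-Denied_Version_Query dstport:53 type:access-denied
NEXT
# --- zone transfers served by this host -----------------------------------
# Refused AXFR. The regex is not anchored on the named[ tag; see the header
# note on untrusted text inside logged names.
id=1503
name=A DNS zone transfer (AXFR) request was refused as unapproved. This could be a mis-configured secondary, or an attempt by an unauthorized remote host to obtain your list of hosts.
match=ed
match=named[
match=rom
match=unapproved AXFR from
match=pp
regex=AXFR from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+) for
log=srcip:$1 srcport:$3 event:Bind-Zone_Transfer_Deny dstport:53 type:access-denied
NEXT
# Served AXFR. match=!unapproved excludes the refusal handled by 1503.
id=1504
name=An approved zone transfer (AXFR) was served to a remote host. If transfers are not restricted to known secondaries, this may be an unauthorized host enumerating your zone; verify the address is an expected secondary.
match=ed
match=named[
match=!unapproved
match=approved zone transfer (AXFR) of
match=pp
match=an
regex=zone transfer.*to \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Zone_Transfer dstport:53 type:application
NEXT
# --- refused / dropped packets -------------------------------------------
id=1505
name=A DNS query was refused because it arrived on a socket that named does not serve queries on (a "non-query socket"), rather than on the listening port.
match=ed
match=named[
match=rom
match=refused query on non-query socket from
regex=named\[.+refused query on non-query socket from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Refused_Query dstport:53 type:access-denied
NEXT
# The long list of two/three-letter match= fragments presumably acts as a cheap
# pre-filter; the decisive text is "dropping source port zero packet" in regex=.
id=1506
name=A DNS packet was dropped because its UDP source port was zero ("dropping source port zero packet").
match=ed
match=named[
match=ack
match=ing
match=pp
match=packet
match=pac
match=or
match=port
match= packet
match=rt
match=ou
match=in
match=ng
match=ce
match=ck
match=ur
match=er
match=ac
match=op
regex=named\[.+dropping source port zero packet from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Port_Zero_Packet dstport:53 type:access-denied
NEXT
# --- unapproved updates and recursion ------------------------------------
id=1507
name=A dynamic DNS update from a host that is not permitted to update the zone was refused ("unapproved update").
match=ed
match=named[
match=rom
match=ate
match=unapproved update from
match=pp
match=date
regex=named\[.+unapproved update from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Unapproved_Update dstport:53 type:access-denied
NEXT
id=1508
name=A recursive query from a host that is not permitted to use recursion was refused. Repeated hits from Internet addresses can indicate the server being probed as an open resolver.
match=ed
match=named[
match=ecu
match=rom
match=unapproved recursive query from
match=pp
regex=named\[.+unapproved recursive query from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Unapproved_Recursive_Query dstport:53 type:access-denied
NEXT
# --- process lifecycle ---------------------------------------------------
# 1542 handles the non-fatal "exiting" message via match=!fatal.
id=1509
name=The named DNS process has exited with a fatal log message.
match=ed
match=named[
match=ing
match=: exiting
match=fatal
log=event:Bind-Fatal_Exit dstport:53 type:process
NEXT
# Port capture uses [0-9]{1,5} here while every other rule uses [0-9]+; both
# accept the same real-world input.
id=1510
name=A DNS response was received from an unexpected source. This may be the result of DNS spoofing, but is most likely a remote misconfigured DNS server.
match=ed
match=named[
match=rom
match=ce
match=: Response from unexpected source
match=ect
regex=unexpected source \(\[([0-9]+(\.[0-9]+){3})\]\.([0-9]{1,5})\)
log=event:Bind-Unexpected_Response srcip:$1 srcport:$3 dstport:53 type:error
NEXT
# --- malformed packets (type:intrusion) ----------------------------------
# Neither 1511 nor 1512 extracts a source address; the messages are matched
# on text only. The previous descriptions asserted a "known buffer overflow
# attack", which the message text does not establish.
id=1511
name=named rejected a malformed DNS packet whose data-length field overran the message ("dlen overrun"). This may be an exploit attempt against the message parser or simply broken DNS software; treat it as suspicious rather than confirmed. No source address is extracted by this rule.
match=ed
match=named[
match=rr
match=le
match=dlen overrun
match=run
log=event:Bind-Potential_Attack dstport:53 type:intrusion
NEXT
id=1512
name=named truncated an oversize UDP packet ("truncated oversize UDP packet"). This may be an exploit attempt or a broken remote resolver; treat it as suspicious rather than confirmed. No source address is extracted by this rule.
match=ed
match=named[
match=ack
match=ate
match=truncated oversize UDP packet
match=run
log=event:Bind-Potential_Attack dstport:53 type:intrusion
NEXT
id=1513
name=The named process hit a segmentation fault and dumped core. Investigate as a possible exploit attempt as well as a software bug, and preserve the core file for analysis.
match=ed
match=named[
match=ent
match=ion
match=egmentation
match=ault
match=core d
log=event:Bind-Segmentation_Fault type:error
NEXT
# NOTE(review): "Transfer started" appears to be logged by the receiving side
# of a transfer (this host pulling a zone) -- confirm. If so, the earlier
# wording about a remote user obtaining your hosts did not apply here;
# 1504 and 1534 cover transfers served to remote hosts.
id=1514
name=A zone transfer has started (message "Transfer started"). Cross-check 1504 and 1534, which cover transfers served to remote hosts, before treating this as an outbound disclosure of your zone.
match=ed
match=named[
match= zone
match=sta
match=ar
match=: Transfer started
match=an
match=start
log=event:Bind-Zone_Transfer_started dstport:53 type:application
NEXT
# --- dynamic update results (BIND 9 "client a.b.c.d#port:" format) ---------
id=1515
name=A dynamic DNS update was denied ("update ... denied"). The client address is the host that attempted the update.
match=ed
match=named[
match=ate
match= update
match=date
match= denied
match=ent
match=client
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Update_Denied dstport:53 type:access-denied srcip:$1
NEXT
# type:access-denied is questionable for a generic "update failed" (the text
# does not say why it failed); kept pending review. Shares " updating zone"
# with 1523 -- which rule wins when both match is engine-defined.
id=1516
name=A dynamic DNS update failed while updating the zone ("update failed"). The message does not state the cause; compare with 1515 for explicit denials.
match=ed
match=named[
match=ent
match=client
match=ing
match= updating zone
match=ail
match=ate
match=le
match= update failed
match=date
match=ailed
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Update_Failed dstport:53 type:access-denied srcip:$1
NEXT
# --- resolver-side errors (remote server logged as dstip) ------------------
id=1517
name=A remote name server answered non-authoritatively for a zone it is delegated to serve (a "lame server"). Usually a remote misconfiguration.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=ser
match=: lame server resolving
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Lame_NameServer_Resolution dstport:53 type:error dstip:$1
NEXT
# Overlaps 1544, which also requires "unexpected RCODE" plus the lame-servers
# category tag.
id=1518
name=This server received an unexpected RCODE from a remote name server while resolving a query. Most often the remote server refused to answer.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=RCODE
match=CO
match=unexpected RCODE
match=ect
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Unexpected_Return_Code dstport:53 type:dns dstip:$1
NEXT
id=1519
name=This server received a FORMERR from a remote name server while resolving a query. Older servers that do not support EDNS0, including prior versions of BIND, answer EDNS queries with FORMERR or NOTIMP; BIND 9 then retries the query without EDNS0.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=: FORMERR resolving
match=FO
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Resolve_Error dstport:53 type:dns dstip:$1
NEXT
id=1520
name=The DNS server has just started.
match=ed
match=named[
match=ing
match=running
match=run
log=event:Bind-Running dstport:53 type:restart
NEXT
id=1521
name=The DNS server is shutting down.
match=ed
match=named[
match=ing
match=: shutting down:
log=event:Bind-Shut-Down dstport:53 type:restart
NEXT
# --- client queries (BIND 9 "client a.b.c.d#port:" format) -----------------
id=1522
name=The DNS server denied a query from a client ("query '...' denied"). Sustained denials from outside addresses can indicate open-resolver probing.
match=ed
match=named[
match=ent
match=client
match=: query '
match= denie
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Denied dstport:53 type:access-denied srcip:$1
NEXT
# Also matches the lines handled by 1516 (which adds " update failed").
id=1523
name=A client updated a zone on this server ("updating zone"). Verify the client is an expected dynamic-update source.
match=ed
match=named[
match=ent
match=client
match=ing
match= updating zone
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Update dstport:53 type:application srcip:$1
NEXT
id=1524
name=The DNS server received additional records it did not ask for ("unrelated additional info"). This usually means the remote DNS server is mis-configured, but it can also be an attempt to poison your cache with extraneous records.
match=ed
match=named[
match=ate
match=ion
match=: unrelated additional info '
regex=from \[([0-9]+(\.[0-9]+){3})\]\.
log=event:Bind-Extra_Info_Sent dstport:53 type:application srcip:$1
NEXT
id=1525
name=The DNS server received a bad referral, which indicates the remote DNS server is mis-configured. It could also be an attempt to poison your cache with extraneous information.
match=ed
match=named[
match=rr
match=: bad referral (
regex=from \[([0-9]+(\.[0-9]+){3})\]\.
log=event:Bind-Bad_Referral dstport:53 type:error srcip:$1
NEXT
# --- query logging ("client a.b.c.d#port: query: NAME IN TYPE +") ----------
# The named[ anchor is commented out in 1526-1535, presumably because query
# logging is often sent to a separate channel without the process tag --
# confirm. Without the tag any syslog line carrying "client X#port" and
# ": query:" will satisfy these rules; 1543 still requires the tag.
id=1526
name=The DNS server is logging DNS requests and has logged an IPv4 address (A) lookup for a domain name.
#match=named[
match=: query:
match=ent
match=client
match= IN A +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_IPv4 dstport:53 type:dns srcip:$1
NEXT
id=1527
name=The DNS server is logging DNS requests and has logged an IPv6 address (AAAA) lookup for a domain name.
#match=named[
match=: query:
match=ent
match=client
match= IN AAAA +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_IPv6 dstport:53 type:dns srcip:$1
NEXT
id=1528
name=The DNS server is logging DNS requests and has logged a reverse (PTR) lookup of a domain name for an IP address.
#match=named[
match=ent
match=client
match=: query:
match= IN PTR +
match=IN
match=TR
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Domain dstport:53 type:dns srcip:$1
NEXT
id=1529
name=The DNS server is logging DNS requests and has logged a request for a TXT record. TXT records often carry machine-readable policy such as Sender Policy Framework data.
#match=named[
match=: query:
match=ent
match=client
match= IN TXT +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_TXT dstport:53 type:dns srcip:$1
NEXT
id=1530
name=The DNS server is logging DNS requests and has logged a request for an MX record, used by mail software to locate a domain's mail exchangers. These usually indicate that the querying host is sending email.
#match=named[
match=: query:
match=ent
match=client
match= IN MX +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Mail_Server dstport:53 type:dns srcip:$1
NEXT
id=1531
name=The DNS server is logging DNS requests and has logged a request for a Service Locator (SRV) record, which maps a named service to its hosts and ports. Bursts of SRV lookups for many names from one client can indicate service enumeration.
match=: query:
#match=named[
match=ent
match=client
match= IN SRV +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Service_Locator dstport:53 type:dns srcip:$1
NEXT
id=1532
name=The DNS server is logging DNS requests and has logged a request for the Start of Authority (SOA) record of a zone.
#match=named[
match=: query:
match=ent
match=client
match= IN SOA +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Start_Of_Authority dstport:53 type:dns srcip:$1
NEXT
id=1533
name=The DNS server is logging DNS requests and has logged a TKEY request, which negotiates a shared key used to secure later DNS transactions.
#match=named[
match=: query:
match=ent
match=client
match= IN TKEY -
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Transaction_Key dstport:53 type:dns srcip:$1
NEXT
# The query log records the AXFR request; it does not say whether the
# transfer was allowed. The previous description claimed "authorized".
id=1534
name=The DNS server is logging DNS requests and has logged a zone transfer (AXFR) request from a client. The query log records the request regardless of outcome; pair with 1503 and 1504 to tell refused from served transfers.
#match=named[
match=: query:
match=ent
match=client
match= IN AXFR -
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Transfer_Query dstport:53 type:application srcip:$1
NEXT
# Previous description was a copy of 1534; this rule matches NOTIFY receipt.
id=1535
name=The DNS server received a NOTIFY for a zone from a client ("received notify for zone"). A NOTIFY from an address that is not the zone's master is worth checking.
#match=named[
match=ent
match=client
match=ce
match=ed
match= received notify for zone
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Notify dstport:53 type:application srcip:$1
NEXT
# --- inbound zone transfers (this host as secondary) ----------------------
# "transfer of ZONE from MASTER#53: connected using LOCAL#PORT": $1 is the
# master (logged as dstip), $3/$5 the local address and port (srcip/srcport).
id=1536
name=This server connected to a master to transfer a zone in. The master is logged as the destination and the local address and port used for the connection as the source.
match=ed
match=named[
match= transfer of
match=an
match=ing
match=connected using
match=ect
match=onnect
regex= from ([0-9]+(\.[0-9]+){3})#53: connected using ([0-9]+(\.[0-9]+){3})#([0-9]+)
log=event:Bind-Transfer dstport:53 type:application dstip:$1 srcip:$3 srcport:$5
NEXT
id=1537
name=The DNS server could not dump a master file because the open was refused with permission denied. Check ownership of the zone directory.
match=ed
match=named[
match=ing
match=le
match=: dumping master file:
match=ion
match=ss
match=: open: permission denied
log=event:Bind-Master_File_Dump_Denied type:access-denied
NEXT
# Here the "from" address (the master) is logged as srcip; 1536 logs the same
# party as dstip. See the header note.
id=1538
name=An inbound zone transfer failed with permission denied while receiving responses.
match=ed
match=named[
match= transfer of
match=an
match=ail
match=ion
match=ing
match=ce
match=le
match=ss
match= failed while receiving responses: permission denied
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Failed_Transfer dstport:53 type:access-denied srcip:$1
NEXT
id=1539
name=An inbound zone transfer from a master reached end of transfer.
match=ed
match=named[
match= transfer of
match=an
match= end of transfer
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Transfer_Ended dstport:53 type:application srcip:$1
NEXT
id=1540
name=The DNS server rejected a record with a bad owner name (check-names) while loading a zone.
match=ed
match=named[
match= zone
match= bad owner name (check-names)
log=event:Bind-Bad_Owner_Name type:error
NEXT
id=1541
name=A NOTIFY arrived while a refresh of the zone was already in progress; a refresh check was queued.
match=ed
match=named[
match= zone
match=ss
match= refresh in progress, refresh check queued
regex= notify from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Refresh_In_Progress dstport:53 type:application srcip:$1
NEXT
# Non-fatal counterpart of 1509.
id=1542
name=The named DNS process has exited (non-fatal exit message).
match=ed
match=named[
match=ing
match=exiting
match=!fatal
log=event:Bind-Process_Exit dstport:53 type:restart
NEXT
# Unlike 1526-1535 this rule still requires the named[ tag and does not
# require ": query:".
id=1543
name=The DNS server is logging DNS requests and has logged a request for the name servers (NS) of a domain.
match=ed
match=named[
match=ent
match=client
match= IN NS +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Name_Server dstport:53 type:dns srcip:$1
NEXT
# Overlaps 1518 (both require "unexpected RCODE"); this one additionally
# requires the lame-servers category tag and does not require named[.
# Which rule wins when both match is engine-defined -- confirm ordering.
id=1544
name=An "unexpected RCODE" message was logged under the lame-servers category: a remote name server returned a return code this server did not expect while resolving a query.
match=ser
match=lame-servers
match=RCODE
match=CO
match=ed
match=unexpected RCODE
match=ect
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Lame_NameServer_Unexpected_RCODE dstport:53 type:dns dstip:$1
NEXT
id=1545
name=The DNS server could not reach the network while resolving a query ("network unreachable").
match=ed
match=named[
match=le
match=network unreachable
match=ol
match=ing
match=resolving
log=event:Bind-Network_Unreachable dstport:53 type:error
NEXT
id=1546
name=The DNS server denied a client query against its cache ("query (cache) ... denied"). Repeated hits from outside addresses can indicate open-resolver probing.
match=ed
match=named[
match=ent
match=client
match=query (cache)
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Client_Query_Denied dstport:53 type:access-denied srcip:$1
NEXT
id=1547
name=A zone refresh could not set the modification time of the zone file because permission was denied. Check ownership of the zone directory.
match=ed
match=named[
match=: zone
match=ion
match=le
match=refresh: could not set file modification time of
match=ss
match= permission denied
log=event:Bind-Time_Modification_Denied dstport:53 type:error
NEXT
id=1548
name=A malformed DNS message was received from a remote address ("DNS format error from"). Persistent malformed responses from one address may indicate a broken server or deliberately crafted replies.
match=ed
match=named[
match=rr
match=rom
match=: DNS format error from
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-DNS_Format_Error_Invalid_Response dstport:53 srcip:$1 type:dns
NEXT
id=1549
name=Resolving a query returned a FORMERR from a remote name server ("error (FORMERR) resolving").
match=ed
match=named[
match=ol
match=ing
match=resolving
match=rr
match=: error (FORMERR) resolving
match=FO
match=ER
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-FORMERR_Response_Error dstport:53 type:dns dstip:$1
NEXT
# NOTE(review): the regex captures the first address followed by "#", which
# in a "client A#port: ..." line is the client, yet it is logged as dstip.
# Confirm which party is intended.
id=1550
name=named logged a "response from Internet for" message. The address captured is the first address in the message (in "client A#port:" lines, the client).
match=ed
match=named[
match=ent
match=client
match=rom
match=response from Internet for
regex= ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Response_From_Internet dstport:53 type:dns dstip:$1
NEXT
# NOTE(review): the regex captures a quoted dotted quad followed by ".", which
# looks like the query name (e.g. a reverse-lookup name such as
# '4.3.2.1.in-addr.arpa') rather than a peer address; for PTR names the octets
# are reversed. dstip:$1 is therefore doubtful -- confirm against a sample line.
id=3300
name=named resolved a name successfully only after retrying without EDNS, which usually indicates a remote server or middlebox that mishandles EDNS.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=ce
match=ss
match=]: success resolving
match=after disabling EDNS
regex= \'([0-9]+(\.[0-9]+){3})\.
log=event:Bind-Success_After_Disabling_EDNS dstport:53 type:dns dstip:$1
NEXT
# Inbound transfer completed; the master ("from" address) is logged as srcip,
# consistent with 1538/1539 and unlike 1536.
id=3301
name=An inbound zone transfer from a master completed ("Transfer completed").
match=Tra
match=omplete
match=named[
match=an
match=rom
match=IN
match=from
match= name
match= from
match=le
match= named[
match= transfer of
match=ed
match=ess
match=ss
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Transfer_Complete type:dns srcip:$1
NEXT
# Event name is misspelled ("Resonse") but kept: renaming it silently would
# break any correlation rule or report keyed on the existing name.
id=3302
name=named logged a truncated TCP response while resolving a name.
match=named[
match=error
match=TCP
match= name
match= named[
match=resolving
match=truncated
match=response
regex=([0-9]+(\.[0-9]+){3})#
log=event:Bind-Truncated_TCP_Resonse type:error srcip:$1
NEXT
id=3303
name=A connection to a remote name server was refused while resolving a name.
match=named[
match=error
match=connection
match=refused
match= named[
match=resolving
regex=([0-9]+(\.[0-9]+){3})#
log=event:Bind-Connection_Refused type:error srcip:$1
NEXT
id=3304
name=A NOTIFY was received for a zone that is already up to date, so no transfer was needed.
match=named[
match=notify
match=from
match=is
match= named[
match=date
match=at
match=zone is up to date
regex=([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Is_Up_To_Date type:dns srcip:$1
NEXT
# 3305 and 3306 are debug-level messages and share one event name; split the
# name only as a coordinated change with downstream consumers.
id=3305
name=named debug logging: the resolver created a fetch ("resolver: createfetch").
match=named[
match=resolver:
match=createfetch:
match= named[
match=]: resolver: createfetch:
log=event:Bind-Pre_Cache_Entries type:dns
NEXT
id=3306
name=named debug logging: a database record with no remaining references was deleted ("database: no_references: delete").
match=named[
match=]: database:
match=no_references:
match= named[
match=]: database: no_references: delete
log=event:Bind-Pre_Cache_Entries type:dns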