# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# BIND dns logs
#
# DESCRIPTION:
# This library is used to process logs generated by a BIND dns server.
# These logs may be sent to a third party SYSLOG server, or monitored
# directly with a Thunder client. 
#
# LAST UPDATE: $Date$

id=1500
name=A remote query gained the version of BIND. This could be a normal network scan or perhaps an attacker who is looking to find vulnerable BIND name servers.
# Log shape (from the regex): named[...] ... unapproved query from [A.B.C.D].PORT for "version.bind"
# $1 = querying host, $3 = its source port; $2 is only the repeated-octet subgroup and is unused.
# NOTE(review): the line only shows the query was flagged "unapproved"; whether the version
# string was actually returned, as the name claims, is not established by the log text itself.
match=ed
match=named[
match=ion
match=version.bind
match=ersion
match=rom
match=unapproved query from
match=pp
regex=named\[.+unapproved query from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+) for "version\.bind"
log=srcip:$1 srcport:$3 event:Bind-Version_Query dstport:53 type:application

NEXT

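id=1501
name=A remote query for the version of BIND was denied. This could be a normal network scan or perhaps an attacker who is looking to find vulnerable BIND name servers.
# Log shape (from the regex): named[...] ... denied query from [A.B.C.D].PORT for "version.bind"
# The matched text is a denial, so the name describes a refused version probe, not a disclosure.
# $1 = querying host, $3 = its source port; $2 is only the repeated-octet subgroup.
# NOTE(review): rule 1502 emits the same event name with type:access-denied; this rule
# uses type:application for the same condition -- confirm which classification is intended.
match=ed
match=named[
match=ion
match=version.bind
match=ersion
match=rom
match=denied query from [
regex=named\[.+denied query from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+) for "version\.bind"
log=srcip:$1 srcport:$3 event:Bind-Denied_Version_Query dstport:53 type:application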

NEXT

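id=1502
name=A remote query for the version of BIND was denied. This could be a normal network scan or perhaps an attacker who is looking to find vulnerable BIND name servers.
# Same condition as 1501 but for the unbracketed log form: denied query from A.B.C.D.PORT for "version.bind"
# The negative match (!denied query from [) keeps the bracketed form on rule 1501.
# $1 = querying host, $3 = its source port; $2 is only the repeated-octet subgroup.
match=ed
match=named[
match=ion
match=version.bind
match=ersion
match=rom
match=denied query from
match=!denied query from [
regex=named\[.+denied query from ([0-9]+(\.[0-9]+){3})\.([0-9]+) for "version\.bind"
log=srcip:$1 srcport:$3 event:Bind-Denied_Version_Query dstport:53 type:access-denied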

NEXT

id=1503
name=An unapproved DNS zone transfer occurred. This could be a mis-configuration or an attempt by an unauthorized remote user to obtain your list of hosts.
# Log shape: ... unapproved AXFR from [A.B.C.D].PORT for ...
# The regex is not anchored on named[ ; the match= lines supply that constraint.
# $1 = requesting host, $3 = its source port.
match=ed
match=named[
match=rom
match=unapproved AXFR from
match=pp
regex=AXFR from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+) for
log=srcip:$1 srcport:$3 event:Bind-Zone_Transfer_Deny dstport:53 type:access-denied

NEXT

id=1504
name=A DNS zone transfer occurred. If your DNS server has not been secured, this could be an attempt by an unauthorized remote user to obtain your list of hosts.
# Log shape: ... approved zone transfer (AXFR) of ... to [A.B.C.D].PORT
# !unapproved keeps this rule from also firing on the 1503 denial line.
# The address after "to" is the transfer recipient; it is reported as srcip (the requester).
match=ed
match=named[
match=!unapproved
match=approved zone transfer (AXFR) of
match=pp
match=an
regex=zone transfer.*to \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Zone_Transfer dstport:53 type:application

NEXT

id=1505
name=A DNS query was denied because it came from an incorrect port. 
# Log shape: named[...] ... refused query on non-query socket from [A.B.C.D].PORT
# $1 = sending host, $3 = its source port.
match=ed
match=named[
match=rom
match=refused query on non-query socket from
regex=named\[.+refused query on non-query socket from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Refused_Query dstport:53 type:access-denied

NEXT

id=1506
name=A DNS query was denied because it came with a source port of zero.
# Log shape: named[...] ... dropping source port zero packet from [A.B.C.D].PORT
# The many short match= fragments are pre-filters; the regex is the real discriminator.
# $1 = sending host, $3 = the port as logged.
match=ed
match=named[
match=ack
match=ing
match=pp
match=packet
match=pac
match=or
match=port
match= packet
match=rt
match=ou
match=in
match=ng
match=ce
match=ck
match=ur
match=er
match=ac
match=op
regex=named\[.+dropping source port zero packet from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Port_Zero_Packet dstport:53 type:access-denied

NEXT

id=1507
name=An unapproved update of new host information was denied. 
# Log shape: named[...] ... unapproved update from [A.B.C.D].PORT  (dynamic-update refusal)
# $1 = updating host, $3 = its source port. Rule 1515 covers the "client A.B.C.D#PORT" form.
match=ed
match=named[
match=rom
match=ate
match=unapproved update from
match=pp
match=date
regex=named\[.+unapproved update from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Unapproved_Update dstport:53 type:access-denied

NEXT

id=1508
name=An unapproved recursive query of existing DNS host information was denied. 
# Log shape: named[...] ... unapproved recursive query from [A.B.C.D].PORT
# $1 = querying host, $3 = its source port.
match=ed
match=named[
match=ecu
match=rom
match=unapproved recursive query from
match=pp
regex=named\[.+unapproved recursive query from \[([0-9]+(\.[0-9]+){3})\]\.([0-9]+)
log=srcip:$1 srcport:$3 event:Bind-Unapproved_Recursive_Query dstport:53 type:access-denied

NEXT

id=1509
name=The named DNS process has exited with a fatal log message. 
# Requires both ": exiting " and "fatal" on the named[ line; no regex, so no address is extracted.
# Rule 1542 is the complement (exiting without "fatal") and reports Bind-Process_Exit instead.
match=ed
match=named[
match=ing
match=: exiting 
match=fatal
log=event:Bind-Fatal_Exit dstport:53 type:process

NEXT

id=1510
name=A DNS response was received from an unexpected source. This may be the result of DNS spoofing, but is most likely a remote misconfigured DNS server.
# Log shape: ... Response from unexpected source ([A.B.C.D].PORT)
# $1 = the unexpected responder, $3 = its port (1-5 digits). Reported as srcip/srcport.
match=ed
match=named[
match=rom
match=ce
match=: Response from unexpected source
match=ect
regex=unexpected source \(\[([0-9]+(\.[0-9]+){3})\]\.([0-9]{1,5})\)
log=event:Bind-Unexpected_Response srcip:$1 srcport:$3 dstport:53 type:error

NEXT

id=1511
name=The named DNS server encountered a request for a known buffer overflow attack and stopped it. 
# Fires on a named[ line containing "dlen overrun". No regex, so no source address is
# extracted; the event carries only dstport. Rule 1512 emits the same event for another message.
match=ed
match=named[
match=rr
match=le
match=dlen overrun
match=run
log=event:Bind-Potential_Attack dstport:53 type:intrusion

NEXT

id=1512
name=The named DNS server encountered a request for a known buffer overflow attack and stopped it. 
# Fires on a named[ line containing "truncated oversize UDP packet". Same event as 1511;
# no regex, so no source address is extracted.
match=ed
match=named[
match=ack
match=ate
match=truncated oversize UDP packet
match=run
log=event:Bind-Potential_Attack dstport:53 type:intrusion

NEXT

id=1513
name=The named process encountered an issue which caused a core dump. 
# Fires on a named[ line mentioning a segmentation fault and "core d" (core dump).
# No dstport is set on this event, unlike most rules in this library.
match=ed
match=named[
match=ent
match=ion
match=egmentation
match=ault
match=core d
log=event:Bind-Segmentation_Fault type:error

NEXT

id=1514
name=A DNS zone transfer occurred. If your DNS server has not been secured, this could be an attempt by an unauthorized remote user to obtain your list of hosts.
# Fires on a named[ line containing " zone" and ": Transfer started".
# No regex, so the peer address is not extracted; correlate with 1504/1534 for the requester.
match=ed
match=named[
match= zone
match=sta
match=ar
match=: Transfer started
match=an
match=start
log=event:Bind-Zone_Transfer_started dstport:53 type:application

NEXT

id=1515
name=An unapproved update of new host information was denied. 
# Log shape: named[...] client A.B.C.D#PORT ... update ... denied
# $1 = updating host; the port after "#" is not captured. Counterpart of 1507 for the
# "client IP#port" log form.
match=ed
match=named[
match=ate
match= update
match=date
match= denied
match=ent
match=client
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Update_Denied dstport:53 type:access-denied srcip:$1

NEXT

id=1516
name=An update of new host information failed. 
# Log shape: named[...] client A.B.C.D#PORT ... updating zone ... update failed
# $1 = updating host. NOTE(review): the matched text is a failure, not a refusal, yet the
# event is typed access-denied -- confirm this classification is intended.
match=ed
match=named[
match=ent
match=client
match=ing
match= updating zone
match=ail
match=ate
match=le
match= update failed
match=date
match=ailed
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Update_Failed dstport:53 type:access-denied srcip:$1

NEXT

id=1517
name=A remote DNS server incorrectly responded to information about a query which had no right to do so. 
# Log shape: named[...]: lame server resolving ... : A.B.C.D#PORT
# $1 = the lame remote server (the address after ": "), reported as dstip.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=ser
match=: lame server resolving
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Lame_NameServer_Resolution dstport:53 type:error dstip:$1

NEXT

id=1518
name=A remote DNS server has received an unexpected return code from a query. This is most often the result when a remote DNS server refuses to resolve a request from your DNS server.
# Log shape: named[...]: unexpected RCODE ... resolving ... : A.B.C.D#PORT
# $1 = the remote server that returned the RCODE, reported as dstip.
# Rule 1544 covers the same message on the "lame-servers" category line without a named[ prefix.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=RCODE
match=CO
match=unexpected RCODE
match=ect
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Unexpected_Return_Code dstport:53 type:dns dstip:$1

NEXT

id=1519
name=A remote DNS server has received an unexpected return code from a query. According to the RFC, most older servers that do not support EDNS0, including prior versions of BIND, will send a FORMERR or NOTIMP response to these queries. When this happens, BIND 9 will automatically retry the query without EDNS0.
# Log shape: named[...]: FORMERR resolving ... : A.B.C.D#PORT
# $1 = the remote server that answered FORMERR, reported as dstip.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=: FORMERR resolving
match=FO
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Resolve_Error dstport:53 type:dns dstip:$1

NEXT

id=1520
name=The DNS server has just started.
# Fires on a named[ line containing "running". type:restart is shared with the
# shutdown rule 1521; no regex, so no address fields are set.
match=ed
match=named[
match=ing
match=running
match=run
log=event:Bind-Running dstport:53 type:restart 

NEXT

id=1521
name=The DNS server is shutting down.
# Fires on a named[ line containing ": shutting down:". Pair with 1520 to spot
# unexpected restarts.
match=ed
match=named[
match=ing
match=: shutting down:
log=event:Bind-Shut-Down dstport:53 type:restart 

NEXT

id=1522
name=The DNS server denied a query.
# Log shape: named[...] client A.B.C.D#PORT: query '...' denied
# $1 = querying host. " denie" is used so both "denied" spellings in the log match.
# NOTE(review): the log= line has two spaces before srcip -- confirm the field parser tolerates it.
match=ed
match=named[
match=ent
match=client
match=: query '
match= denie
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Denied dstport:53 type:access-denied  srcip:$1

NEXT

id=1523
name=The DNS server has had a zone updated. 
# Log shape: named[...] client A.B.C.D#PORT: updating zone ...
# $1 = updating host. NOTE(review): there is no negative match for "update failed", so the
# 1516 failure line also satisfies this rule; confirm the engine's rule precedence.
match=ed
match=named[
match=ent
match=client
match=ing
match= updating zone
regex=client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Update dstport:53 type:application  srcip:$1

NEXT

id=1524
name=The DNS server received additional information about a host that was not originally asked for. This likely means that the remote DNS server is mis-configured, but could also be an attempt to poison your DNS server with extraneous information.
# Log shape: named[...]: unrelated additional info '...' ... from [A.B.C.D].PORT
# $1 = the responder that sent the extra records, reported as srcip. Worth watching as a
# cache-poisoning indicator, as the name says.
match=ed
match=named[
match=ate
match=ion
match=: unrelated additional info '
regex=from \[([0-9]+(\.[0-9]+){3})\]\.
log=event:Bind-Extra_Info_Sent dstport:53 type:application  srcip:$1

NEXT

id=1525
name=The DNS server received a referral that indicates the remote DNS server is mis-configured. However, this could also be an attempt to poison your DNS server with extraneous information.
# Log shape: named[...]: bad referral (...) ... from [A.B.C.D].PORT
# $1 = the responder that sent the bad referral, reported as srcip.
match=ed
match=named[
match=rr
match=: bad referral (
regex=from \[([0-9]+(\.[0-9]+){3})\]\.
log=event:Bind-Bad_Referral dstport:53 type:error  srcip:$1

NEXT

id=1526
name=The DNS server is logging DNS requests and has logged an IPv4 address lookup for a domain name. 
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN A +
# The named[ match is deliberately commented out, so lines without that prefix are accepted
# (presumably because the query channel is written to a file rather than syslog -- confirm).
# The trailing "+" after the record type is part of BIND's query-log flags field;
# presumably recursion-desired -- confirm against the BIND version in use.
# $1 = querying client.
#match=named[
match=: query: 
match=ent
match=client
match= IN A +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_IPv4 dstport:53 type:dns srcip:$1

NEXT

id=1527
name=The DNS server is logging DNS requests and has logged an IPv6 address lookup for a domain name. 
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN AAAA +
# Same structure as 1526 (named[ prefix not required); " IN A +" and " IN AAAA +" do not
# overlap as substrings, so the two rules are disjoint. $1 = querying client.
#match=named[
match=: query: 
match=ent
match=client
match= IN AAAA +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_IPv6 dstport:53 type:dns srcip:$1

NEXT

id=1528
name=The DNS server is logging DNS requests and has logged a domain name request for an IP address.
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN PTR +
# Reverse lookup; same structure as 1526. $1 = querying client.
#match=named[
match=ent
match=client
match=: query: 
match= IN PTR +
match=IN
match=TR
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Domain dstport:53 type:dns srcip:$1

NEXT

id=1529
name=The DNS server is logging DNS requests and has logged a request for the TXT entry of a DNS system. The TXT field is often used to send machine-readable information such as with the Sender Policy Framework. 
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN TXT +
# Same structure as 1526. $1 = querying client.
#match=named[
match=: query: 
match=ent
match=client
match= IN TXT +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_TXT dstport:53 type:dns srcip:$1

NEXT

id=1530
name=The DNS server is logging DNS requests and has logged a request for the MX record of a DNS system. This is used by email programs to locate the IP address of a domain's email system. These logs usually indicate that the local system is sending email. 
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN MX +
# Same structure as 1526. $1 = querying client.
#match=named[
match=: query: 
match=ent
match=client
match= IN MX +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Mail_Server dstport:53 type:dns srcip:$1

NEXT

id=1531
name=The DNS server is logging DNS requests and has logged a request for the Service Locator record of a DNS system. This SRV DNS record is a more recent RFC for the Domain Name System and in some cases, MX records can be obtained with this query technique.    
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN SRV +
# Same structure as 1526. Note "client " here carries a trailing space (significant to the
# substring match, harmless for the "client A.B.C.D#" form). $1 = querying client.
match=: query: 
#match=named[
match=ent
match=client 
match= IN SRV +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Service_Locator dstport:53 type:dns srcip:$1

NEXT

id=1532
name=The DNS server is logging DNS requests and has logged a request for the Start of Authority record of a DNS system. 
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN SOA +
# Same structure as 1526. $1 = querying client.
#match=named[
match=: query: 
match=ent
match=client 
match= IN SOA +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Start_Of_Authority dstport:53 type:dns srcip:$1

NEXT

id=1533
name=The DNS server is logging DNS requests and has logged a request for a transaction key, which is a method to secure name resolution.
# Query-log line: ... client A.B.C.D#PORT: query: NAME IN TKEY -
# Unlike the rules above, the flags field is matched with "-" rather than "+".
# $1 = querying client.
#match=named[
match=: query: 
match=ent
match=client 
match= IN TKEY -
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Transaction_Key dstport:53 type:dns srcip:$1

NEXT

id=1534
name=The DNS server is logging DNS requests and has logged an authorized zone transfer.
# Query-log line: ... client A.B.C.D#PORT: query: ZONE IN AXFR -
# This is the AXFR request as seen in the query log; whether it was actually served is not
# visible from this line (see 1504/1514/3301 for the transfer itself). $1 = requesting client.
#match=named[
match=: query: 
match=ent
match=client
match= IN AXFR -
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Transfer_Query dstport:53 type:application srcip:$1

NEXT

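id=1535
name=The DNS server has received a NOTIFY message for a zone from a client.
# Log line: ... client A.B.C.D#PORT: received notify for zone ...
# This is a zone NOTIFY, not a zone transfer (the matched text is " received notify for zone"),
# so the event is Bind-Zone_Notify. $1 = the host that sent the NOTIFY.
#match=named[
match=ent
match=client
match=ce
match=ed
match= received notify for zone
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Notify dstport:53 type:application srcip:$1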


NEXT

id=1536
name=The DNS server is logging a transfer from an outside source.
# Log shape: named[...]: transfer of ... from A.B.C.D#53: connected using E.F.G.H#PORT
# $1 = the "from" peer (fixed to port 53 by the regex), reported as dstip;
# $3/$5 = the "connected using" address and port, reported as srcip/srcport.
# $2 and $4 are repeated-octet subgroups and are unused.
match=ed
match=named[
match= transfer of
match=an
match=ing
match=connected using
match=ect
match=onnect
regex= from ([0-9]+(\.[0-9]+){3})#53: connected using ([0-9]+(\.[0-9]+){3})#([0-9]+)
log=event:Bind-Transfer dstport:53 type:application dstip:$1 srcip:$3 srcport:$5 

NEXT

id=1537
name=The DNS server has logged a permission denied while trying to dump the master file.
# Fires on a named[ line containing both ": dumping master file:" and ": open: permission denied".
# Local file-system error, so no address fields and no dstport are set.
match=ed
match=named[
match=ing
match=le
match=: dumping master file:
match=ion
match=ss
match=: open: permission denied
log=event:Bind-Master_File_Dump_Denied type:access-denied 


NEXT

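id=1538
name=The DNS server logged a failed transfer due to permission denied.
# Log shape: named[...]: transfer of ... from A.B.C.D#PORT ... failed while receiving responses: permission denied
# $1 = the peer the transfer was being received from, reported as srcip.
match=ed
match=named[
match= transfer of
match=an
match=ail
match=ion
match=ing
match=ce
match=le
match=ss
match= failed while receiving responses: permission denied
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Failed_Transfer dstport:53 type:access-denied srcip:$1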

NEXT

id=1539
name=The DNS server logged an end to a transfer.
# Log shape: named[...]: transfer of ... from A.B.C.D#PORT ... end of transfer
# $1 = the peer the transfer came from, reported as srcip.
match=ed
match=named[
match= transfer of
match=an
match= end of transfer
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Transfer_Ended dstport:53 type:application srcip:$1

NEXT

id=1540
name=The DNS server has logged a bad owner name.
# Fires on a named[ line containing " zone" and " bad owner name (check-names)".
# Zone-data validation error; no address fields are set.
match=ed
match=named[
match= zone
match= bad owner name (check-names)
log=event:Bind-Bad_Owner_Name type:error

NEXT

id=1541
name=The DNS server logged a refresh in progress with a refresh check queued.
# Log shape: named[...] zone ... notify from A.B.C.D#PORT: refresh in progress, refresh check queued
# $1 = the host whose NOTIFY triggered the check, reported as srcip.
match=ed
match=named[
match= zone
match=ss
match= refresh in progress, refresh check queued
regex= notify from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Refresh_In_Progress dstport:53 type:application srcip:$1

NEXT

id=1542
name=The named DNS process has exited. 
# Fires on a named[ "exiting" line that does NOT contain "fatal"; the fatal case is rule 1509.
# No regex, so no address fields are set.
match=ed
match=named[
match=ing
match=exiting
match=!fatal
log=event:Bind-Process_Exit dstport:53 type:restart

NEXT

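id=1543
name=The DNS server is logging DNS requests and has logged a request for the name server (NS) record of a domain.
# Query-log line: named[...] client A.B.C.D#PORT: ... IN NS +
# Unlike 1526-1534 this rule does require the named[ prefix. $1 = querying client.
match=ed
match=named[
match=ent
match=client 
match= IN NS +
match=IN
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Query_Name_Server dstport:53 type:dns srcip:$1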

NEXT

id=1544
name=The DNS server has received some unexpected RCODE which it has refused, but was able to resolve the IP anyway.
# Log shape: ... lame-servers: unexpected RCODE ... : A.B.C.D#PORT
# NOTE(review): no named[ match is required here, so any syslog line containing these
# fragments (not just one from named) satisfies the rule.
# $1 = the remote server that returned the RCODE, reported as dstip.
match=ser
match=lame-servers
match=RCODE
match=CO
match=ed
match=unexpected RCODE
match=ect
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Lame_NameServer_Unexpected_RCODE dstport:53 type:dns dstip:$1

NEXT

id=1545
name=The DNS server logged that the network is unreachable.
# Fires on a named[ line containing "network unreachable" and "resolving".
# No regex, so the unreachable destination is not extracted.
match=ed
match=named[
match=le
match=network unreachable
match=ol
match=ing
match=resolving
log=event:Bind-Network_Unreachable dstport:53 type:error

NEXT

id=1546
name=The DNS server has denied a client query.
# Log shape: named[...] client A.B.C.D#PORT: query (cache) ...
# NOTE(review): "denied" is not among the match strings, so any named[ line carrying
# "query (cache)" satisfies this rule; confirm that the log source only emits this form
# for denials, or add a match for the denial text.
# $1 = querying client.
match=ed
match=named[
match=ent
match=client
match=query (cache)
regex= client ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Client_Query_Denied dstport:53 type:access-denied srcip:$1

NEXT

id=1547
name=The DNS server refresh could not set the file modification time, the permission was denied.
# Fires on a named[ ": zone" line containing "refresh: could not set file modification time of"
# and " permission denied". Local file-system error; no address fields are set.
match=ed
match=named[
match=: zone
match=ion
match=le
match=refresh: could not set file modification time of
match=ss
match= permission denied
log=event:Bind-Time_Modification_Denied dstport:53 type:error

NEXT

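id=1548
name=The DNS response from a client query was invalid. 
# Log shape: named[...]: DNS format error from A.B.C.D#PORT ...
# $1 = the host that sent the malformed packet, reported as srcip.
match=ed
match=named[
match=rr
match=rom
match=: DNS format error from
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-DNS_Format_Error_Invalid_Response dstport:53 srcip:$1 type:dns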

NEXT

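id=1549
name=The DNS response from a client query resulted in a FORMERR status. 
# Log shape: named[...]: error (FORMERR) resolving ... : A.B.C.D#PORT
# $1 = the remote server that answered FORMERR, reported as dstip.
# Rule 1519 covers the older ": FORMERR resolving" wording of the same condition.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=rr
match=: error (FORMERR) resolving
match=FO
match=ER
regex=: ([0-9]+(\.[0-9]+){3})#
log=event:Bind-FORMERR_Response_Error dstport:53 type:dns dstip:$1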

NEXT

id=1550
name=The DNS response from the internet.
# Fires on a named[ line containing "client" and "response from Internet for".
# The regex takes the FIRST " A.B.C.D#" in the line and reports it as dstip.
# NOTE(review): with "client" required on the line, that first address is presumably the
# client, not a remote server -- confirm against sample logs before relying on dstip.
match=ed
match=named[
match=ent
match=client
match=rom
match=response from Internet for
regex= ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Response_From_Internet dstport:53 type:dns dstip:$1

NEXT

id=3300
name=The DNS had success in resolving an ip address after disabling EDNS.
# Fires on a named[ "]: success resolving" line that also contains "after disabling EDNS".
# NOTE(review): the regex captures dotted digits immediately after a single quote, i.e. the
# start of the quoted query name, and reports them as dstip. For a reverse (in-addr.arpa)
# name that is the reversed address of the lookup target, not the server that answered;
# confirm against sample logs.
match=ed
match=named[
match=ol
match=ing
match=resolving
match=ce
match=ss
match=]: success resolving
match=after disabling EDNS
regex= \'([0-9]+(\.[0-9]+){3})\.
log=event:Bind-Success_After_Disabling_EDNS dstport:53 type:dns dstip:$1

NEXT

id=3301
name=The DNS server completed a zone transfer.
# Fires on a named[ "transfer of ... from A.B.C.D#PORT" line whose text also contains
# "Tra" and "omplete" (e.g. "Transfer completed"). $1 = the peer the zone came from.
# Unlike 1539, no dstport is set on this event.
match=Tra
match=omplete
match=named[
match=an
match=rom
match=IN
match=from
match= name
match= from
match=le
match= named[
match= transfer of
match=ed
match=ess
match=ss
regex= from ([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Transfer_Complete type:dns srcip:$1

NEXT

id=3302
name=The DNS server truncated a TCP response but is resolving.
# Fires on a named[ line containing "error", "TCP", "resolving", "truncated" and "response".
# The regex takes the first "A.B.C.D#" anywhere in the line and reports it as srcip;
# on a "resolving" line this is presumably the remote server being queried -- confirm.
# NOTE(review): the event name is misspelled ("Resonse"); it is left unchanged because
# downstream correlation rules may key on the exact string.
match=named[
match=error
match=TCP
match= name
match= named[
match=resolving
match=truncated
match=response
regex=([0-9]+(\.[0-9]+){3})#
log=event:Bind-Truncated_TCP_Resonse type:error srcip:$1

NEXT

id=3303
name=The DNS server refused a connection.
# Fires on a named[ line containing "error", "connection", "refused" and "resolving".
# The regex takes the first "A.B.C.D#" in the line and reports it as srcip; since the
# line is a resolver ("resolving") error, that address is presumably the remote server
# that refused the connection rather than a client -- confirm against sample logs.
match=named[
match=error
match=connection
match=refused
match= named[
match=resolving
regex=([0-9]+(\.[0-9]+){3})#
log=event:Bind-Connection_Refused type:error srcip:$1

NEXT

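id=3304
name=The DNS server logged that a zone is up to date.
# Fires on a named[ line containing "notify ", "from" and "zone is up to date"
# (a NOTIFY that required no refresh). The regex takes the first "A.B.C.D#" in the line,
# presumably the NOTIFY sender, and reports it as srcip.
match=named[
match=notify 
match=from
match=is
match= named[
match=date
match=at
match=zone is up to date
regex=([0-9]+(\.[0-9]+){3})#
log=event:Bind-Zone_Is_Up_To_Date type:dns srcip:$1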

NEXT

id=3305
name=The DNS server has listed a pre cache record.
# Fires on a named[ "]: resolver: createfetch:" line. No regex, so no address fields are set.
# Rule 3306 emits the same event for the "database: no_references: delete" line.
# NOTE(review): these look like debug-level resolver messages; expect high volume if
# named is run with debugging enabled.
match=named[
match=resolver:
match=createfetch:
match= named[
match=]: resolver: createfetch:
log=event:Bind-Pre_Cache_Entries type:dns

NEXT

id=3306
name=The DNS server has listed a pre cache record.
# Fires on a named[ "]: database: no_references: delete" line. Same event as 3305;
# no regex, so no address fields are set.
match=named[
match=]: database:
match=no_references:
match= named[
match=]: database: no_references: delete
log=event:Bind-Pre_Cache_Entries type:dns