Thanks for trying it.  

   - Permissions on the script are good.

# ll active-response/bin/firewall-dns-query-drop.sh
-rwxr-x--- 1 root ossec 5758 Mar 10 07:58 active-response/bin/firewall-dns-query-drop.sh*

   - I removed the <level> 8 tag.
   - This is a stand-alone install so I don't think the server tag is 
   needed.
   
Just to confirm: when you say it worked, does the active-responses.log show 
an attempt to run the script 
active-response/bin/firewall-dns-query-drop.sh?

I did a test where I copied firewall-drop.sh to firewall-dns-query-drop.sh 
just to eliminate any concern that the issue might be with the script, but 
the script did not get invoked. It would generate an error, because an IP 
address isn't passed, but I'm convinced it's something in the 
ossec-server.conf file. I'm going to try it out on a clean CentOS 7 
system next. 

Thanks for the help,

-- Ralph

On Tuesday, March 14, 2017 at 8:13:31 AM UTC-4, Pedro Sanchez wrote:
>
> Hi Ralph,
>
> I have been testing your configuration, everything works great on my 
> environment (using standard firewall-drop.sh).
>
> Few tips which may help you:
>
>
>    - Active-response block: you are using *rules_id* and *level*; since 
>    your rule will have the same level no matter what, maybe you could remove 
>    <level>
>    - Active-response block: you defined "local", which will only trigger 
>    active-response on remote agents; in case you want to trigger 
>    active-response at the manager, you could use "*server*", or both, 
>    "*server,local*" ("*all*" option is not working on my environment)
>    - Ruleset: I did verify your decoders and rules; still, you could use the 
>    bin/ossec-logtest tool and paste your event, just to confirm they are 
>    working properly on your installation
>    - You could run the active-response manually by running: 
>    *bin/agent_control -b ip_address_to_block -f firewall-dns-query-drop5400 -u agent_id*
>    - Permissions: confirm your scripts have permissions root:ossec and 
>    rwxr-x---
>
>
> Hope it helps, best regards,
> Pedro Sanchez.
>
> On Monday, March 13, 2017 at 3:11:50 PM UTC+1, Ralph Durkee wrote:
>>
>>
>> I'm getting heavy flurries of bogus DNS queries to a non-recursive, 
>> authoritative DNS server. The traffic comes from a large spread of src IP 
>> addresses, so it's obviously mostly spoofed. The queries are all denied, so 
>> it's almost no risk, except that it heavily overloads the log management, 
>> it's annoying, and could cause some more serious logs to get missed in the 
>> flurry. The rate of traffic is about 3-20 queries per second, and a 
>> flurry often runs for several hours. The host name is random, but the 
>> domain names are pretty static within a single flurry. So I've written a 
>> named decoder to extract the host name as 'user', and rules to alert on the 
>> flurry of denied queries. The decoder and alerts are working fine. I also 
>> have an active response script which adds an iptables rule to drop queries 
>> for a specific denied domain name. The script works fine when run by hand. 
>> It's based on the existing active-response/bin/firewall-drop.sh so that it 
>> uses the same locking directory, so that the two scripts will co-operate on 
>> locking. The one thing that's not working is that when the alert is generated 
>> the script doesn't get run. The script is in active-response/bin with 
>> rx permissions. There's no error log in the ossec.log and there's not even 
>> an indication that it started to run in the active-responses.log. The first 
>> thing the script does is generate a log to active-responses.log similar to 
>> the script it's based on. However the script is not run when the alert is 
>> generated for rule 100002.
>>
>>
>> *Sample traffic:*
>>
>> Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173 (odcdavcxkvin.games.yuanyou8.com): query (cache) 'odcdavcxkvin.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:45 net19 named[6147]: client 29.153.55.216#28938 (qbwrypybuhuv.games.yuanyou8.com): query (cache) 'qbwrypybuhuv.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:46 net19 named[6147]: client 126.122.141.86#34892 (azkhczkxcpgh.games.yuanyou8.com): query (cache) 'azkhczkxcpgh.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:46 net19 named[6147]: client 72.226.226.185#29311 (wfgdglqlqbwd.games.yuanyou8.com): query (cache) 'wfgdglqlqbwd.games.yuanyou8.com/A/IN' denied
>>
>>
>> *Sample alerts:*
>>
>> ** Alert 1489383774.343817: - local,syslog,
>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>> Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
>> Src IP: 60.50.34.62
>> Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074 (uburatmbgrov.games.yuanyou8.com): query (cache) 'uburatmbgrov.games.yuanyou8.com/A/IN' denied
>>
>> ** Alert 1489383774.344139: - local,syslog,
>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>> Rule: 12108 (level 4) -> 'Invalid Query cache denied.'
>> Src IP: 42.76.121.217
>> Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337 (eropovspwfyl.games.yuanyou8.com): query (cache) 'eropovspwfyl.games.yuanyou8.com/A/IN' denied
>>
>> ** Alert 1489383774.344465: - local,syslog,
>> 2017 Mar 13 01:42:54 net19->/var/log/named.log
>> Rule: 100002 (level 8) -> 'Multiple denied DNS queries in a short time.'
>> Src IP: 96.174.127.167
>> Mar 13 01:42:54 net19 named[6147]: client 96.174.127.167#16133 (qtoncngdqvcv.games.yuanyou8.com): query (cache) 'qtoncngdqvcv.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:54 net19 named[6147]: client 42.76.121.217#52337 (eropovspwfyl.games.yuanyou8.com): query (cache) 'eropovspwfyl.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:53 net19 named[6147]: client 60.50.34.62#39074 (uburatmbgrov.games.yuanyou8.com): query (cache) 'uburatmbgrov.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:53 net19 named[6147]: client 31.138.210.77#3939 (izilszqtqvav.games.yuanyou8.com): query (cache) 'izilszqtqvav.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:53 net19 named[6147]: client 44.157.160.105#63395 (afmxgjqfelwj.games.yuanyou8.com): query (cache) 'afmxgjqfelwj.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:53 net19 named[6147]: client 1.58.85.178#22054 (olshwnafqhihgvkn.games.yuanyou8.com): query (cache) 'olshwnafqhihgvkn.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:53 net19 named[6147]: client 103.7.105.111#13695 (yzunwbizupyr.games.yuanyou8.com): query (cache) 'yzunwbizupyr.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:52 net19 named[6147]: client 34.96.205.55#4089 (atkdwdixmfkl.games.yuanyou8.com): query (cache) 'atkdwdixmfkl.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:52 net19 named[6147]: client 70.94.229.18#28624 (oletkhwbodyn.games.yuanyou8.com): query (cache) 'oletkhwbodyn.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:51 net19 named[6147]: client 47.224.195.250#8636 (axcpajunsfoj.games.yuanyou8.com): query (cache) 'axcpajunsfoj.games.yuanyou8.com/A/IN' denied
>> Mar 13 01:42:51 net19 named[6147]: client 96.243.170.64#27176 (ahefilwzohgb.games.yuanyou8.com): query (cache) 'ahefilwzohgb.games.yuanyou8.com/A/IN' denied
>>
>>
>> *Active response configuration:*
>>
>> <!-- RALPH: Customized script based on firewall-drop.sh;
>>      uses same locking, drops DNS queries with specific domain name. -->
>> <command>
>>   <name>firewall-dns-query-drop</name>
>>   <executable>firewall-dns-query-drop.sh</executable>
>>   <expect>user</expect>
>>   <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> . . .
>>
>> <active-response>
>>   <command>firewall-dns-query-drop</command>
>>   <location>local</location>
>>   <rules_id>100002</rules_id>
>>   <level>8</level>
>>   <timeout>5400</timeout>
>> </active-response>
>>
>> *The decoder:*
>>
>> # *cat etc/decoders.d/local_named.xml*
>>
>> <!-- RALPH: Adjust decoder to catch domain name.
>>
>>      SAMPLES:
>>      Mar 7 09:43:19 net19 named[6147]: client 53.144.157.215#61687 (qhctgjulipqfchyv.qiyering.com): query (cache) 'qhctgjulipqfchyv.qiyering.com/A/IN' denied
>>
>>      Doesn't make sense to put the domain name in "user", except that only srcip
>>      and user are passed to active scripts, and have a <same_xxx> capability.
>> -->
>> <decoder name="named-query-denied">
>>   <parent>named</parent>
>>   <prematch>denied$</prematch>
>>   <regex>client (\S+)#\d+\s+\((\S+)\): query </regex>
>>   <order>srcip,user</order>
>> </decoder>
>>
>>
>> *New rules in rules/local_rules.xml:*
>>
>> <!-- Was level 0, now it needs to aggregate to an automated response. -->
>> <rule id="12108" level="4" overwrite="yes">
>>   <if_sid>12100</if_sid>
>>   <match>query (cache) denied|: query (cache)</match>
>>   <description>Invalid Query cache denied.</description>
>> </rule>
>>
>> <rule id="100002" level="8" frequency="10" timeframe="60">
>>   <if_matched_sid>12108</if_matched_sid>
>>   <description>Multiple denied DNS queries in a short time.</description>
>>   <info></info>
>> </rule>
>>
>
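Added example, not from the thread and not OSSEC code: a POSIX shell pipeline that applies the same extraction as the posted decoder (prematch `denied$`, then `client (\S+)#\d+\s+\((\S+)\): query`) to constructed named log lines modelled on the samples above, counts denied queries per domain, and reports any domain at or above a threshold (10, the `frequency` in rule 100002). It goes one step beyond the posted rule, which counts every rule-12108 hit regardless of the name: the random leftmost label is stripped first, so the count keys on the static part of the flurry. (A `<same_user />` on rule 100002 would not do that, because `user` holds the whole random name.) The sample lines, the threshold argument and the function names are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or OSSEC: runs the extraction of the
# posted decoder over constructed named log lines and counts denied
# queries per parent domain, the way a per-flurry threshold would.

# Constructed sample, modelled on the posted lines: ten denied queries
# under games.yuanyou8.com, two under another domain, and one query that
# named answered (no "denied"), which the prematch must discard.
sample_log() {
cat <<'EOF'
Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173 (odcdavcxkvin.games.yuanyou8.com): query (cache) 'odcdavcxkvin.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:45 net19 named[6147]: client 29.153.55.216#28938 (qbwrypybuhuv.games.yuanyou8.com): query (cache) 'qbwrypybuhuv.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:46 net19 named[6147]: client 126.122.141.86#34892 (azkhczkxcpgh.games.yuanyou8.com): query (cache) 'azkhczkxcpgh.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:46 net19 named[6147]: client 72.226.226.185#29311 (wfgdglqlqbwd.games.yuanyou8.com): query (cache) 'wfgdglqlqbwd.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:46 net19 named[6147]: client 198.51.100.7#40001 (www.example.net): query (cache) 'www.example.net/A/IN' denied
Mar 13 01:42:47 net19 named[6147]: client 203.0.113.9#1234 (ns1.example.org): query: ns1.example.org IN A + (192.0.2.53)
Mar 13 01:42:47 net19 named[6147]: client 198.51.100.21#5100 (kxqwtmhbzrua.games.yuanyou8.com): query (cache) 'kxqwtmhbzrua.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:47 net19 named[6147]: client 198.51.100.22#5101 (pfzrlqncdvte.games.yuanyou8.com): query (cache) 'pfzrlqncdvte.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:48 net19 named[6147]: client 198.51.100.23#5102 (mbyvxskoqraz.games.yuanyou8.com): query (cache) 'mbyvxskoqraz.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:48 net19 named[6147]: client 203.0.113.44#6000 (mail.example.net): query (cache) 'mail.example.net/A/IN' denied
Mar 13 01:42:48 net19 named[6147]: client 198.51.100.24#5103 (thclodwnupgi.games.yuanyou8.com): query (cache) 'thclodwnupgi.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:49 net19 named[6147]: client 198.51.100.25#5104 (vdgkaxjcmbrp.games.yuanyou8.com): query (cache) 'vdgkaxjcmbrp.games.yuanyou8.com/A/IN' denied
Mar 13 01:42:49 net19 named[6147]: client 198.51.100.26#5105 (ysqpeoriwfzl.games.yuanyou8.com): query (cache) 'ysqpeoriwfzl.games.yuanyou8.com/A/IN' denied
EOF
}

# The decoder's prematch (denied$) and regex
#   client (\S+)#\d+\s+\((\S+)\): query
# written as a sed BRE; prints "srcip qname" for every line it decodes.
decode_denied() {
    sed -n 's/^.*client \([^[:space:]]*\)#[0-9][0-9]*[[:space:]][[:space:]]*(\([^[:space:]]*\)): query .* denied$/\1 \2/p'
}

# Count decoded queries per parent domain (leftmost label stripped, since
# it is the random part of the flurry); prints "count domain", most first.
count_per_domain() {
    decode_denied | awk '{
        n = split($2, l, ".")
        d = (n > 1) ? substr($2, length(l[1]) + 2) : $2
        c[d]++
    } END { for (d in c) print c[d], d }' | sort -rn
}

# Domains at or above the threshold in $1, e.g. the 10 of rule 100002.
flurry_domains() {
    count_per_domain | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage: sample_log | flurry_domains 10
sample_log | flurry_domains 10
```

On the constructed input this prints only `games.yuanyou8.com`; the two `example.net` queries stay under the threshold and the answered query never reaches the counter. To try it on a real file, replace `sample_log` with `cat /var/log/named.log`.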

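Added example, not Ralph's script and not shipped with OSSEC: a minimal active-response executable in the style of firewall-drop.sh, showing what the arguments look like when the `<command>` has `<expect>user</expect>` and the decoder above puts the queried name in `user`, and how to turn that name into an iptables rule that drops queries for the domain rather than for a (spoofed) source address. It assumes the same `fw-drop` lock directory name as firewall-drop.sh, logs to `../active-responses.log` relative to the script directory as that script does, and strips the leftmost (random) label before blocking; `IPTABLES`, `DRY_RUN`, `LOCK_DIR` and `AR_LOG` are testing hooks, not part of OSSEC's calling convention.

```shell
#!/bin/sh
# Added example in the style of OSSEC's firewall-drop.sh; not Ralph's script
# and not shipped with OSSEC. ossec-execd invokes an active-response
# executable as:   <script> <action> <user> <srcip> <alert_id> <rule_id>
# where <action> is "add", then "delete" once <timeout> expires. With
# <expect>user</expect> and the posted decoder, $2 is the queried name,
# e.g. "odcdavcxkvin.games.yuanyou8.com", and $3 the (spoofed) source IP.

# Assumptions: same lock directory name as firewall-drop.sh and the same
# log location relative to the script. IPTABLES and DRY_RUN are test hooks.
LOCK="${LOCK_DIR:-${PWD}/fw-drop}"
AR_LOG="${AR_LOG:-${PWD}/../active-responses.log}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Strip the leftmost label, which is the random part of these flurries:
# odcdavcxkvin.games.yuanyou8.com -> games.yuanyou8.com
parent_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Encode a name as it appears in the DNS question section (length-prefixed
# labels, terminating zero byte) in iptables --hex-string syntax:
#   games.yuanyou8.com -> |05|games|08|yuanyou8|03|com|00|
# The length bytes anchor the match on whole labels, so the rule does not
# also drop queries for "mygames.yuanyou8.com".
dns_wire_hex() {
    out="|"
    old_ifs="$IFS"; IFS='.'
    for label in $1; do
        [ -n "$label" ] || continue            # tolerate a trailing dot
        out="${out}$(printf '%02x' "${#label}")|${label}|"
    done
    IFS="$old_ifs"
    printf '%s\n' "${out}00|"
}

# $1 = -I (add) or -D (delete), $2 = domain to match. A query carries the
# name uncompressed within the first 512 bytes; --icase covers 0x20 casing.
apply_rule() {
    pattern="$(dns_wire_hex "$2")"
    set -- "$1" INPUT -p udp --dport 53 -m string --algo bm --icase \
           --hex-string "$pattern" --to 512 -j DROP
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$IPTABLES"; printf ' %s' "$@"; printf '\n'
    else
        "$IPTABLES" "$@"
    fi
}

# Same mkdir lock loop as firewall-drop.sh, so both scripts serialise
# their iptables changes on the same directory.
lock() {
    i=0
    until mkdir "$LOCK" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -lt 60 ] || { echo "$0: lock timeout" >&2; exit 1; }
        sleep 1
    done
}
unlock() { rmdir "$LOCK" 2>/dev/null || true; }

ar_main() {
    action="$1"; qname="$2"
    domain="$(parent_domain "$qname")"
    # Log first, as firewall-drop.sh does, so the call shows up in
    # active-responses.log even if the iptables step fails afterwards.
    echo "$(date) $0 $1 $2 $3 $4 $5 domain=$domain" >> "$AR_LOG"
    case "$action" in
        add)    lock; apply_rule -I "$domain"; unlock ;;
        delete) lock; apply_rule -D "$domain"; unlock ;;
        *)      echo "$0: invalid action '$action'" >&2; exit 1 ;;
    esac
}

# Only act when called with an action; sourcing the file just defines the
# functions without touching iptables.
case "${1:-}" in
    add|delete) ar_main "$@" ;;
esac
```

Run by hand as `DRY_RUN=1 ./firewall-dns-query-drop.sh add odcdavcxkvin.games.yuanyou8.com 31.150.218.239 1489383774.344465 100002` to see the exact iptables command without applying it. Matching on the name is the point here: the source addresses are spoofed, so a per-IP drop like firewall-drop.sh would never converge, while on a non-recursive authoritative server every query for a domain it does not serve is bogus by definition.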