SigmaHQ/rules/linux/lnx_susp_named.yml

title: Suspicious Named Error
status: experimental
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
author: Florian Roth
date: 2018/02/20
logsource:
    product: linux
    service: syslog
detection:
    keywords:
        - '* dropping source port zero packet from *'
        - '* denied AXFR from *'
        - '* exiting (due to fatal error)*'
    condition: keywords
falsepositives:
    - Unknown
level: high
Rule: Linux > named > suspicious activity 2018-02-20 13:56:28 +00:00			`title: Suspicious Named Error`
			`status: experimental`
			`description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts`
			`references:`
			`- https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml`
			`author: Florian Roth`
			`date: 2018/02/20`
			`logsource:`
			`product: linux`
			`service: syslog`
			`detection:`
			`keywords:`
			`- '* dropping source port zero packet from *'`
			`- '* denied AXFR from *'`
			`- '* exiting (due to fatal error)*'`
			`condition: keywords`
			`falsepositives:`
			`- Unknown`
			`level: high`