title: Suspicious Named Error
status: experimental
description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts 
references:
    - https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml
author: Florian Roth
date: 2018/02/20
logsource:
    product: linux
    service: syslog
detection:
    keywords:
        - '* dropping source port zero packet from *'
        - '* denied AXFR from *'
        - '* exiting (due to fatal error)*'
    condition: keywords
falsepositives:
    - Unknown
level: high