Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

named decoder not matching srcip on Ubuntu 20.04 #1927

Open
ogmueller opened this issue Oct 26, 2020 · 1 comment
Open

named decoder not matching srcip on Ubuntu 20.04 #1927

ogmueller opened this issue Oct 26, 2020 · 1 comment

Comments

@ogmueller
Copy link

Version:
Ubuntu 20.04.1 LTS
Package: ossec-hids-server
Version: 3.6.0-14954focal

Currently the named decoder assumes entries to look like (as mentioned in decoder.xml):
valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied

BUT on Ubuntu 20.04 the log entries have an additional ID starting with "@":

Oct 26 00:00:53 valhalla named[43400]: client @0x7f2b78046e40 76.188.251.143#80 (sl): query (cache) 'sl/ANY/IN' denied
Oct 26 00:00:53 valhalla named[43400]: client @0x7f2b78046e40 76.188.251.143#80 (sl): query failed (REFUSED) for sl/IN/ANY at query.c:5425

When testing such a string the output in Phase 2 has no srcip in it and cannot block the attack:

echo "Oct 26 10:32:22 valhalla named[43400]: client @0x7f2b68014d40 173.27.216.50#80 (sl): query (cache) 'sl/ANY/IN' denied" | /var/ossec/bin/ossec-logtest
2020/10/26 15:53:50 ossec-testrule: INFO: Reading local decoder file.
2020/10/26 15:53:50 ossec-testrule: INFO: Reading the lists file: 'rules/lists/list-dev-hosts'
2020/10/26 15:53:50 ossec-testrule: INFO: Reading the lists file: 'rules/lists/list-internal-ip'
2020/10/26 15:53:50 ossec-testrule: INFO: Started (pid: 633656).
ossec-testrule: Type one log per line.



**Phase 1: Completed pre-decoding.
       full event: 'Oct 26 10:32:22 valhala named[43400]: client @0x7f2b68014d40 173.27.216.50#80 (sl): query (cache) 'sl/ANY/IN' denied'
       hostname: 'valhala'
       program_name: 'named'
       log: 'client @0x7f2b68014d40 173.27.216.50#80 (sl): query (cache) 'sl/ANY/IN' denied'

**Phase 2: Completed decoding.
       decoder: 'named'
       url: 'sl/ANY'

**Phase 3: Completed filtering (rules).
       Rule id: '12108'
       Level: '5'
       Description: 'Query cache denied (probably config error).'
       Info - Link: 'http://www.reedmedia.net/misc/dns/errors.html'
**Alert to be generated.

If decoder.xml is changed to:

<decoder name="named-query">
  <parent>named</parent>
  <prematch_pcre2>: query </prematch_pcre2>
  <pcre2>client @\S+ (\S+)#\d+[ ]*?\S*: </pcre2>
  <order>srcip,url</order>
</decoder>

Phase 2 output is correct including srcip:

**Phase 2: Completed decoding.
       decoder: 'named'
       srcip: '173.27.216.50'
       url: 'sl/ANY'
@ddpbsd
Copy link
Member

ddpbsd commented Nov 25, 2020
edited
Loading

It looks good, but it isn't decoding my log message correctly:

Nov 25 13:27:03 tiny named[478]: client @0xb464d6a2d0 127.0.0.1#25298 (www.slashdot.org): query: www.slashdot.org IN A + (127.0.0.1)

I didn't get much sleep last night, but this is confusing me.

EDIT: Ha! It's the : after query.

ddpbsd added a commit to ddpbsd/ossec-hids that referenced this issue Nov 25, 2020
@ddpbsd
named has changed its logging format at some point.
7375fe4 
This decoder correctly decodes the src ip again.
It ignores older logs though, we could probably devise a way to cover
both, but I'm not convinced it is worth it.
from ogmueller in issue ossec#1927
@ddpbsd ddpbsd mentioned this issue Nov 25, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ogmueller @ddpbsd