###
### BIND/NAMED
###
###	$Id: named.txt,v 1.1 2002/04/14 05:49:32 emf Exp $

# Noise suppression.  Both patterns are unanchored (no ^ / no pid group), so
# they match anywhere in the line; "ignore" ends processing for that line, so
# nothing below ever sees it.  Note the unescaped "." in "MX." matches any
# single character, not only a literal dot.
'named.*IN MX. points to a CNAME' - - - 0 ignore
'named.*starting' - - - 0 ignore

# Startup notice.  After the 16-character syslog timestamp, $2 is the host
# field (everything up to " named[") and $3 the pid.  The host is passed as
# both the -h target and part of the message text; -s 1 is the lowest severity
# value used anywhere in this file.  No CONTINUE: the line stops here.
'^.{16}(.*) named\[([0-9]+)\]: Ready to answer queries' - - - 0
        exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 1 -m \"Nameserver started on $2\""

# keep track of named messages in a context so we have fodder for later reports.
# CONTINUE lets the more specific rules below still process the same line.
# The context is keyed per host and pid; the brackets are doubly escaped so
# that "[pid]" is matched literally in the context regex rather than as a
# bracket expression.  "- 1000 180 60" = no exclude regex, then line limit /
# absolute timeout / relative timeout in logsurfer's open syntax; the "ignore"
# on the following line reads as the context's default action, i.e. the
# collected lines are silently dropped unless a later rule (zone rejection /
# missing zonefile below) reports this context first.
'^.{16}(.*) named\[([0-9]+)\]:' - - - 0 CONTINUE
        open "$2 named\\[$3\\]" - 1000 180 60
        ignore

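# We want to alarm on DNS information gathering attempts.
# Both rules MUST carry the same regex so that the second one sees exactly the
# lines the first one alerted on.  Groups: $2 host, $3 pid, $4 what was denied,
# $5 peer address, $6 the name asked for.
#
# The peer group is "[^]]*" instead of ".*": with a greedy ".*" a later ']'
# anywhere in the line (the queried name, $6, is chosen by the remote client)
# would stretch $5 past the real address, and $5 is used below as a context
# regex and inside a command line.  $6 is likewise client-chosen; it is only
# placed in the quoted -m argument of the exec action, but keep in mind that
# a quote or whitespace surviving BIND's own escaping could still break the
# argument splitting of that command -- treat both fields as untrusted.
'^.{16}(.*) named\[([0-9]+)\]: denied (.*) from \[([^]]*)\].*for \"(.*)\".*' - - - 0 CONTINUE
        exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 4 -m \"Attempted DNS attack ($4) of $6 by $5\""
# Same match, no CONTINUE: collect everything further from this peer in a
# per-address context (5000 lines, 600 s absolute / 180 s relative timeout).
# The report on the next line reads as the context's default action: when the
# context closes, its contents are fed to surfmailer.  Note that "$5" is used
# verbatim as a regex, so the dots of an IPv4 address match any character.
'^.{16}(.*) named\[([0-9]+)\]: denied (.*) from \[([^]]*)\].*for \"(.*)\".*' - - - 0
        open "$5" - 5000 600 180
        report "/usr/local/bin/surfmailer -r logsurfer -S \"security incident from $5\"" "$5"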

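# source port zero messages are suspicious.
# Groups: $2 host, $3 pid, $4 peer address.  The address group stops at the
# first ']' and the trailing ".0" (the zero port) is matched literally; the
# original ".*" plus an unescaped "." would let anything up to the LAST ']'
# in the line land in $4, which is then used as a context regex and placed
# in the surfmailer subject.  Context: 5000 lines, 600 s absolute / 180 s
# relative timeout, reported by mail (default action) when it closes.
'^.{16}(.*) named\[([0-9]+)\]: dropping source port zero packet from \[([^]]*)\]\.0' - - - 0
        open "$4" - 5000 600 180
        report "/usr/local/bin/surfmailer -r logsurfer -S \"security incident from $4\"" "$4"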

# We just rejected a zone file for some reason.
# Two deliberately different regexes: the first has no pid group ("named.*:"),
# so $2 host, $3 zone, $4 serial; the second requires "named[pid]", so
# $2 host, $3 pid, $4 zone, $5 serial.  The group numbers in each action
# follow that.  Because the first pattern is broader, a rejection logged
# without "[pid]" is alerted but never mailed (it falls through to the
# catch-all at the end of the file).
'^.{16}(.*) named.*: master zone \"(.*)\".*rejected due to errors \(serial (.*)\)' - - - 0 CONTINUE
        exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 5 -m \"DNS zone $3 serial $4 broken on $2\""
# Mail the per-host/pid named context opened earlier in this file, so the
# recipient gets the surrounding named messages, not just this one line.
'^.{16}(.*) named\[([0-9]+)\]: master zone \"(.*)\".*rejected due to errors \(serial (.*)\)' - - - 0
        report "/usr/local/bin/surfmailer -r logsurfer -S \"DNS zone $4 serial $5 broken on $2\"" "$2 named\\[$3\\]"

# We couldn't open a zonefile.
# Same two-rule layout as the zone-rejection case above: the first regex has
# no pid group ($2 host, $3 path), the second does ($2 host, $3 pid, $4 path).
# A missing zonefile on a production server is treated as severity 5 (the
# highest value used in this file) because it may mean the file was removed.
'^.{16}(.*) named.*: db_load could not open: (.*): No such file or directory' - - - 0 CONTINUE
        exec "/usr/local/bin/surf_GenericMsg -k logsurfer -h $2 -s 5 -m \"DNS zonefile $3 deleted or missing on $2\""
# Mail the per-host/pid named context (opened earlier in this file) as the
# body, so the surrounding named messages travel with the alert.
'^.{16}(.*) named\[([0-9]+)\]: db_load could not open: (.*): No such file or directory' - - - 0
        report "/usr/local/bin/surfmailer -r logsurfer -S \"DNS zonefile $4 deleted or missing on $2\"" "$2 named\\[$3\\]"

# Don't fall through..
# Catch-all: any "named[pid]" line not handled above is dropped here so it
# cannot reach rules later in the file.  NOTE(review): this also silences
# every other named diagnostic -- anything else worth alerting on (e.g.
# refused or transfer-related notices) needs its own rule ABOVE this line,
# or it will never be seen.  The line still lands in the per-host/pid
# context opened earlier, but that context is discarded unless reported.
'named\[[0-9]+\]' - - - 0 ignore

