[Solved][Help] OSSEC Log DNS analyzing

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

I am getting a lot of DNS errors in my OSSEC log (using the WebUI), and I thought that maybe someone knows more exactly what it means =)

Does it mean that my DNS was not able to resolve the query and it's sending it to the next DNS or what? Because if it means that, then it's positive, because that is the way I meant for it to work.
2008 May 19 11:44:49 Rule Id: 12105 level: 4
Location: Teresa->/var/log/syslog
Unexpected error while resolving domain.
May 19 11:44:49 Teresa named[4083]: unexpected RCODE (SERVFAIL) resolving 'mscom.na-test.llnwd.net/A/IN': 69.28.143.16#53
2008 May 19 11:36:19 Rule Id: 12105 level: 4
Location: Teresa->/var/log/syslog
Unexpected error while resolving domain.
May 19 11:36:18 Teresa named[4083]: unexpected RCODE (SERVFAIL) resolving 'mscom.na-test.llnwd.net/A/IN': 69.28.143.16#53
Last edited by ayu on 24 May 2008, 06:27, edited 1 time in total.
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

don't worry, that's caused by a bad config on the remote server....most likely the domain is set up as a zone in their DNS config (that's why it resolves the hostname) but there is no zone file for that domain on which the DNS config is depending (that's why the final resolution fails).... :wink:

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

ah ok, glad to hear that it wasn't mine =)
"The best place to hide a tree, is in a forest"

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

yet another weird log from snort that I can't understand xD

2008 May 22 20:18:27  Rule Id: 20100  level: 8
Location: Teresa->/var/log/snort/alert
Src IP: 192.168.0.9
First time this IDS alert is generated.
[**] [122:3:0] (portscan) TCP Portsweep [**][Classification: Preprocessor] [Priority: 3] 192.168.0.9 -> 89.87.3.25
All of a sudden I got a bunch of these....the thing that is confusing me is that it's coming from the WAN side of my server (192.168.0.9) =/

I mean...portscan from there? =/ (seems to happen after I installed either VMware or warcraft3)
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

hm, kinda weird and most likely a false positive, a scan from a private to a public IP wouldn't even work because the replies wouldn't be routed on the internet.... :-k
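As an added example (not code from this thread, and not OSSEC's or Snort's own logic), here is a small Python triage helper for the alert text quoted above: it splits the OSSEC WebUI alert blocks into structured records, pulls the upstream server out of the named SERVFAIL line, pulls the Snort alert fields out of the raw alert line, and applies the check bad_brain describes, whether the source address is private while the destination is public. The sample text is copied from the alerts posted earlier in this thread; the verdict strings in `triage` are assumed heuristics for this example only.

```python
import ipaddress
import re

# Sample alert text as shown by the OSSEC WebUI, copied from the alerts quoted in this thread
SAMPLE_ALERTS = """\
2008 May 19 11:44:49 Rule Id: 12105 level: 4
Location: Teresa->/var/log/syslog
Unexpected error while resolving domain.
May 19 11:44:49 Teresa named[4083]: unexpected RCODE (SERVFAIL) resolving 'mscom.na-test.llnwd.net/A/IN': 69.28.143.16#53
2008 May 22 20:18:27  Rule Id: 20100  level: 8
Location: Teresa->/var/log/snort/alert
Src IP: 192.168.0.9
First time this IDS alert is generated.
[**] [122:3:0] (portscan) TCP Portsweep [**][Classification: Preprocessor] [Priority: 3] 192.168.0.9 -> 89.87.3.25
"""

# OSSEC WebUI header line: "2008 May 19 11:44:49 Rule Id: 12105 level: 4"
HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+Rule Id: (\d+)\s+level: (\d+)\s*$")
# BIND log: unexpected RCODE (SERVFAIL) resolving 'name/type/class': server#port
NAMED_RE = re.compile(r"unexpected RCODE \((\w+)\) resolving '([^']+)': ([\d.]+)#(\d+)")
# Snort alert line: [**] [gid:sid:rev] msg [**][Classification: ...] [Priority: n] src[:port] -> dst[:port]
SNORT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?:\s*\[Classification: (?P<cls>[^\]]*)\])?"
    r"(?:\s*\[Priority: (?P<prio>\d+)\])?"
    r"\s*(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def parse_ossec_alerts(text):
    """Split WebUI alert text into dicts: time, rule_id, level, agent, location, lines."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"time": m.group(1), "rule_id": int(m.group(2)), "level": int(m.group(3)),
                   "agent": None, "location": None, "lines": []}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first header is ignored
        elif line.startswith("Location: "):
            # "Teresa->/var/log/syslog" is agent name, then the monitored file
            agent, _, path = line[len("Location: "):].partition("->")
            cur["agent"], cur["location"] = agent, path
        else:
            cur["lines"].append(line)
    return alerts


def parse_named_error(line):
    """Extract RCODE, queried name and upstream server from a BIND resolution error, or None."""
    m = NAMED_RE.search(line)
    if not m:
        return None
    return {"rcode": m.group(1), "query": m.group(2), "server": m.group(3), "port": int(m.group(4))}


def parse_snort_alert(line):
    """Extract the fields of a Snort alert line, or None if the line is not one."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def is_private(ip):
    """True for RFC 1918 / loopback / link-local addresses (ipaddress module semantics)."""
    return ipaddress.ip_address(ip).is_private


def triage(alert):
    """Assumed triage heuristics for the two alert kinds seen in this thread."""
    for line in alert["lines"]:
        snort = parse_snort_alert(line)
        if snort:
            if is_private(snort["src"]) and not is_private(snort["dst"]):
                # The case discussed above: a private source "scanning" a public address is
                # usually NATed client traffic (games, VMs) tripping the portscan preprocessor.
                return "snort: private src -> public dst; inspect host %s before trusting the alert" % snort["src"]
            return "snort: %s" % snort["msg"]
        named = parse_named_error(line)
        if named and alert["rule_id"] == 12105:
            return "named: %s from upstream %s; informational, not a local misconfiguration" % (
                named["rcode"], named["server"])
    return "unclassified"


if __name__ == "__main__":
    for a in parse_ossec_alerts(SAMPLE_ALERTS):
        print(a["time"], a["rule_id"], a["level"], a["location"], "->", triage(a))
```

Feed it the text copied out of the WebUI (or `/var/ossec/logs/alerts/alerts.log`, whose blocks use the same header line) and it tells you which alerts are upstream DNS noise and which Snort hits came from an internal host and deserve a look at that machine.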

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

*digs deep into the rules files again*
"The best place to hide a tree, is in a forest"

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

How about if you prevent it from logging errors?! You can do so by adding a level of 0 in local_rules.xml with a to prevent logging as alerts.
We will either find a way, or make one.
- Hannibal
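As an added example (not from this thread and not from OSSEC's shipped rule files), this is what Lyecdevf's suggestion looks like in local_rules.xml: a local rule that inherits from rule 12105 through if_sid and sets the level to 0, so matching events no longer produce an alert. The rule id 100001 is a constructed placeholder inside the range OSSEC reserves for local rules (100000 and up), and the match string narrows the override to the SERVFAIL text quoted earlier, so any other resolution errors that 12105 catches still alert.

```xml
<group name="local,syslog,">
  <!-- Added example: silence only the upstream-SERVFAIL variant of rule 12105
       (rule id 100001 is a placeholder; match is a plain substring test) -->
  <rule id="100001" level="0">
    <if_sid>12105</if_sid>
    <match>unexpected RCODE (SERVFAIL) resolving</match>
    <description>Upstream SERVFAIL while resolving; remote-side problem, no alert.</description>
  </rule>
</group>
```

Before restarting OSSEC to load the rule, paste one of the named lines into /var/ossec/bin/ossec-logtest and confirm it now reports rule 100001 at level 0 instead of 12105 at level 4. Level 0 only stops the alert; named still writes the line to syslog, so the events remain available if you ever need to look at how often a given upstream fails.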

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Ok, this one is just for fun xD

[**] [1:100000273:3] COMMUNITY BOT GTBot info command [**][Classification: A Network Trojan was detected] [Priority: 1] 192.168.0.9:53218 -> 62.75.148.170:6667
Look out b_b! The killer server is attacking you with trojans! O_O
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

ummm....wait, I think the log entry is because YOU are the community bot... 8O
hats off to your programmer, good AI.... 8O


:lol:

Post Reply