bind9-refused Scenario

« bind9-refused »
v0.2 by mstilkerich
Attack scenarioremediation:trueservice:domainspoofable:0MITRE:T1590confidence:3

Act on queries / zone transfers denied by bind9 policy

Installation

cscli scenarios install mstilkerich/bind9-refused

Description

Detect AXFR requests and DNS queries rejected by bind9 security policy:

leakspeed of 10s, capacity of 5 on source ip

YAML Configuration

1type: leaky
2name: mstilkerich/bind9-refused
3description: "Act on queries / zone transfers denied by bind9 policy"
4debug: false
5filter: "evt.Meta.log_type == 'bind9_denied'"
6groupby: evt.Meta.source_ip
7capacity: 5
8leakspeed: 10s
9blackhole: 1m
10labels:
11  service: domain
12  classification:
13    - attack.T1590.002
14  spoofable: 0
15  confidence: 3
16  behavior: "generic:scan"
17  label: "Domain transfer attempt"
18  remediation: true
19

Hub configuration

« bind9-refused »v0.2 by mstilkerichAttack scenarioremediation:trueservice:domainspoofable:0MITRE:T1590confidence:3

« bind9-refused »
v0.2 by mstilkerich
Attack scenarioremediation:trueservice:domainspoofable:0MITRE:T1590confidence:3