To receive threat protection events in the syslog, you must enable the Security option in the DNS logging category of the Grid DNS Properties editor. For information about configuring the logging category, see Setting DNS Logging Categories. Once the Security option is enabled, hardware-based appliances log each threat protection related event in the syslog in CEF (Common Event Format). You can get detailed information about the events by reviewing the syslog periodically. For information about how to configure the syslog server, see Using a Syslog Server.
When a DNS attack is detected against an enabled rule, the appliance generates a log message. Note that threat protection messages are written to the syslog only in CEF. The log messages for rate limiting alert events also include the FQDNs extracted from DNS queries whose standard query and question count is greater than zero, so you can quickly identify the offending clients. Note that the FQDN field displays "NA" for invalid DNS queries. This feature is enabled by default. You can disable it only in Maintenance Mode, using the CLI command set smartnic-debug-adp-log-fqdn off.
When the appliance detects ICMP ping attacks that exceed the ping size and match an existing auto rule that has the following configuration:
Log Severity = Critical
Rule ID = 120600925
Rule Name = Potential DDoS related domain
Rule Action = Drop
Rule Category = Potential DDoS related Domains
It generates the following threat detection event log message:
2018-04-20T09:43:21+00:00 daemon infoblox named: info CEF:0|Infoblox|NIOS|8.3.0-369415|RPZ-QNAME|Local-Data|7|app=DNS dst=10.34.173.11 src=10.120.20.28 spt=52240 view=_default qtype=A msg="rpz QNAME Local-Data rewrite a_rec [A] via a_rec.local.com" IPSD=N/A Acct-Session-Id=8333332d-11111111 Parental-Control-Policy=010000000033 Calling-Station-Id=1101202041 NAS-PORT=1813 Subscriber-Secure-Policy=00000fff Guest=1 LocalID=000C2987FEEE CAT=RPZ
The number of log messages generated is based on your Event per Second per Rule setting. For example, if the setting is 5, the appliance generates five log messages of the same event per second for as long as the attack continues within the configured time duration. Each log message contains the following information:
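As an added example (this is not code from this page or from Infoblox), the Python below parses syslog lines of the shape shown above, splitting the CEF header on unescaped pipes, extracting the key=value extension pairs (including the quoted msg value), and tallying events per rule ID per second so that you can compare what reached your syslog server against the Event per Second per Rule setting. The first sample line is the message shown on this page, joined onto one line; the other sample lines are constructed here to reuse the page's rule ID and name, and their extension keys (act, CAT) and CEF severity value are assumptions rather than real appliance output.

```python
"""Parse Infoblox NIOS CEF syslog lines and tally events per rule per second.

Added example, not Infoblox code. The first sample line is the one shown on
the page (joined onto a single line). The remaining lines are constructed to
have the same shape and reuse the page's rule ID; their extension fields and
CEF severity value are assumptions, not real appliance output.
"""
import re
from collections import defaultdict

# syslog prefix as shown on the page: "<ts> <facility> <host> named: <level> CEF:..."
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<host>\S+)\s+named:\s+\S+\s+(?P<cef>CEF:.*)$"
)
# key=value pairs: a double-quoted value, or anything up to the next " key=" or end of line
EXT_PAIR = re.compile(r'([\w.\-]+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+[\w.\-]+=|\s*$)')

HEADER_KEYS = ("version", "vendor", "product", "dev_version", "rule_id", "name", "severity")


def split_cef_header(cef):
    """Split 'CEF:0|...' on unescaped pipes into 7 header fields plus the extension."""
    fields, cur, i = [], [], 0
    while i < len(cef):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1])  # \| and \\ are the CEF header escapes
            i += 2
            continue
        if ch == "|" and len(fields) < 7:
            fields.append("".join(cur))  # first seven pipes delimit the header
            cur = []
            i += 1
            continue
        cur.append(ch)  # pipes after the seventh belong to the extension
        i += 1
    fields.append("".join(cur))
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF header: %r" % cef[:40])
    fields[0] = fields[0][len("CEF:"):]  # keep only the CEF version number
    return fields


def parse_line(line):
    """Return a dict of header fields, extension pairs and the syslog timestamp."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("unrecognised syslog prefix: %r" % line[:40])
    fields = split_cef_header(m.group("cef"))
    event = dict(zip(HEADER_KEYS, fields[:7]))
    event["ts"], event["host"] = m.group("ts"), m.group("host")
    ext = {}
    for key, val in EXT_PAIR.findall(fields[7]):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')  # unwrap quoted values such as msg=...
        ext[key] = val
    event["ext"] = ext
    return event


def events_per_second(lines):
    """Count events keyed by (rule_id, timestamp truncated to the second)."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        counts[(ev["rule_id"], ev["ts"][:19])] += 1  # drop the UTC offset
    return dict(counts)


def rules_over_eps(lines, eps):
    """Rule IDs that logged more than `eps` events within any single second."""
    return sorted({rule for (rule, _), n in events_per_second(lines).items() if n > eps})


# The message shown on the page, joined onto one line.
PAGE_LINE = (
    "2018-04-20T09:43:21+00:00 daemon infoblox named: info "
    "CEF:0|Infoblox|NIOS|8.3.0-369415|RPZ-QNAME|Local-Data|7|app=DNS dst=10.34.173.11 "
    "src=10.120.20.28 spt=52240 view=_default qtype=A "
    'msg="rpz QNAME Local-Data rewrite a_rec [A] via a_rec.local.com" IPSD=N/A '
    "Acct-Session-Id=8333332d-11111111 Parental-Control-Policy=010000000033 "
    "Calling-Station-Id=1101202041 NAS-PORT=1813 Subscriber-Secure-Policy=00000fff "
    "Guest=1 LocalID=000C2987FEEE CAT=RPZ"
)
# Constructed lines (not real appliance output): six events for one rule in one second.
CONSTRUCTED_LINES = [
    "2018-04-20T09:43:21+00:00 daemon infoblox named: info "
    "CEF:0|Infoblox|NIOS|8.3.0-369415|120600925|Potential DDoS related domain|10|"
    "app=DNS dst=10.34.173.11 src=10.120.20.28 act=Drop CAT=Potential DDoS related Domains"
    for _ in range(6)
]
SAMPLE_LINES = [PAGE_LINE] + CONSTRUCTED_LINES

if __name__ == "__main__":
    for (rule, second), n in sorted(events_per_second(SAMPLE_LINES).items()):
        print(rule, second, n)
    print("rules exceeding EPS=5:", rules_over_eps(SAMPLE_LINES, 5))
```

The per-second tally is keyed on the syslog timestamp, so run it over lines from one appliance at a time; rules that show more events per second than the configured setting indicate that the lines are not what the appliance itself emitted (duplication in the log pipeline, or a setting changed after the events were written).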
To view DNS threat protection related log messages: