Page tree

Contents

To receive threat protection events in the syslog, you must enable the Security option in the DNS logging category of the Grid DNS Properties editor. For information about configuring the logging category, see Setting DNS Logging Categories. Once the Security option is enabled, hardware-based appliances log each threat protection related event in the syslog in CEF (Common Even Format). You can get detailed information about the events by reviewing the syslog periodically. For information about how to configure the syslog server, see Using a Syslog Server.
When a DNS attack is detected against an enabled rule, the appliance generates a log message. Note that only threat protection messages in CEF are displayed in the syslog. The log messages for rate limiting alert events also include the FQDNs extracted from DNS queries whose standard query and question count is greater than zero so you can quickly identify the offending clients. Note that the FQDN field displays “NA” for invalid DNS queries. This feature is enabled by default. You can disable this only in Maintenance Mode using the CLI command set smartnic-debug-adp-log-fqdn off.

Example:

When the appliance detects Potential DDoS related domain: phackt.com existing system rule that has the following configuration:

Log Severity = Critical
Rule ID = 120601943
Rule Name = Potential DDoS related domain
Rule Action = Drop
Rule Category = Potential DDoS related Domains

It generates the following threat detection event log message:

2020-12-21T22:47:37-08:00 daemon ibflex2.com threat-protect-log[12674]: err CEF:0|Infoblox|NIOS Threat|8.5.2-408818|120601943|Potential DDoS related domain: phackt.com|7|src=10.120.20.93 spt=42236 dst=10.35.139.5 dpt=53 act="DROP" cat="Potential DDoS related Domains" nat=0 nfpt=0 nlpt=0 fqdn=phackt.com hit_count=1.

The number of log messages generated is based upon your Event per Second per Rule setting. For example, if the setting is 5, the appliance generates five log messages of the same event per second when the attack continues within the time duration. Each log message contains the following information:

  • The timestamp when the event happened in yyyy-mm-ddThh:mm:ss+00:00 format.
  • Infoblox|NIOS Threat|x.x.x: Indicates the Infoblox product, and x.x.x represents the NIOS version.
  • The string following the NIOS version is a hard-coded constant. In this example, it is NIOS Threat.
  • The number following the rule ID is the log severity. The following numbers indicate the severity levels:
    • 8 = Critical
    • 7 = Major
    • 6 = Warning
    • 4 = Informational
  • dst: Destination IP address.
  • src: Source IP address.
  • spt: Source port.
  • dpt: Destination port.
  • CAT: The category to which the rule belongs. In this example, the category is "Potential DDoS." 

To view DNS threat protection related log messages:

  1. From the Administration tab, select the Logs tab -> Syslog tab.
  2. From the drop-down list at the upper right corner, select the Grid member on which you want to view the syslog.
  3. From the Quick Filter drop-down list, select Threat Rule Update Events or Threat Detection Event Logs to view rule update events or threat detection events respectively. To narrow down the system messages you want to view, click Show Filter and then select the filters you want to use. For information about how to use filters, see Using Filters.


This page has no comments.