Hi,
Creating custom decoders for specific log formats like your Mikrotik firewall alert can be a bit challenging, but Wazuh provides extensive documentation and examples to help you get started.
A decoder in Wazuh is used to parse the incoming log data and extract key information. The rule then analyzes the data extracted by the decoder and generates alerts based on certain conditions.
Here's an example of a custom decoder that might work for your log:
```xml
<!-- Sample line this decoder targets:
     prerouting in:ether9_Gateway_gate out:(unknown 0), src-mac 64:d1:54:93:43:de, proto TCP (RST), 185.150.189.173:10565->137.191.178.208:80, len 40 -->
<decoder name="mikrotik-prerouting">
  <prematch>^prerouting in:</prematch>
  <!-- Wazuh regex syntax: \S+ = non-space run, \.+ = any characters, \d+ = digits, \( \) = literal parentheses,
       "." = a literal dot. address:port pairs are split so srcip/dstip hold plain IPs. -->
  <regex>in:(\S+) out:(\.+), src-mac (\S+), proto (\S+) \((\S+)\), (\d+.\d+.\d+.\d+):(\d+)->(\d+.\d+.\d+.\d+):(\d+), len (\d+)</regex>
  <order>srcinterface, dstinterface, srcmac, protocol, flag, srcip, srcport, dstip, dstport, length</order>
</decoder>
```
This decoder is designed to match logs that start with "prerouting in:" and extract the source interface, destination interface, source MAC address, protocol, flag, source IP, destination IP, and length.
The `<prematch>` tag is used to identify logs that this decoder should be applied to.
The `<regex>` tag contains a regular expression that matches the structure of your log and captures the relevant fields.
The `<order>` tag specifies the order of the fields captured by the regex.
Please replace the decoder name and regex with values that match your specific log format. Once you've created your custom decoder, you can test it using the `ossec-logtest` tool to ensure it's working as expected.
For more information on creating custom decoders and rules, you can refer to the following resources:
- Creating decoders and rules from scratch: https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
- Custom rules and decoders: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
- Decoders syntax: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
- Rules syntax: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

I hope this helps!
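As an added example (not part of the reply above and not code shipped by the Wazuh project), here is the decoder paired with rules that actually use the decoded fields, which is what turns a parsed line into an alert. It assumes the standard local decoder and rule file locations, that rule IDs 100100-100102 are unused on your manager, and that ports 80 and 443 are the web ports you care about; all of those are assumptions you should adjust.

```xml
<!-- File: /var/ossec/etc/decoders/local_decoder.xml (added example; paths and IDs are assumptions) -->
<decoder name="mikrotik-prerouting">
  <prematch>^prerouting in:</prematch>
  <!-- address:port is split so that srcip/dstip are plain IPs, which <srcip>/<dstip> rule
       conditions, same_srcip correlation and GeoIP enrichment all expect.
       In Wazuh regex "\." means any character and "." is a literal dot. -->
  <regex>in:(\S+) out:(\.+), src-mac (\S+), proto (\S+) \((\S+)\), (\d+.\d+.\d+.\d+):(\d+)->(\d+.\d+.\d+.\d+):(\d+), len (\d+)</regex>
  <order>srcinterface, dstinterface, srcmac, protocol, flag, srcip, srcport, dstip, dstport, length</order>
</decoder>

<!-- File: /var/ossec/etc/rules/local_rules.xml -->
<group name="mikrotik,firewall,">

  <!-- Base rule: every line the decoder parses becomes a level-3 event.
       $(field) expands dynamic fields from the decoder into the description. -->
  <rule id="100100" level="3">
    <decoded_as>mikrotik-prerouting</decoded_as>
    <description>MikroTik firewall: $(protocol) $(srcip):$(srcport) -> $(dstip):$(dstport) in on $(srcinterface)</description>
  </rule>

  <!-- Child rule: TCP RST packets aimed at a web port. ^...$ anchors the whole field
       so "RST" does not also match a flag value that merely contains it. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="protocol">^TCP$</field>
    <field name="flag">^RST$</field>
    <field name="dstport">^80$|^443$</field>
    <description>MikroTik firewall: TCP RST to web port $(dstport) from $(srcip)</description>
  </rule>

  <!-- Correlation rule: 20 or more of the above from one source IP within 60 seconds.
       same_srcip works because srcip now holds a bare address rather than address:port. -->
  <rule id="100102" level="8" frequency="20" timeframe="60">
    <if_matched_sid>100101</if_matched_sid>
    <same_srcip />
    <description>MikroTik firewall: 20+ TCP RST packets to web ports from $(srcip) within 60 seconds</description>
  </rule>

</group>
```

To check the pair, run `/var/ossec/bin/wazuh-logtest` on a Wazuh 4.x manager (the tool is `ossec-logtest` on older releases), paste the raw `prerouting in:...` line, and confirm that phase 2 shows `srcip` and `dstip` as plain addresses with `srcport`/`dstport` separated, and that phase 3 reports rule 100101 for the sample line (it carries `TCP`, `RST` and destination port `80`). Restart the manager after editing the files so the new decoder and rules are loaded.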