Cisco IOS Custom Rules


John Carry

Jan 24, 2023, 7:18:04 AM
to Wazuh mailing list
Hello All,
While capturing logs from a Cisco switch 3560 we observed that a few of the logs are not matching any rules and there is a need to create additional rules. Can anyone provide custom rules they have created at their end to generate alerts for the Cisco IOS based switch 3560? If yes, please do the needful.
Some of the logs we observed that have not triggered alerts are as follows:

2023 Jan 24 16:28:47 localhost->192.168.x.x 9362: Jan 24 16:31:54.753: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)
2023 Jan 24 16:28:48 localhost->192.168.x.x 9363: Jan 24 16:32:00.768: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.23.231 port 514 started - reconnection
2023 Jan 24 16:28:52 localhost->192.168.x.x 9364: Jan 24 16:32:04.811: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)
2023 Jan 24 16:29:05 localhost->192.168.x.x 9365: Jan 24 16:32:18.510: %LINK-5-CHANGED: Interface Vlanx, changed state to administratively down
2023 Jan 24 16:29:05 localhost->192.168.x.x 9366: Jan 24 16:32:18.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlanx, changed state to down
2023 Jan 24 16:29:05 localhost->192.168.x.x 9367: Jan 24 16:32:19.466: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlanx, changed state to down
2023 Jan 24 16:29:22 localhost->192.168.x.x 9368: Jan 24 16:32:35.262: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)
2023 Jan 24 16:29:33 localhost->192.168.x.x 9369: Jan 24 16:32:46.318: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)
2023 Jan 24 16:31:50 localhost->192.168.x.x 9370: Jan 24 16:35:03.405: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan88, changed state to down
2023 Jan 24 16:32:06 localhost->192.168.x.x 9371: Jan 24 16:35:19.435: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)
2023 Jan 24 16:33:15 localhost->192.168.x.x 9372: Jan 24 16:36:28.046: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)
2023 Jan 24 16:33:38 localhost->192.168.x.x 9373: Jan 24 16:36:51.081: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)
2023 Jan 24 16:34:24 localhost->192.168.x.x 9374: Jan 24 16:37:37.285: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlanxx, changed state to down
2023 Jan 24 16:34:42 localhost->192.168.x.x 9375: Jan 24 16:37:54.641: %SYS-5-CONFIG_I: Configured from console by ABC on vty0 (192.168.x.x)

Tomas Benitez Vescio

Jan 24, 2023, 7:45:55 AM
to Wazuh mailing list
Hi,
Thanks for using Wazuh!

You may find it useful to check out the decoders and rules for Cisco IOS already included in Wazuh:

In case you need to create new rules, you can learn how to do so by following this documentation and blog, but basically you would need to create a new decoder if the ones included are not useful for your case, and then create a new rule that matches your criteria in order to generate an alert for that event. Remember you can test your new decoders and rules by using the tool wazuh-logtest.

Regards.
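As an added example (not from this thread and not Wazuh's shipped Cisco IOS ruleset), a custom decoder and rule set for the messages pasted above. The decoder and rule names, the field names, the alert levels and the IDs (taken from the 100000-120000 range Wazuh reserves for custom rules) are my choices; the `2023 Jan 24 ... localhost->192.168.x.x` prefix on the pasted lines is the manager's archive header, so the decoder keys on the `%FACILITY-SEVERITY-MNEMONIC:` tag rather than the start of the line.

```xml
<!-- /var/ossec/etc/decoders/local_decoders.xml -->
<decoder name="cisco-ios-custom">
  <!-- every IOS message carries %FACILITY-SEVERITY-MNEMONIC:; match it wherever
       it sits, since a sequence number and timestamp precede it -->
  <prematch>%\w+-\d-\w+: </prematch>
</decoder>

<!-- more specific child first: sibling decoders are tried in order, first match wins -->
<decoder name="cisco-ios-custom-config">
  <parent>cisco-ios-custom</parent>
  <regex>%(\w+)-(\d)-(\w+): Configured from \w+ by (\S+) on (\S+) \((\S+)\)$</regex>
  <order>cisco_facility, cisco_severity, cisco_mnemonic, srcuser, cisco_line, srcip</order>
</decoder>

<decoder name="cisco-ios-custom-fields">
  <parent>cisco-ios-custom</parent>
  <regex>%(\w+)-(\d)-(\w+): (\.+)$</regex>
  <order>cisco_facility, cisco_severity, cisco_mnemonic, cisco_message</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="local,cisco_ios,">
  <rule id="100100" level="0">
    <decoded_as>cisco-ios-custom</decoded_as>
    <description>Cisco IOS message grouped.</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <field name="cisco_mnemonic">^CONFIG_I$</field>
    <description>Cisco IOS: configuration changed by $(srcuser) from $(srcip).</description>
    <group>config_changed,</group>
  </rule>
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <field name="cisco_mnemonic">^UPDOWN$|^CHANGED$</field>
    <description>Cisco IOS: interface or line protocol changed state.</description>
  </rule>
  <!-- six state changes within two minutes: likely flapping, or someone bouncing ports -->
  <rule id="100103" level="8" frequency="6" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <description>Cisco IOS: repeated interface state changes (possible flapping).</description>
  </rule>
  <rule id="100104" level="5">
    <if_sid>100100</if_sid>
    <field name="cisco_mnemonic">^LOGGINGHOST_STARTSTOP$</field>
    <description>Cisco IOS: syslog forwarding to a logging host started or stopped.</description>
  </rule>
</group>
```

After `systemctl restart wazuh-manager`, paste one of the messages from its `9362:` sequence number onward (without the `localhost->192.168.x.x` header) into `/var/ossec/bin/wazuh-logtest` to confirm the decoded fields and which rule fires.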
