Cisco Meraki Decoders & Rules


Utkarsh Bhargava
Apr 21, 2022, 3:06:54 AM
to 'Utkarsh Bhargava' via Wazuh mailing list, Juan Carlos Rodríguez, Jose Miguel Hernandez Garcia, mayte...@wazuh.com, Santiago Bassett
Hello Community,

Can anyone help me with Cisco Meraki decoders & rules?

regards
Utkarsh
Sent from Mailspring

Julia Magán Rodríguez
Apr 21, 2022, 3:31:59 AM
to Wazuh mailing list
Hello,

In order to help you with your use case, I need you to share with me some sample logs you are receiving so I can see their format and create the decoders and rules.
You can also get more information about custom decoders and rules here.

Utkarsh Bhargava
Apr 22, 2022, 2:15:00 AM
to Julia Magán Rodríguez, Wazuh mailing list
Hi Julia,

Thank you so much for your quick response. You can collect the sample logs from this link: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples
Can you share some video lectures that can help me understand how decoders work in Wazuh?

regards
Utkarsh

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

Julia Magán Rodríguez
Apr 22, 2022, 7:59:49 AM
to Wazuh mailing list

Hello,

I saw that there are different types of logs, so I decided to test the following one to show you the decoders and rules process:

Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com

To test the decoders and rules, we are going to use wazuh-logtest. You can see more info about this tool here.

First of all, we are going to test the log without creating decoders:

[root@localhost]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com

**Phase 1: Completed pre-decoding.
    full event: 'Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com'
    timestamp: 'Apr 20 14:36:35'
    hostname: '192.168.10.1'

**Phase 2: Completed decoding.
    No decoder matched.

We can see that the timestamp and hostname fields are extracted correctly. As we expected, no decoder matched, so we are going to create one. I could see that every CISCO Meraki log has 1 948077314.907556162 MX60 in it at the beginning, so we are going to use this for the decoder:

<!-- Parent decoder: matches the "<seq> <epoch.nanoseconds> <model>" prefix every Meraki line carries -->
<decoder name="cisco_meraki">
    <prematch>\d \d+.\d+ \S+</prematch>
</decoder>

Now, we get:

Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com

**Phase 1: Completed pre-decoding.
    full event: 'Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com'
    timestamp: 'Apr 20 14:36:35'
    hostname: '192.168.10.1'

**Phase 2: Completed decoding.
    name: 'cisco_meraki'

The next step is to create child decoders to extract useful info from the logs:

<decoder name="cisco_meraki_child">
    <parent>cisco_meraki</parent>
    <regex>src=(\d+.\d+.\d+.\d+):(\d+)</regex>
    <order>srcip,srcport</order>
</decoder>

<decoder name="cisco_meraki_child">
    <parent>cisco_meraki</parent>
    <regex>mac=(\S+)</regex>
    <order>mac</order>
</decoder>

<decoder name="cisco_meraki_child">
    <parent>cisco_meraki</parent>
    <regex>dst=(\S+)</regex>
    <order>dstip</order>
</decoder>

<decoder name="cisco_meraki_child">
    <parent>cisco_meraki</parent>
    <regex>request: (\S+ \S+)</regex>
    <order>request</order>
</decoder>

I recommend you create separate decoders for each field, so if one is missing, it won’t affect the others. Let’s test the log again:

[root@localhost]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com

**Phase 1: Completed pre-decoding.
    full event: 'Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com'
    timestamp: 'Apr 20 14:36:35'
    hostname: '192.168.10.1'

**Phase 2: Completed decoding.
    name: 'cisco_meraki'
    dstip: '54.241.7.X.X'
    mac: '00:1A:A0:XX:XX:XX'
    request: 'GET http://www.meraki.com'
    srcip: '192.168.10.3'
    srcport: '62526'

Now, srcip, srcport, dstip, mac, and request are extracted. Note that we have used regex and order to extract those fields. You can get more info here.

Finally, we can create some rules to trigger some alerts with this log:

<group name="cisco_meraki">
  <!-- Silent (level 0) grouping rule: only Meraki "urls" events pass through here -->
  <rule id="100002" level="0">
    <decoded_as>cisco_meraki</decoded_as>
    <regex>urls</regex>
    <description>CISCO Meraki - Group of urls events</description>
  </rule>

  <!-- Child of 100002: alerts when the decoded "request" field contains GET -->
  <rule id="100003" level="10">
    <if_sid>100002</if_sid>
    <field name="request">GET</field>
    <description>GET request</description>
  </rule>
</group>

The first rule is silent. I’ve created this rule because I saw that there are different types of logs, so we are grouping urls logs with this rule. Then, I’ve created a rule that triggers an alert when we get a urls log with a GET request. Take a look here to get more info about rules.

We can test it again with wazuh-logtest:

[root@localhost]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.2.6
Type one log per line

Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com

**Phase 1: Completed pre-decoding.
    full event: 'Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com'
    timestamp: 'Apr 20 14:36:35'
    hostname: '192.168.10.1'

**Phase 2: Completed decoding.
    name: 'cisco_meraki'
    dstip: '54.241.7.X.X'
    mac: '00:1A:A0:XX:XX:XX'
    request: 'GET http://www.meraki.com'
    srcip: '192.168.10.3'
    srcport: '62526'

**Phase 3: Completed filtering (rules).
    id: '100003'
    level: '10'
    description: 'GET request'
    groups: '['cisco_meraki']'
    firedtimes: '1'
    mail: 'False'
**Alert to be generated.

The log matches with a rule and triggers an alert, as we can see in Phase 3.

I also simulated the event, to check that the alert was displayed correctly in Kibana (attached image).

[attached image: get_alert]
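A runnable model of the three wazuh-logtest phases walked through above, added here as an example and not code from the thread or from Wazuh itself: it translates the decoder and rule patterns to Python's re module (Wazuh uses its own OS_Regex engine, so this is a simulation of the logic, not the real decoder), and adds a constructed urls line with no mac= field to show that a missing field leaves the other child decoders untouched.

```python
import re

# Constructed sample lines modelled on the Meraki "urls" event quoted in the thread.
SAMPLE_LOGS = [
    "Apr 20 14:36:35 192.168.10.1 1 948077314.907556162 MX60 urls src=192.168.10.3:62526 "
    "dst=54.241.7.X.X mac=00:1A:A0:XX:XX:XX request: GET http://www.meraki.com",
    # constructed: same event type with no mac= field, to show child decoders are independent
    "Apr 20 14:36:40 192.168.10.1 1 948077319.123456789 MX60 urls src=192.168.10.4:51000 "
    "dst=54.241.7.X.X request: POST http://www.example.com",
    # constructed: a non-Meraki syslog line that must not pass the parent prematch
    "Apr 20 14:36:41 gateway sshd[123]: Accepted publickey for alice",
]

# Phase 1 syslog header split, plus the thread's decoder patterns translated from Wazuh OS_Regex to Python re (dots escaped to match literally).
SYSLOG_HEADER = re.compile(r"^(\w{3} +\d+ \d+:\d+:\d+) (\S+) (.*)$")
PREMATCH = re.compile(r"\d \d+\.\d+ \S+")
CHILD_DECODERS = [
    (re.compile(r"src=(\d+\.\d+\.\d+\.\d+):(\d+)"), ("srcip", "srcport")),
    (re.compile(r"mac=(\S+)"), ("mac",)),
    (re.compile(r"dst=(\S+)"), ("dstip",)),
    (re.compile(r"request: (\S+ \S+)"), ("request",)),
]

def predecode(line):
    """Phase 1: pull timestamp and hostname off the syslog header, leaving the body."""
    m = SYSLOG_HEADER.match(line)
    return {"timestamp": m[1], "hostname": m[2], "body": m[3]} if m else {"body": line}

def decode(body):
    """Phase 2: the parent prematch gates the children; each child extracts its own fields."""
    if not PREMATCH.search(body):
        return None  # equivalent of "No decoder matched."
    fields = {"decoder": "cisco_meraki"}
    for pattern, order in CHILD_DECODERS:
        m = pattern.search(body)
        if m:  # a field absent from the log leaves the other decoders unaffected
            fields.update(zip(order, m.groups()))
    return fields

def evaluate_rules(body, fields):
    """Phase 3: 100002 silently groups 'urls' events; 100003 alerts when request contains GET."""
    if fields is None or "urls" not in body:
        return None
    if "GET" in fields.get("request", ""):
        return {"id": "100003", "level": 10, "description": "GET request"}
    return {"id": "100002", "level": 0, "description": "CISCO Meraki - Group of urls events"}

def process(line):
    pre = predecode(line)
    fields = decode(pre["body"])
    return pre, fields, evaluate_rules(pre["body"], fields)
```

Running process() over SAMPLE_LOGS reproduces the thread's result for the first line (rule 100003, level 10), shows the second line decoding without a mac field and stopping at the silent rule, and shows the sshd line rejected at the prematch.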

Utkarsh Bhargava
Apr 25, 2022, 7:22:29 AM
to Julia Magán Rodríguez, Wazuh mailing list
Hi Julia,

Thank you so much, this is really helpful.
I understood how Wazuh decoders work.

If there will be any query in future, I will get back to you.

Once again thank you.

regards
