Cisco IOS ruleset and decoder

[Namdev Pawar]

Hey All,

Can any one provide me a Cisco ISO ruleset and decoder OR can explain how to decode it.

I have upto 200 Routers in my Data Center and want to add in wazuh manager.

I hope you guys help me regard in this.

Thanks in advance.

[Jose Cruz Lopez]

Hello,

Currently, we have decoders and rules for Cisco IOS. You can check them here:
Decoders: https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0065-cisco-ios_decoders.xml
Rules:https://github.com/wazuh/wazuh/blob/master/ruleset/rules/0075-cisco-ios_rules.xml

But if you want to add some custom events, we recommend having an event as a starting point and add fields to the decoder in order to catch all the fields you want to extract (regex 101 is a useful tool for this task). Also, for those new fields, you may want to have rules for them, so add them to the rules file.

You can have more information about this process here: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

I hope this helps you.
If you have any more questions, please do not hesitate to ask us!
Best regards!