January 1, 2026

Logging Ubiquiti EdgeRouter firewall events to Wazuh

Problem

Wazuh has no decoder or rules specific to EdgeRouter (EdgeOS) firewall log lines, so getting them decoded, enriched with source/destination fields and alerted on takes a custom decoder and a custom rule set.


Solution

In /var/ossec/etc/rules/edgerouter-fw_rules.xml (note that Wazuh documents 100000–120000 as the ID range reserved for custom rules; the 9001xx–9007xx IDs below sit outside it and could collide with a future official rule, so consider renumbering):

<group name="local,edgerouter,">

<!-- Base per-protocol rules. One of these fires for every EdgeRouter log line the
     matching decoder parses; the more specific TCP/UDP/ICMP/WAN_LOCAL rules further
     down are children of these three.
     NOTE(review): at level 3 every logged packet becomes an alert on a manager that
     keeps the default log_alert_level of 3. If the volume is a problem, lower these to
     level 1 (child rules keep their own levels) or add <options>no_full_log</options>. -->
<rule id="900100" level="3">
    <decoded_as>edgerouter-fw-tcp</decoded_as>
    <description>EdgeRouter TCP packet: $(srcip):$(srcport) → $(dstip):$(dstport) via $(in_iface)</description>
    <group>edgerouter,tcp,firewall,</group>
</rule>

<!-- payload_len is the second LEN= value netfilter prints for UDP (datagram length). -->
<rule id="900110" level="3">
    <decoded_as>edgerouter-fw-udp</decoded_as>
    <description>EdgeRouter UDP packet: $(srcip):$(srcport) → $(dstip):$(dstport) via $(in_iface), payload $(payload_len) bytes</description>
    <group>edgerouter,udp,firewall,</group>
</rule>

<!-- icmp_type / icmp_code come from the TYPE= and CODE= fields of the log line. -->
<rule id="900120" level="3">
    <decoded_as>edgerouter-fw-icmp</decoded_as>
    <description>EdgeRouter ICMP packet: $(srcip) → $(dstip), type $(icmp_type) code $(icmp_code)</description>
    <group>edgerouter,icmp,firewall,</group>
</rule>

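<!-- TCP SYN (connection attempts). The check is on the decoded "flags" field, anchored,
     rather than <match>SYN</match>: a substring match over the whole line would also hit
     "ACK SYN" (SYN-ACK replies) and any other occurrence of the letters SYN.
     This rule fires for any chain (accepts as well as drops), so the description only
     reports the chain instead of claiming the packet was blocked. -->
<rule id="900200" level="5">
    <if_sid>900100</if_sid>
    <field name="flags">^SYN$</field>
    <description>TCP SYN from $(srcip):$(srcport) to $(dstip):$(dstport) (chain $(chain))</description>
    <group>edgerouter,tcp,syn,</group>
</rule>

<!-- 10 SYNs from one source inside 60 s. There is no destination-port condition, so this
     also fires on one host being retried, not only on a port sweep; the description no
     longer claims "multiple ports". frequency/timeframe are rule attributes, not event
     fields, so the numbers are written out instead of $(frequency).
     NOTE(review): if_matched_sid appears to count only events whose final rule was 900200;
     a SYN that a child rule (e.g. 900700) claims would not be counted here. Confirm with
     wazuh-logtest if blocked scans seem to go unnoticed. -->
<rule id="900210" level="10" frequency="10" timeframe="60">
    <if_matched_sid>900200</if_matched_sid>
    <same_source_ip />
    <description>Possible TCP SYN scan: $(srcip) sent 10 or more SYN packets within 60s</description>
    <group>edgerouter,tcp,scan,</group>
</rule>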

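<!-- Unconditional child of 900110: re-tags every decoded UDP packet at level 4 so the
     flood rule below has a dedicated parent. -->
<rule id="900300" level="4">
    <if_sid>900110</if_sid>
    <description>UDP traffic: $(srcip):$(srcport) → $(dstip):$(dstport)</description>
    <group>edgerouter,udp,event,</group>
</rule>

<!-- 20 UDP packets from one source inside 30 s. frequency/timeframe are rule attributes,
     not event fields, so the numbers are written out instead of $(frequency)/$(timeframe).
     NOTE(review): which packets are logged depends on the EdgeOS rules with logging
     enabled; if an accept rule logs, a legitimate DNS or VoIP burst will trip this. -->
<rule id="900310" level="10" frequency="20" timeframe="30">
    <if_matched_sid>900300</if_matched_sid>
    <same_source_ip />
    <description>Possible UDP flood: $(srcip) sent 20 or more UDP packets within 30s</description>
    <group>edgerouter,udp,flood,</group>
</rule>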

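<!-- ICMP echo request. Tested on the decoded icmp_type field, anchored, instead of
     <match>TYPE=8</match>: a substring match also accepts TYPE=80..89 (unassigned but
     trivially craftable) and any "TYPE=8" elsewhere in the line. -->
<rule id="900400" level="4">
    <if_sid>900120</if_sid>
    <field name="icmp_type">^8$</field>
    <description>ICMP Echo Request (ping) from $(srcip) to $(dstip), seq $(icmp_seq)</description>
    <group>edgerouter,icmp,echo,</group>
</rule>

<!-- 20 echo requests from one source inside 30 s. frequency/timeframe are rule attributes,
     not event fields, so the numbers are written out instead of $(frequency)/$(timeframe). -->
<rule id="900410" level="10" frequency="20" timeframe="30">
    <if_matched_sid>900400</if_matched_sid>
    <same_source_ip />
    <description>Possible ICMP flood: $(srcip) sent 20 or more echo requests within 30s</description>
    <group>edgerouter,icmp,flood,</group>
</rule>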

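<!-- WAN_LOCAL (traffic addressed to the router itself). The prefix EdgeOS puts in front
     of the netfilter line, e.g. [WAN_LOCAL-default-D], is decoded into the "chain" field,
     so these rules test that field instead of a bare <match> over the whole line, and they
     are attached to the protocol rules (900100/900110/900120) instead of sitting at the top
     level. A top-level level-5 rule is tried before the level-3 protocol rules and, with
     first-match semantics, claims every blocked line before 900200 and 900700 ever see it.
     NOTE(review): confirm that evaluation order against your Wazuh version with wazuh-logtest. -->
<rule id="900500" level="3">
    <if_sid>900100,900110,900120</if_sid>
    <field name="chain">^WAN_LOCAL-</field>
    <description>EdgeRouter WAN_LOCAL rule matched: $(srcip) → $(dstip) on $(proto)</description>
    <group>edgerouter,wan_local,</group>
</rule>

<!-- Drops by the WAN_LOCAL default action. Widen the pattern to ^WAN_LOCAL-\S+-D$ to
     include drops by numbered rules. $(proto) is only filled in when the decoder exports
     a field named proto. -->
<rule id="900600" level="5">
    <if_sid>900100,900110,900120</if_sid>
    <field name="chain">^WAN_LOCAL-default-D$</field>
    <description>Inbound traffic blocked by WAN_LOCAL: $(srcip):$(srcport) → $(dstip):$(dstport) proto $(proto)</description>
    <group>edgerouter,blocked,wan_local,</group>
</rule>

<!-- Blocked TCP SYN. 900200 (SYN) and 900600 (blocked) are equal-level siblings under
     900100 and either may win for a dropped SYN, so this rule hangs off both and repeats
     both conditions; the result no longer depends on sibling order. -->
<rule id="900700" level="8">
    <if_sid>900200,900600</if_sid>
    <field name="flags">^SYN$</field>
    <field name="chain">^WAN_LOCAL-default-D$</field>
    <description>Blocked TCP SYN: $(srcip):$(srcport) → $(dstip):$(dstport) flags $(flags)</description>
    <group>edgerouter,tcp,blocked,scan,</group>
</rule>

<!-- 15 alerts tagged "blocked" from one source inside 60 s. frequency/timeframe are rule
     attributes, not event fields, so the numbers are written into the description.
     NOTE(review): this rule is itself tagged "blocked", so its own alerts appear to join
     the pool it counts; drop that tag if it re-fires more often than expected. -->
<rule id="900710" level="8" frequency="15" timeframe="60">
    <if_matched_group>blocked</if_matched_group>
    <same_source_ip />
    <description>Repeated blocked traffic from $(srcip): 15 or more blocked events within 60s</description>
    <group>edgerouter,blocked,scan,</group>
</rule>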

</group>


In /var/ossec/etc/decoders/edgerouter-fw.xml. Keep each <regex> pattern on a single line: a line break inside the element is treated as part of the pattern and the decoder silently stops matching. After editing, feed a sample log line through /var/ossec/bin/wazuh-logtest to confirm the expected decoder claims the line and the fields come out populated, then restart wazuh-manager:

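<!-- EdgeOS/netfilter TCP line, e.g.
     [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54321 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
     Points to note in the pattern:
       * MAC= may be empty (a WAN on PPPoE has no link-layer header), hence [0-9A-Fa-f:]* not +.
       * CE, DF and/or MF may appear between ID= and PROTO=.
       * The flag list between RES= and URGP= is zero or more space-separated tokens: "",
         "SYN", "ACK SYN", "ACK PSH", "URG PSH FIN"... Capturing one \S+ token there fails on
         every SYN-ACK, ACK/PSH and NULL packet, i.e. exactly the scan traffic one wants to see.
         Rules should test the decoded "flags" field (e.g. ^SYN$), not a substring of the line.
       * PROTO= is captured as "proto" so $(proto) can be used in rule descriptions.
     Every capture group always participates (possibly as an empty string) so the <order>
     list never shifts.
     NOTE(review): Wazuh ships an iptables child decoder under "kernel" that also recognises
     IN=/OUT= lines; if it claims the line first this decoder is never tried. Check which
     decoder wins with wazuh-logtest. -->
<decoder name="edgerouter-fw-tcp">
    <parent>kernel</parent>
    <prematch type="pcre2">PROTO=TCP\s</prematch>
    <regex type="pcre2">\[([^\]]+)\]IN=(\S*)\s+OUT=(\S*)\s+MAC=([0-9A-Fa-f:]*)\s+SRC=([0-9.]+)\s+DST=([0-9.]+)\s+LEN=(\d+)\s+TOS=(\S+)\s+PREC=(\S+)\s+TTL=(\d+)\s+ID=(\d+)(?:\s+(?:CE|DF|MF))*\s+PROTO=(TCP)\s+SPT=(\d+)\s+DPT=(\d+)\s+WINDOW=(\d+)\s+RES=(\S+)\s+([A-Z\s]*?)\s*URGP=(\d+)</regex>
    <order>chain,in_iface,out_iface,mac,srcip,dstip,len,tos,prec,ttl,id,proto,srcport,dstport,window,res,flags,urgp</order>
</decoder>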


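<!-- EdgeOS/netfilter UDP line. Same prefix handling as the TCP decoder: MAC= may be empty
     and CE/DF/MF may precede PROTO= (the previous pattern accepted DF for TCP and ICMP but
     not for UDP, so UDP packets with DF set were silently dropped). PROTO= is captured as
     "proto". The second LEN= is the UDP datagram length, exported as payload_len. -->
<decoder name="edgerouter-fw-udp">
    <parent>kernel</parent>
    <prematch type="pcre2">PROTO=UDP\s</prematch>
    <regex type="pcre2">\[([^\]]+)\]IN=(\S*)\s+OUT=(\S*)\s+MAC=([0-9A-Fa-f:]*)\s+SRC=([0-9.]+)\s+DST=([0-9.]+)\s+LEN=(\d+)\s+TOS=(\S+)\s+PREC=(\S+)\s+TTL=(\d+)\s+ID=(\d+)(?:\s+(?:CE|DF|MF))*\s+PROTO=(UDP)\s+SPT=(\d+)\s+DPT=(\d+)\s+LEN=(\d+)</regex>
    <order>chain,in_iface,out_iface,mac,srcip,dstip,len,tos,prec,ttl,id,proto,srcport,dstport,payload_len</order>
</decoder>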


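<!-- EdgeOS/netfilter ICMP line. netfilter prints ID= and SEQ= only for echo request/reply
     (types 8 and 0); destination-unreachable, time-exceeded, redirect etc. carry other
     trailers ("[SRC=...]", "GATEWAY=", "PARAMETER="). Requiring ID=/SEQ= therefore made
     every non-echo ICMP packet undecodable. They are now optional, written so that the two
     capture groups always participate (empty when absent) and the <order> list never shifts.
     MAC= may be empty and CE/DF/MF may precede PROTO=; PROTO= is captured as "proto". -->
<decoder name="edgerouter-fw-icmp">
    <parent>kernel</parent>
    <prematch type="pcre2">PROTO=ICMP\s</prematch>
    <regex type="pcre2">\[([^\]]+)\]IN=(\S*)\s+OUT=(\S*)\s+MAC=([0-9A-Fa-f:]*)\s+SRC=([0-9.]+)\s+DST=([0-9.]+)\s+LEN=(\d+)\s+TOS=(\S+)\s+PREC=(\S+)\s+TTL=(\d+)\s+ID=(\d+)(?:\s+(?:CE|DF|MF))*\s+PROTO=(ICMP)\s+TYPE=(\d+)\s+CODE=(\d+)\s*(?:ID=)?(\d*)\s*(?:SEQ=)?(\d*)</regex>
    <order>chain,in_iface,out_iface,mac,srcip,dstip,len,tos,prec,ttl,id,proto,icmp_type,icmp_code,icmp_id,icmp_seq</order>
</decoder>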

