January 1, 2026

Logging Ubiquiti EdgeRouter firewall events to Wazuh

Problem

EdgeRouter (EdgeOS) firewall hits arrive as kernel netfilter log lines prefixed with the firewall chain name, and Wazuh does not understand that format out of the box, so forwarding them to Wazuh needs a custom decoder plus a matching rule set.


Solution

In /var/ossec/etc/rules/edgerouter-fw_rules.xml: 

<group name="edgerouter,firewall,">

    <rule id="900100" level="3">
        <decoded_as>edgerouter-fw</decoded_as>
        <description>EdgeRouter firewall event: $(chain) $(proto) $(src_ip):$(src_port) → $(dst_ip):$(dst_port)</description>
        <group>network,firewall,</group>
    </rule>

    <rule id="900110" level="7">
        <match>-D]</match>
        <decoded_as>edgerouter-fw</decoded_as>
        <description>EdgeRouter DROP: $(src_ip):$(src_port) → $(dst_ip):$(dst_port) on $(chain)</description>
        <group>network,firewall,drop,</group>
    </rule>

    <rule id="900111" level="7">
        <match>-R]</match>
        <decoded_as>edgerouter-fw</decoded_as>
        <description>EdgeRouter REJECT: $(src_ip):$(src_port) → $(dst_ip):$(dst_port) on $(chain)</description>
        <group>network,firewall,reject,</group>
    </rule>

    <rule id="900120" level="3">
        <match>-A]</match>
        <decoded_as>edgerouter-fw</decoded_as>
        <description>EdgeRouter ACCEPT: $(src_ip):$(src_port) → $(dst_ip):$(dst_port) on $(chain)</description>
        <group>network,firewall,accept,</group>
    </rule>

    <rule id="900130" level="5">
        <match>SYN</match>
        <decoded_as>edgerouter-fw</decoded_as>
        <description>EdgeRouter SYN packet: $(src_ip) → $(dst_ip):$(dst_port)</description>
        <group>network,firewall,syn,</group>
    </rule>

    <rule id="900140" level="8">
        <decoded_as>edgerouter-fw</decoded_as>
        <!-- the trailing \b keeps DPT=22 from also matching DPT=2222 -->
        <regex type="pcre2">DPT=(22|3389|445|139|5985|5986)\b</regex>
        <description>EdgeRouter high-risk port access: $(src_ip) → $(dst_ip):$(dst_port)</description>
        <group>network,firewall,highrisk,</group>
    </rule>

    <rule id="900150" level="9">
        <decoded_as>edgerouter-fw</decoded_as>
        <match>WAN_LOCAL</match>
        <description>EdgeRouter WAN_LOCAL hit: $(src_ip) → router on $(dst_port)</description>
        <group>network,firewall,router-protection,</group>
    </rule>

    <!-- fires after 10 matches of the SYN rule within 60 seconds -->
    <rule id="900160" level="10" frequency="10" timeframe="60">
        <if_matched_sid>900130</if_matched_sid>
        <description>Possible port scan from $(src_ip)</description>
        <group>network,firewall,scan,</group>
    </rule>

</group>


In /var/ossec/etc/decoders/edgerouter-fw.xml:

<decoder name="edgerouter-fw">
    <prematch type="pcre2">kernel: \[</prematch>
    <!-- netfilter may print fragment flags (CE, DF, MF) between ID= and PROTO=;
         the non-capturing group skips them without shifting the captured fields -->
    <regex type="pcre2">\[(\S+)\]IN=(\S*) OUT=(\S*) MAC=(\S*) SRC=(\S*) DST=(\S*) LEN=(\S*) TOS=(\S*) PREC=(\S*) TTL=(\S*) ID=(\S*) (?:(?:CE|DF|MF) )*PROTO=(\S*) SPT=(\S*) DPT=(\S*)</regex>
    <order>chain, in_iface, out_iface, mac, src_ip, dst_ip, len, tos, prec, ttl, id, proto, src_port, dst_port</order>
</decoder>
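To see what the decoder and rules above actually do to a log line before loading them into a manager, the following Python script (an added example written for this post, not Wazuh code and not part of the original) re-implements the decoder's field layout and the rule predicates and feeds them constructed EdgeOS-style kernel lines. Two things are assumptions of this example: netfilter may print fragment flags such as DF between ID= and PROTO= (the pattern skips them), and sibling rules are tried highest level first with the first hit winning, which is a simplification of Wazuh's rule tree. The sample log lines are constructed, not captured from a real router.

```python
import re
from collections import defaultdict, deque

# Field layout mirrors the edgerouter-fw decoder <order>. The optional fragment
# flags (assumption: netfilter prints "CE ", "DF " or "MF " between ID= and PROTO=)
# are skipped by a non-capturing group so the captured fields keep their positions.
DECODER_RE = re.compile(
    r"\[(?P<chain>\S+)\]IN=(?P<in_iface>\S*) OUT=(?P<out_iface>\S*) MAC=(?P<mac>\S*) "
    r"SRC=(?P<src_ip>\S*) DST=(?P<dst_ip>\S*) LEN=(?P<len>\S*) TOS=(?P<tos>\S*) "
    r"PREC=(?P<prec>\S*) TTL=(?P<ttl>\S*) ID=(?P<id>\S*) (?:(?:CE|DF|MF) )*PROTO=(?P<proto>\S*) "
    r"SPT=(?P<src_port>\S*) DPT=(?P<dst_port>\S*)"
)
PREMATCH_RE = re.compile(r"kernel: \[")
HIGHRISK_RE = re.compile(r"DPT=(22|3389|445|139|5985|5986)\b")  # \b: not DPT=2222


def decode(line):
    """Mimic the decoder: prematch first, then extract the ordered fields (or None)."""
    if not PREMATCH_RE.search(line):
        return None
    m = DECODER_RE.search(line)
    return m.groupdict() if m else None


# Stateless rules from the post: (rule id, level, predicate on the raw line).
# <match> is a substring test; <regex> is a regular-expression search.
RULES = [
    (900150, 9, lambda line: "WAN_LOCAL" in line),
    (900140, 8, lambda line: HIGHRISK_RE.search(line) is not None),
    (900110, 7, lambda line: "-D]" in line),
    (900111, 7, lambda line: "-R]" in line),
    (900130, 5, lambda line: "SYN" in line),
    (900120, 3, lambda line: "-A]" in line),
    (900100, 3, lambda line: True),
]


def classify(line):
    """Return (rule_id, level, fields) for the winning stateless rule, or None.

    Model (assumption): siblings are tried highest level first, first hit wins,
    so a dropped SYN lands on 900110 rather than on the SYN rule 900130.
    """
    fields = decode(line)
    if fields is None:
        return None
    for rule_id, level, pred in sorted(RULES, key=lambda r: -r[1]):
        if pred(line):
            return rule_id, level, fields
    return None


class SynScanCounter:
    """Rule 900160: fire once 900130 has matched `frequency` times within `timeframe` s.

    As written in the post the rule has no <same_source_ip/>, so hits from all
    sources share one counter; per_source=True models the keyed variant.
    """

    def __init__(self, frequency=10, timeframe=60, per_source=False):
        self.frequency, self.timeframe, self.per_source = frequency, timeframe, per_source
        self.hits = defaultdict(deque)

    def observe(self, ts, src_ip):
        q = self.hits[src_ip if self.per_source else "*"]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:  # forget hits outside the window
            q.popleft()
        return len(q) >= self.frequency


def run(events, counter):
    """Feed (timestamp, line) pairs through the rule set; return [(ts, rule_id), ...]."""
    alerts = []
    for ts, line in events:
        hit = classify(line)
        if hit is None:
            continue
        rule_id, _, fields = hit
        alerts.append((ts, rule_id))
        if rule_id == 900130 and counter.observe(ts, fields["src_ip"]):
            alerts.append((ts, 900160))
    return alerts


# Constructed sample lines in EdgeOS kernel-log form (not from a real router).
HDR = "Jan  1 00:00:01 ubnt kernel: "
NF = ("IN=eth0 OUT={out} MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC={src} DST={dst} "
      "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID={ip_id}{df} PROTO=TCP SPT={spt} DPT={dpt} "
      "WINDOW=65535 RES=0x00 SYN URGP=0")


def sample(chain, src, dst, spt, dpt, out="eth1", df=False, ip_id=1):
    return HDR + f"[{chain}]" + NF.format(out=out, src=src, dst=dst, ip_id=ip_id,
                                           df=" DF" if df else "", spt=spt, dpt=dpt)


SAMPLES = {
    "ssh_to_router": sample("WAN_LOCAL-default-D", "203.0.113.10", "192.0.2.1", 40001, 22, out="", df=True),
    "dropped_syn": sample("WAN_IN-default-D", "203.0.113.10", "192.0.2.20", 40002, 8080),
    "accepted_syn": sample("WAN_IN-10-A", "198.51.100.7", "192.0.2.20", 40003, 443),
}
# ICMP has no SPT/DPT, so the decoder regex cannot match it at all.
ICMP_SAMPLE = (HDR + "[WAN_LOCAL-default-D]IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 "
               "SRC=203.0.113.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=7 DF "
               "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1")

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, classify(line)[:2])
    print("icmp decoded:", decode(ICMP_SAMPLE))
    burst = [(t, SAMPLES["accepted_syn"]) for t in range(10)]
    print(run(burst, SynScanCounter())[-1])  # (9, 900160)
```

Running it shows the points worth knowing before deploying the files: a DF-flagged line only decodes because the pattern tolerates the flag, ICMP lines never decode because the regex insists on SPT/DPT, and under the highest-level-first model a dropped SYN is claimed by the DROP rule, so the port-scan rule 900160 counts only SYNs that reached the lower-level SYN rule. Wazuh's real ordering and frequency counting have their own details, so confirm which rule fires by feeding the same lines through /var/ossec/bin/wazuh-logtest on the manager.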

