jcboliveira
Just put together some quick-and-dirty Wazuh rules and decoders. ssh, drop and accept are already covered by the standard rules.
rules
<!-- Asus XT8: fires on every event whose program name is rc_service; fields come from the rc_service decoders.
     NOTE(review): in a Wazuh rules file <rule> elements sit inside a <group name="..."> wrapper, which this snippet omits. -->
<rule id="100001" level="4">
  <description>Info from Asus XT8 Firewall</description>
  <program_name>rc_service</program_name>
</rule>
<!-- Asus XT8: dnsmasq-dhcp events whose decoded action is DHCPACK (lease acknowledged).
     The action field is filled by the dnsmasq-dhcp child decoder; the string compare is exact. -->
<rule id="100002" level="4">
  <description>Info from Asus XT8 DHCP</description>
  <program_name>dnsmasq-dhcp</program_name>
  <action>DHCPACK</action>
</rule>
<!-- accept all (kept disabled): an unscoped catch-all, with no program_name or decoded_as, would match every event
<rule id="110000" level="5">
<regex type="pcre2">.*</regex>
<description>Info from Asus XT8</description>
</rule>
-->
<!-- Parent decoder: claims syslog events whose program name is rc_service.
     Field extraction is left to the child decoder that names this one as parent. -->
<decoder name="rc_service">
  <program_name>rc_service</program_name>
</decoder>
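<!-- Child decoder for rc_service: splits "<pid>:notify_rc <command>" into action=notify_rc and data=<command>.
     NOTE(review): the first cut pinned the number before ":notify_rc" to 30053. That value looks like the PID of the
     process requesting the service restart and changes from event to event, so it is matched with \d+ instead;
     confirm against a live router log. -->
<decoder name="rc_service">
  <parent>rc_service</parent>
  <regex type="pcre2">(?i)\d+:(notify_rc)\s*(.*)</regex>
  <order>action,data</order>
</decoder>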
<!-- Parent decoder: claims syslog events whose program name is dnsmasq-dhcp.
     The DHCPACK fields are extracted by the child decoder that names this one as parent. -->
<decoder name="dnsmasq-dhcp">
  <program_name>dnsmasq-dhcp</program_name>
</decoder>
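<!-- Child decoder for dnsmasq-dhcp lease acknowledgements:
       "DHCPACK(<bridge>) <ip> <mac> <hostname>"  ->  action, dstip, data, extra_data
     Changes vs. the first cut: \S+ for the ip and mac fields instead of greedy .*, and the trailing hostname is
     optional (" ?(.*)", extra_data is empty when absent) because dnsmasq omits it when the client sent none;
     the original "(.*) (.*) (.*)" needed two separators and silently left such lines undecoded.
     The interface is matched as any bridge name rather than br0 only (guest networks may use other bridges) and is
     not captured. NOTE(review): the leased address is the client's; it stays in dstip so rule 100002 and any
     existing searches keep working. -->
<decoder name="dnsmasq-dhcp">
  <parent>dnsmasq-dhcp</parent>
  <regex type="pcre2">(?i)(DHCPACK)\([^)]+\) (\S+) (\S+) ?(.*)</regex>
  <order>action,dstip,data,extra_data</order>
</decoder>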
rules
<!-- Asus XT8: fires on every event whose program name is rc_service; fields come from the rc_service decoders.
     NOTE(review): in a Wazuh rules file <rule> elements sit inside a <group name="..."> wrapper, which this snippet omits. -->
<rule id="100001" level="4">
  <description>Info from Asus XT8 Firewall</description>
  <program_name>rc_service</program_name>
</rule>
<!-- Asus XT8: dnsmasq-dhcp events whose decoded action is DHCPACK (lease acknowledged).
     The action field is filled by the dnsmasq-dhcp child decoder; the string compare is exact. -->
<rule id="100002" level="4">
  <description>Info from Asus XT8 DHCP</description>
  <program_name>dnsmasq-dhcp</program_name>
  <action>DHCPACK</action>
</rule>
<!-- accept all (kept disabled): an unscoped catch-all, with no program_name or decoded_as, would match every event
<rule id="110000" level="5">
<regex type="pcre2">.*</regex>
<description>Info from Asus XT8</description>
</rule>
-->
<!-- Parent decoder: claims syslog events whose program name is rc_service.
     Field extraction is left to the child decoder that names this one as parent. -->
<decoder name="rc_service">
  <program_name>rc_service</program_name>
</decoder>
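<!-- Child decoder for rc_service: splits "<pid>:notify_rc <command>" into action=notify_rc and data=<command>.
     NOTE(review): the first cut pinned the number before ":notify_rc" to 30053. That value looks like the PID of the
     process requesting the service restart and changes from event to event, so it is matched with \d+ instead;
     confirm against a live router log. -->
<decoder name="rc_service">
  <parent>rc_service</parent>
  <regex type="pcre2">(?i)\d+:(notify_rc)\s*(.*)</regex>
  <order>action,data</order>
</decoder>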
<!-- Parent decoder: claims syslog events whose program name is dnsmasq-dhcp.
     The DHCPACK fields are extracted by the child decoder that names this one as parent. -->
<decoder name="dnsmasq-dhcp">
  <program_name>dnsmasq-dhcp</program_name>
</decoder>
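<!-- Child decoder for dnsmasq-dhcp lease acknowledgements:
       "DHCPACK(<bridge>) <ip> <mac> <hostname>"  ->  action, dstip, data, extra_data
     Changes vs. the first cut: \S+ for the ip and mac fields instead of greedy .*, and the trailing hostname is
     optional (" ?(.*)", extra_data is empty when absent) because dnsmasq omits it when the client sent none;
     the original "(.*) (.*) (.*)" needed two separators and silently left such lines undecoded.
     The interface is matched as any bridge name rather than br0 only (guest networks may use other bridges) and is
     not captured. NOTE(review): the leased address is the client's; it stays in dstip so rule 100002 and any
     existing searches keep working. -->
<decoder name="dnsmasq-dhcp">
  <parent>dnsmasq-dhcp</parent>
  <regex type="pcre2">(?i)(DHCPACK)\([^)]+\) (\S+) (\S+) ?(.*)</regex>
  <order>action,dstip,data,extra_data</order>
</decoder>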