
<!-- =========================
UniFi custom rules (tagged logs)
IDs: 100400+
One group per rule
========================= -->
<!-- Suppression rules (100400 to 100403). Level 0 never produces an alert, and
Wazuh checks lower-level rules first, so a UniFi line that matches one of these
is consumed here and is not evaluated against the higher-level rules below.
<match> is a substring/sregex test on the decoded log text. -->
<group name="unifi,noise,">
<rule id="100400" level="0">
<decoded_as>unifi</decoded_as>
<match>reporter_save_config</match>
<description>UniFi noise: save_config</description>
</rule>
</group>
<group name="unifi,noise,">
<rule id="100401" level="0">
<decoded_as>unifi</decoded_as>
<match>need_cfg_save</match>
<description>UniFi noise: need_cfg_save</description>
</rule>
</group>
<group name="unifi,noise,dns,">
<rule id="100402" level="0">
<decoded_as>unifi</decoded_as>
<match>use cached dns record</match>
<description>UniFi noise: cached dns record</description>
</rule>
</group>
<!-- Lines that carry an auth key are dropped so the secret does not surface in
alerts or the alert index. NOTE(review): this only affects alerting; if the
manager is configured to archive every received event, the raw line is still
stored there. -->
<group name="unifi,sensitive,">
<rule id="100403" level="0">
<decoded_as>unifi</decoded_as>
<match>authkey:</match>
<description>UniFi sensitive: authkey ignored</description>
</rule>
</group>
<!-- Switch port link down (100410, 100411). <field> values are regular
expressions: ^USW and ^SW anchor on the start of device_family, so the two
rules cover the two family prefixes without overlapping. They are kept as
separate rule IDs because the flapping rules below reference each one with
if_matched_sid. NOTE(review): nothing here requires the port field, so
$(port) in the description may render empty if the decoder did not set it. -->
<group name="unifi,switch,network_down,">
<rule id="100410" level="10">
<decoded_as>unifi</decoded_as>
<field name="link_state">down</field>
<field name="device_family">^USW</field>
<description>UniFi Switch: port link DOWN (site=$(site), device=$(device), port=$(port))</description>
</rule>
</group>
<group name="unifi,switch,network_down,">
<rule id="100411" level="10">
<decoded_as>unifi</decoded_as>
<field name="link_state">down</field>
<field name="device_family">^SW</field>
<description>UniFi Switch: port link DOWN (site=$(site), device=$(device), port=$(port))</description>
</rule>
</group>
<!-- Port flapping (100412, 100413): composite rules that count repeated hits of
the link-down rules within timeframe seconds. No <decoded_as> is needed because
if_matched_sid already restricts them to events that fired the parent rule.
The three same_field entries key the counter per site, device and port, so
several ports going down once each do not add up to a flap.
NOTE(review): the "3x" in the description assumes frequency is the literal
number of parent hits; the exact count that triggers a frequency rule has
varied between Wazuh releases, so confirm against the installed version. -->
<group name="unifi,switch,network_instability,flapping,">
<rule id="100412" level="12" frequency="3" timeframe="300">
<if_matched_sid>100410</if_matched_sid>
<same_field>site</same_field>
<same_field>device</same_field>
<same_field>port</same_field>
<description>UniFi Switch: port FLAPPING (3x DOWN/5min) site=$(site) device=$(device) port=$(port)</description>
</rule>
</group>
<group name="unifi,switch,network_instability,flapping,">
<rule id="100413" level="12" frequency="3" timeframe="300">
<if_matched_sid>100411</if_matched_sid>
<same_field>site</same_field>
<same_field>device</same_field>
<same_field>port</same_field>
<description>UniFi Switch: port FLAPPING (3x DOWN/5min) site=$(site) device=$(device) port=$(port)</description>
</rule>
</group>
<!-- STP port moved to Blocking (100414, 100415), one rule per device_family
prefix as for the link-down rules. A port entering Blocking is the usual
symptom of a layer-2 loop being suppressed, hence the "boucle réseau"
(network loop) wording in the description. Level 8 keeps it below the
flapping and controller-loss rules. -->
<group name="unifi,switch,network_loop,stp,">
<rule id="100414" level="8">
<decoded_as>unifi</decoded_as>
<field name="device_family">^SW</field>
<field name="stp_to">Blocking</field>
<description>UniFi Switch: STP moved to BLOCKING (boucle réseau) site=$(site) device=$(device) port=$(port)</description>
</rule>
</group>
<group name="unifi,switch,network_loop,stp,">
<rule id="100415" level="8">
<decoded_as>unifi</decoded_as>
<field name="device_family">^USW</field>
<field name="stp_to">Blocking</field>
<description>UniFi Switch: STP moved to BLOCKING (boucle réseau) site=$(site) device=$(device) port=$(port)</description>
</rule>
</group>
<!-- Controller reachability (100420 to 100422). -->
<!-- 100420 and 100421 fire on any non-empty value of the named field (the
pattern .+ is "one or more of any character"); they do not inspect the
message text. NOTE(review): this assumes the unifi decoder only populates
dns_host and inform_error on failure paths. If the decoder sets them on
successful lookups or informs as well, these rules will alert on normal
traffic; confirm against the decoder. -->
<group name="unifi,dns,unifi_controller,">
<rule id="100420" level="8">
<decoded_as>unifi</decoded_as>
<field name="dns_host">.+</field>
<description>UniFi: DNS controller resolve failed for $(dns_host) (site=$(site), device=$(device))</description>
</rule>
</group>
<!-- Description is French: "unable to contact the controller". $(inform_url)
is printed but not matched on, so it may be empty if not decoded. -->
<group name="unifi,unifi_controller,availability,">
<rule id="100421" level="11">
<decoded_as>unifi</decoded_as>
<field name="inform_error">.+</field>
<description>UniFi: Impossible de contacter le controlleur ($(inform_error)) url=$(inform_url) (site=$(site), device=$(device))</description>
</rule>
</group>
<!-- A device entering Selfrun has stopped being managed by the controller;
this can be a controller outage, a network partition between device and
controller, or an adoption change. Highest level in this file because the
device is now running without central policy. -->
<group name="unifi,unifi_controller,availability,">
<rule id="100422" level="12">
<decoded_as>unifi</decoded_as>
<field name="state_to">Selfrun</field>
<description>UniFi: device switched to SELF-RUN (controller lost?) site=$(site) device=$(device)</description>
</rule>
</group>
<!-- Wi-Fi client events (100430 to 100432). -->
<!-- Single association/authentication failures are common (wrong PSK, roaming
clients), so 100430 is kept at level 2 and mainly serves as the parent for
the frequency rules 100433 and 100434 further down. -->
<group name="unifi,wifi,authentication_failed,">
<rule id="100430" level="2">
<decoded_as>unifi</decoded_as>
<field name="event_type">failure</field>
<description>UniFi WiFi: assoc/auth failure sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site) wpa_auth_failures=$(wpa_auth_failures)</description>
</rule>
</group>
<!-- Disassociation and deauthentication are silenced at level 0 (normal client
churn). NOTE(review): this means a burst of deauthentications on one AP is not
alerted anywhere in this file; if that coverage is wanted, a frequency rule
keyed on device would be the place to add it. -->
<group name="unifi,wifi,">
<rule id="100431" level="0">
<decoded_as>unifi</decoded_as>
<field name="wifi_event">disassociated</field>
<description>UniFi WiFi: STA $(wifi_event) sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site)</description>
</rule>
</group>
<group name="unifi,wifi,">
<rule id="100432" level="0">
<decoded_as>unifi</decoded_as>
<field name="wifi_event">deauthenticated</field>
<description>UniFi WiFi: STA $(wifi_event) sta=$(sta_mac) vap=$(vap) ap=$(device) site=$(site)</description>
</rule>
</group>
<!-- Auth-failure correlation, both children of 100430. -->
<!-- 100433: one client (same sta_mac on the same site) failing repeatedly in a
short window; a misconfigured client or a credential-guessing attempt. -->
<group name="unifi,wifi,authentication_failed,correlation,">
<rule id="100433" level="10" frequency="5" timeframe="120">
<if_matched_sid>100430</if_matched_sid>
<same_field>site</same_field>
<same_field>sta_mac</same_field>
<description>UniFi WiFi: repeated auth failures (5x/2min) sta=$(sta_mac) site=$(site) vap=$(vap)</description>
</rule>
</group>
<!-- 100434: many failures across a whole site regardless of client; points at
a site-wide problem (RADIUS/PSK change, AP issue) rather than one client.
NOTE(review): as with the switch rules, confirm how the installed Wazuh
version counts frequency before trusting the "30x" figure literally. -->
<group name="unifi,wifi,site_issue,authentication_failed,">
<rule id="100434" level="12" frequency="30" timeframe="300">
<if_matched_sid>100430</if_matched_sid>
<same_field>site</same_field>
<description>UniFi WiFi: many auth failures on site (30x/5min) site=$(site)</description>
</rule>
</group>
<!-- Radio stability (100440, 100441). 100440 matches the kernel_event value
ath_bstuck_tasklet, which the description treats as a stuck-beacon condition
followed by a radio reset; the French parenthesis says "radio not responding
= reset". 100441 escalates when the same site sees it three times in ten
minutes. -->
<group name="unifi,wifi,radio,stability,">
<rule id="100440" level="10">
<decoded_as>unifi</decoded_as>
<field name="kernel_event">ath_bstuck_tasklet</field>
<description>UniFi WiFi: radio stuck beacon/reset (radio wifi répond pas = reset) (site=$(site)) msg=$(msg)</description>
</rule>
</group>
<!-- Keyed on site only, so resets spread across several APs on one site still
add up; key on device as well if per-AP escalation is preferred. -->
<group name="unifi,wifi,radio,stability,">
<rule id="100441" level="12" frequency="3" timeframe="600">
<if_matched_sid>100440</if_matched_sid>
<same_field>site</same_field>
<description>UniFi WiFi: repeated stuck beacon/reset (3x/10min) site=$(site)</description>
</rule>
</group>