CyberMind-FR
aeb4825b25
Pure-shell WiFi MAC address security monitor detecting randomized MACs, OUI anomalies, MAC floods, and spoofing. Integrates with CrowdSec via JSON log parsing and provides real-time hostapd hotplug detection. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
28 lines
937 B
YAML
28 lines
937 B
YAML
onsuccess: next_stage
|
|
name: secubox/mac-guardian
|
|
description: "Parse SecuBox mac-guardian JSON events"
|
|
filter: "evt.Line.Labels.type == 'mac-guardian'"
|
|
nodes:
|
|
- grok:
|
|
apply_on: evt.Line.Raw
|
|
expression: "^%{GREEDYDATA:json_raw}$"
|
|
statics:
|
|
- parsed: json_data
|
|
expression: "JsonExtract(evt.Parsed.json_raw, '')"
|
|
- filter: "evt.Parsed.json_data != ''"
|
|
statics:
|
|
- meta: log_type
|
|
value: mac_guardian
|
|
- meta: service
|
|
value: mac-guardian
|
|
- meta: source_mac
|
|
expression: "JsonExtract(evt.Parsed.json_raw, 'mac')"
|
|
- parsed: event_type
|
|
expression: "JsonExtract(evt.Parsed.json_raw, 'event')"
|
|
- parsed: iface
|
|
expression: "JsonExtract(evt.Parsed.json_raw, 'iface')"
|
|
- parsed: details
|
|
expression: "JsonExtract(evt.Parsed.json_raw, 'details')"
|
|
- parsed: timestamp
|
|
expression: "JsonExtract(evt.Parsed.json_raw, 'ts')"
|