How to recognize malicious connection: login failed via dude?

I do not have dude on my router and I do not use it. But, quite often i see in log alert of failed connection via dude using bogus usernames. That are clearly malicious attempts.

As I understand it uses the same port as Winbox, so I cannot use port as indicator. Is there other way to recognize those connections in firewall, so I can handle them?

You are probably using a very old version of RouterOS, in new versions all logins are displayed as winbox. At the firewall level it is not possible to distinguish between winbox/dude applications. There are scripts that periodically monitor the local event log and add entries to: /ip/firewall/address-list