Wazuh when I write the rule I encounter with a problem (Nmap Scripting
-
I started writing rules. I am trying to understand logically. I started by copying the Windows rule.
But I want to write a special rule according to the log I have received.
Can you help me
or can you say my wrong points
sorry for broken english
Log :
172.20.10.6 - - [18/Jun/2020:11:30:38 +0000] "HEAD /sitecore/admin/ShowConfig.aspx HTTP/1.1" 404 1824 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
decoder:
<decoder name="example">
<program_name>^example</program_name>
</decoder>
<decoder name="example">
<type>web-log</type>
<parent>example</parent>
<prematch>\W*((?i)Nmap Scripting Engine(?-i))\W*</prematch>
<regex>\W*((?i)Nmap Scripting Engine(?-i))\W*</regex>
<order>nmap, webattack</order>
</decoder>
rule :
<group name="example,">
<rule id="100010" level="5">
<program_name>example</program_name>
<regex>"[NHTTP]\w\W\w\S\w\S....."</regex>
<description>Nmap Scripting Web Attack</description>
<group>attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,</group>
</rule>
</group>
-
-
@Obsolesce said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
Thanks for the page, unfortunately I'm not sure I can help with this issue, I'll try though.
@kemal-tunc what error are you receiving?
-
Ok so you are trying to detect when someone uses NMap scripting engine....
What log file is storing this?
-
<!-- ################################### -->
<!-- # NMAP Detection Rule # -->
<!-- ################################### -->
<group name="NMAP_Security_Correlations,">
<rule id="100100" level="5">
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/nginx/access.log</location>
</rule>
</group>
If using NGINX, you could also just block this and not worry about alerting on it. Just add that to your NGINX configuration file.
if ($http_user_agent ~* "nmap scripting engine") { return 403; }
-
You do not need a decoder for this, just create a new rule file like the one above.
-
What log file is storing this?
apache
If I replace nginx section with apache?
-
@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
What log file is storing this?
apache
If I replace nginx section with apache?
Yeah just change the location to match apache log
-
unfortunately didn't show
ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
/var/log/apache2/access.log
<group name="NMAP_Security_Correlations,">
<rule id="100100" level="5">
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/apache2/access.log</location>
</rule>
</group>
wazuh-manager restart done
-
@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
unfortunately didn't show
ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
/var/log/apache2/access.log
<group name="NMAP_Security_Correlations,">
<rule id="100100" level="5">
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/apache2/access.log</location>
</rule>
</group>
wazuh-manager restart done
You need to restart agents, too
-
after the rule, realized
-
nothing changed
-
based on this value, the rule worked
<if_matched_sid>31101</if_matched_sid>
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->
<!-- Example -->
<!-- ################################### -->
<!-- # NMAP Detection Rule # -->
<!-- ################################### -->
<group name="NMAP_Security_Correlations,">
<rule id="100100" level="10">
<if_matched_sid>31101</if_matched_sid>
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/apache2/access.log</location>
</rule>
</group>
0245-web_rules.xml
I examined and combined but I did not understand the logic
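The check that the thread's `<match>Nmap Scripting Engine</match>` rule performs on an Apache access log, reproduced in Python as an added example (not code from the thread or from Wazuh): it decodes combined-format lines into the fields a web-log decoder exposes (srcip, url, status, user-agent) and flags lines whose user-agent contains the string, using a plain substring test like `<match>` rather than the `<regex>` from the first attempt. The sample log lines are constructed; the `ignore_case` switch shows which variant a case-sensitive substring test would miss.

```python
import re

# Constructed sample lines in Apache/NGINX combined log format (IPs and paths made up).
# The first is the thread's own Nmap hit; the third has the agent string in a different case.
SAMPLE_LOG = """\
172.20.10.6 - - [18/Jun/2020:11:30:38 +0000] "HEAD /sitecore/admin/ShowConfig.aspx HTTP/1.1" 404 1824 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.5 - - [18/Jun/2020:11:31:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/77.0"
10.0.0.7 - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; NMAP scripting engine; https://nmap.org/book/nse.html)"
"""

# Combined log format: client ident user [time] "method url proto" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def decode_line(line):
    """Split one access-log line into named fields; None if it is not combined format."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def nse_hits(log_text, needle="Nmap Scripting Engine", ignore_case=False):
    """Return the decoded fields of every line whose user-agent contains `needle`.

    Default is an exact substring test (what a plain <match> does); ignore_case=True
    also catches agents that only differ in letter case.
    """
    hits = []
    for line in log_text.splitlines():
        fields = decode_line(line)
        if fields is None:
            continue  # skip lines the decoder cannot parse, as a decoder would
        agent = fields["agent"]
        matched = needle.lower() in agent.lower() if ignore_case else needle in agent
        if matched:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in nse_hits(SAMPLE_LOG, ignore_case=True):
        print(f'{hit["srcip"]} {hit["method"]} {hit["url"]} -> {hit["status"]}')
```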