Wazuh when I write the rule I encounter with a problem (Nmap Scripting
-
@Obsolesce said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
Thanks for the page, unfortunately I'm not sure I can help with this issue, I'll try though.
@kemal-tunc what error are you receiving?
-
Ok so you are trying to detect when someone uses the NMap scripting engine....
What log file is storing this?
-
<!-- ################################### -->
<!-- # NMAP Detection Rule # -->
<!-- ################################### -->
<group name="NMAP_Security_Correlations,">
  <rule id="100100" level="5">
    <match>Nmap Scripting Engine</match>
    <description>NMap Scripting Engine Detected</description>
    <location>/var/log/nginx/access.log</location>
  </rule>
</group>
If using NGINX, you could also just block this and not worry about alerting on it. Just add that to your NGINX configuration file.
if ($http_user_agent ~* "nmap scripting engine") { return 403; }
-
You do not need a decoder for this, just create a new rule file like the one above.
-
What log file is storing this?
apache
If I replace nginx section with apache?
-
@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
What log file is storing this?
apache
If I replace nginx section with apache?
Yeah just change the location to match apache log
-
Unfortunately it didn't show.
ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
/var/log/apache2/access.log
<group name="NMAP_Security_Correlations,">
  <rule id="100100" level="5">
    <match>Nmap Scripting Engine</match>
    <description>NMap Scripting Engine Detected</description>
    <location>/var/log/apache2/access.log</location>
  </rule>
</group>
wazuh-manager restart done
-
@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
Unfortunately it didn't show.
ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
/var/log/apache2/access.log
<group name="NMAP_Security_Correlations,">
  <rule id="100100" level="5">
    <match>Nmap Scripting Engine</match>
    <description>NMap Scripting Engine Detected</description>
    <location>/var/log/apache2/access.log</location>
  </rule>
</group>
wazuh-manager restart done
You need to restart agents, too
-
after the rule, realized
-
nothing changed
-
based on this value, the rule worked
<if_matched_sid>31101</if_matched_sid>
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->
<!-- Example -->
<!-- ################################### -->
<!-- # NMAP Detection Rule # -->
<!-- ################################### -->
<group name="NMAP_Security_Correlations,">
  <rule id="100100" level="10">
    <if_matched_sid>31101</if_matched_sid>
    <match>Nmap Scripting Engine</match>
    <description>NMap Scripting Engine Detected</description>
    <location>/var/log/apache2/access.log</location>
  </rule>
</group>
0245-web_rules.xml
I examined and combined them, but I did not understand the logic.
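An added example (my own code, not from the thread or from Wazuh) that parses the Apache log line posted above and emulates the chain in the final rule file: Wazuh's stock rule 31101 ("Web server 400 error code") fires on any 4xx response, and the custom rule 100100 is only tested once its parent has fired. It models the if_matched_sid link as a plain parent/child dependency, which also shows the caveat that an NSE request answered with a 200 never reaches the custom rule.

```python
import re

# Apache "combined" access-log format, as used by the log line in the thread.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

NSE_MARKER = "Nmap Scripting Engine"  # the <match> string from the thread's rule


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def evaluate(line):
    """Emulate the chained rules: 31101 (any 4xx) must fire before 100100 is tested.

    Returns the list of rule ids that fired for one log line, in order.
    """
    fields = parse_line(line)
    if fields is None:
        return []
    fired = []
    # Wazuh's stock rule 31101 ("Web server 400 error code") fires on any 4xx status.
    if fields["status"].startswith("4"):
        fired.append(31101)
        # The custom rule is a child of 31101, so it is only tested once 31101 fired.
        if NSE_MARKER in fields["agent"]:
            fired.append(100100)
    return fired


# Constructed sample lines; the first is the one posted in the thread.
SAMPLE_LINES = [
    'ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '203.0.113.5 - - [02/Jul/2020:14:15:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"',
    # An NSE probe that got a 200: a child of 31101 never sees it (the caveat).
    '203.0.113.7 - - [02/Jul/2020:14:15:09 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
]


def run_samples():
    """Rule ids fired per sample line: [[31101, 100100], [], []]."""
    return [evaluate(line) for line in SAMPLE_LINES]
```

To test the real rule against a real log line, feed the line to the logtest tool shipped with the Wazuh manager rather than to this emulation.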