Wazuh when I write the rule I encounter a problem (Nmap Scripting

IRJ

OK, so you are trying to detect when someone uses the Nmap Scripting Engine....

      What log file is storing this?

IRJ

        <!-- ################################### -->
        <!-- # NMAP Detection Rule               # -->
        <!-- ################################### -->

        <group name="NMAP_Security_Correlations,">

          <rule id="100100" level="5">
            <match>Nmap Scripting Engine</match>
            <description>NMap Scripting Engine Detected</description>
            <location>/var/log/nginx/access.log</location>
          </rule>

        </group>

        If using NGINX, you could also just block this and not worry about alerting on it. Just add that to your NGINX configuration file.

        # Case-insensitive match on the User-Agent header; the regex must be quoted
        # because it contains spaces, and nginx directives end with a semicolon.
        if ($http_user_agent ~* "nmap scripting engine") {
            return 403;
        }
        
IRJ

          You do not need a decoder for this, just create a new rule file like the one above.

kemal.tunc

What log file is storing this?

Apache

If I replace the nginx section with Apache?

IRJ @kemal.tunc

@kemal-tunc said in Wazuh when I write the rule I encounter a problem (Nmap Scripting:

    What log file is storing this?

    Apache

    If I replace the nginx section with Apache?

Yeah, just change the location to match the Apache log.

kemal.tunc

Unfortunately it didn't show.

    ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

/var/log/apache2/access.log

    <group name="NMAP_Security_Correlations,">
      <rule id="100100" level="5">
        <match>Nmap Scripting Engine</match>
        <description>NMap Scripting Engine Detected</description>
        <location>/var/log/apache2/access.log</location>
      </rule>
    </group>

(attached screenshot: Ekran Resmi 2020-07-02 17.21.39.png)

wazuh-manager restart done

IRJ @kemal.tunc

@kemal-tunc said in Wazuh when I write the rule I encounter a problem (Nmap Scripting:

    Unfortunately it didn't show.

        ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

    /var/log/apache2/access.log

        <group name="NMAP_Security_Correlations,">
          <rule id="100100" level="5">
            <match>Nmap Scripting Engine</match>
            <description>NMap Scripting Engine Detected</description>
            <location>/var/log/apache2/access.log</location>
          </rule>
        </group>

    (attached screenshot: Ekran Resmi 2020-07-02 17.21.39.png)

    wazuh-manager restart done

You need to restart the agents, too.

kemal.tunc

                    after the rule, realized

kemal.tunc

Nothing changed.

kemal.tunc

                        @IRJ

Based on this value, the rule worked:

                        <if_matched_sid>31101</if_matched_sid>

    <!-- Local rules -->
    <!-- Modify it at your will. -->
    <!-- Copyright (C) 2015-2020, Wazuh Inc. -->
    <!-- Example -->
    <!-- ################################### -->
    <!-- # NMAP Detection Rule               # -->
    <!-- ################################### -->
    <group name="NMAP_Security_Correlations,">
      <rule id="100100" level="10">
        <if_matched_sid>31101</if_matched_sid>
        <match>Nmap Scripting Engine</match>
        <description>NMap Scripting Engine Detected</description>
        <location>/var/log/apache2/access.log</location>
      </rule>
    </group>

                        0245-web_rules.xml

I examined and combined them, but I did not understand the logic.
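The Python script below is an added example (it is neither from this thread nor Wazuh's own code) that models what the two rules posted above do over a few constructed access-log lines in Apache/nginx combined format: IRJ's original stand-alone <match> rule, and kemal.tunc's final version that hangs under rule 31101. It assumes that 31101 is the stock Wazuh web rule for 4xx responses in 0245-web_rules.xml (check that file in your own install); the function names decode, rule_31101, rule_100100, evaluate and scan are chosen here, and the engine is simplified to one parent check followed by a substring match.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in combined log format (documentation IPs, not a real server).
# Line 1 mirrors the thread's 404 probe, line 3 is the same User-Agent getting a 200,
# line 4 is junk that the decoder must reject.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.4 - - [02/Jul/2020:14:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/78.0"
203.0.113.7 - - [02/Jul/2020:14:15:09 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
this line is not an access log entry
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    src_ip: str
    status: int


def decode(line):
    """Stand-in for Wazuh's web-accesslog decoder: return fields or None if not an access log line."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def rule_31101(event):
    """Assumed stand-in for the stock web rule 31101: web server 4xx response."""
    return event["status"].startswith("4")


def rule_100100(event):
    """The thread's custom rule: the same literal substring its <match> element uses."""
    return "Nmap Scripting Engine" in event["ua"]


def evaluate(line, chained=True):
    """Return an Alert for rule 100100, or None.

    chained=True models kemal.tunc's final rule (parent 31101, level 10): the custom
    rule is only evaluated for events the parent already matched.
    chained=False models IRJ's original stand-alone rule (level 5).
    """
    event = decode(line)
    if event is None:
        return None
    if chained and not rule_31101(event):
        return None
    if not rule_100100(event):
        return None
    return Alert(100100, 10 if chained else 5, "NMap Scripting Engine Detected",
                 event["ip"], int(event["status"]))


def scan(log_text, chained=True):
    """Run the rule over every line of a log and collect the alerts."""
    return [a for a in (evaluate(l, chained) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for mode in (True, False):
        print("chained" if mode else "stand-alone")
        for alert in scan(SAMPLE_LOG, chained=mode):
            print(" ", alert)
```

scan(SAMPLE_LOG) returns only the 404 line, while scan(SAMPLE_LOG, chained=False) also returns the 200 line from the same scanner: once a custom rule hangs under a parent, it is only evaluated for events that parent matched, so a probe that happens to get a 200 back never reaches the Nmap check. That is the trade-off to keep in mind when picking the parent. Note also that in Wazuh if_sid is the ordinary parent link, while if_matched_sid is intended for frequency/timeframe correlation; check the rule reference for the version you run.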
