Wazuh when I write the rule I encounter with a problem (Nmap Scripting
-
Ok so you are trying to detect when someone uses NMap scripting engine....
What log file is storing this?
-
<!-- ################################### --> <!-- # NMAP Detection Rule # --> <!-- ################################### --> <group name="NMAP_Security_Correlations,"> <rule id="100100" level="5"> <match>Nmap Scripting Engine</match> <description>NMap Scripting Engine Detected</description> <location>/var/log/nginx/access.log</location> </rule> </group>If using NGINX, you could also just block this and not worry about alerting on it. Just add that to your NGINX configuration file.
if ($http_user_agent ~* (nmap scripting engine) { return 403 } -
You do not need a decoder for this, just create a new rule file like the one above.
-
What log file is storing this?
apache
If I replace nginx section with apache?
-
@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
What log file is storing this?
apache
If I replace nginx section with apache?
Yeah just change the location to match apache log
-
unfortunately didn't show
ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"/var/log/apache2/access.log
<group name="NMAP_Security_Correlations,">
<rule id="100100" level="5">
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/apache2/access.log</location>
</rule>
</group>
wazuh-manager restart done
-
@kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:
unfortunately didn't show
ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
/var/log/apache2/access.log
<group name="NMAP_Security_Correlations,">
<rule id="100100" level="5">
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/apache2/access.log</location>
</rule>
</group>wazuh-manager restart done
You need to restart agents, too
-
after the rule, realized
-
nothing changed
-
based on this value, the rule worked
<if_matched_sid>31101</if_matched_sid>
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2020, Wazuh Inc. -->
<!-- Example -->
<!-- ################################### -->
<!-- # NMAP Detection Rule # -->
<!-- ################################### -->
<group name="NMAP_Security_Correlations,">
<rule id="100100" level="10">
<if_matched_sid>31101</if_matched_sid>
<match>Nmap Scripting Engine</match>
<description>NMap Scripting Engine Detected</description>
<location>/var/log/apache2/access.log</location>
</rule>
</group>0245-web_rules.xml
I examined and combined but I did not understand the logic
