    Wazuh when I write the rule I encounter with a problem (Nmap Scripting

    kemal.tunc

      I started writing rules. I am trying to understand the logic. I started by copying the Windows rule.

      But I want to write a special rule based on the log I have received.

      Can you help me, or point out my mistakes?

      Sorry for the broken English.

      Log :

      172.20.10.6 - - [18/Jun/2020:11:30:38 +0000] "HEAD /sitecore/admin/ShowConfig.aspx HTTP/1.1" 404 1824 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

      decoder:

      <decoder name="example">
        <program_name>^example</program_name>
      </decoder>

      <decoder name="example">
        <type>web-log</type>
        <parent>example</parent>
        <prematch>\W*((?i)Nmap Scripting Engine(?-i))\W*</prematch>
        <regex>\W*((?i)Nmap Scripting Engine(?-i))\W*</regex>
        <order>nmap, webattack</order>
      </decoder>

      rule:

      <group name="example,">
        <rule id="100010" level="5">
          <program_name>example</program_name>
          <regex>"[NHTTP]\w\W\w\S\w\S....."</regex>
          <description>Nmap Scripting Web Attack</description>
          <group>attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,</group>
        </rule>
      </group>

      Obsolesce

        @DustinB3403

        DustinB3403 @Obsolesce

          @Obsolesce said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:

          @DustinB3403

          Thanks for the page. Unfortunately I'm not sure I can help with this issue, but I'll try.

          @kemal-tunc what error are you receiving?

          IRJ

            Ok so you are trying to detect when someone uses NMap scripting engine....

            What log file is storing this?

            IRJ

              
              <!-- ################################### -->
              <!-- # NMAP Detection Rule             # -->
              <!-- ################################### -->

              <group name="NMAP_Security_Correlations,">
                <rule id="100100" level="5">
                  <match>Nmap Scripting Engine</match>
                  <description>NMap Scripting Engine Detected</description>
                  <location>/var/log/nginx/access.log</location>
                </rule>
              </group>
              
              

              If using NGINX, you could also just block this and not worry about alerting on it. Just add that to your NGINX configuration file.

              # The regex contains a space, so nginx needs it quoted; the
              # directive inside the block needs its terminating semicolon.
              if ($http_user_agent ~* "nmap scripting engine") {
                  return 403;
              }
              
              IRJ

                You do not need a decoder for this, just create a new rule file like the one above.

                kemal.tunc

                  What log file is storing this?

                  apache

                  What if I replace the nginx section with apache?

                  IRJ @kemal.tunc

                    @kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:

                    What log file is storing this?

                    apache

                    What if I replace the nginx section with apache?

                    Yeah, just change the location to match the apache log.

                    kemal.tunc

                      Unfortunately it didn't show.

                      ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
                      

                      /var/log/apache2/access.log

                      <group name="NMAP_Security_Correlations,">
                      <rule id="100100" level="5">
                      <match>Nmap Scripting Engine</match>
                      <description>NMap Scripting Engine Detected</description>
                      <location>/var/log/apache2/access.log</location>
                      </rule>
                      </group>

                      [Screenshot 2020-07-02 17.21.39.png]

                      wazuh-manager restart done

                      IRJ @kemal.tunc

                        @kemal-tunc said in Wazuh when I write the rule I encounter with a problem (Nmap Scripting:

                        wazuh-manager restart done

                        You need to restart agents, too

                          kemal.tunc

                          after the rule, realized

                            kemal.tunc

                            Nothing changed.

                              kemal.tunc

                              @IRJ

                              Based on this value, the rule worked:

                              <if_matched_sid>31101</if_matched_sid>

                              <!-- Local rules -->
                              <!-- Modify it at your will. -->
                              <!-- Copyright (C) 2015-2020, Wazuh Inc. -->
                              <!-- Example -->
                              <!-- ################################### -->
                              <!-- # NMAP Detection Rule             # -->
                              <!-- ################################### -->
                              <group name="NMAP_Security_Correlations,">
                                <rule id="100100" level="10">
                                  <if_matched_sid>31101</if_matched_sid>
                                  <match>Nmap Scripting Engine</match>
                                  <description>NMap Scripting Engine Detected</description>
                                  <location>/var/log/apache2/access.log</location>
                                </rule>
                              </group>

                              0245-web_rules.xml

                              I examined it and combined them, but I did not understand the logic.

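The logic the last post asks about is the parent/child structure of the Wazuh ruleset. The following local_rules.xml fragment is an added example written for this page; it is not code from the thread or from Wazuh's shipped ruleset. It assumes a Wazuh 3.x/4.x manager with the stock 0245-web_rules.xml (rule 31100, level 0, "Access log messages grouped", is the parent of every rule the web-accesslog decoder feeds, and 31101 is its 4xx child), and that rule ids 100100 and 100101 are unused in the local 100000-119999 range. A child rule uses <if_sid> and is evaluated against the same log line as its parent, which is why no decoder and no <location> tag are needed; <if_matched_sid>, the tag that happened to make the posted rule fire, is a correlation tag that refers to an alert that has already been raised and is meant to be paired with frequency and timeframe:

```xml
<!-- Added example for local_rules.xml; not from the thread or from Wazuh's ruleset. -->
<group name="web,attack,">

  <!-- Child of built-in rule 31100 (web-accesslog decoder, level 0).
       <if_sid> makes this rule part of the normal parent/child walk, so it
       is tested on every parsed access-log line whatever the status code.
       <match> is a case-sensitive substring test against the full log line,
       which is enough because the decoder does not extract the user agent. -->
  <rule id="100100" level="7">
    <if_sid>31100</if_sid>
    <match>Nmap Scripting Engine</match>
    <description>Nmap Scripting Engine user agent in web access log.</description>
    <group>recon,pci_dss_11.4,</group>
  </rule>

  <!-- Correlation rule: this is what <if_matched_sid> is for. It fires when
       rule 100100 has already alerted 10 times from the same source IP within
       60 seconds, i.e. an NSE scan rather than a single probe.
       Ids 100100/100101 are assumed to be free in the local range. -->
  <rule id="100101" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Nmap Scripting Engine scan: repeated requests from the same source IP.</description>
    <group>recon,pci_dss_11.4,</group>
  </rule>

</group>
```

Two checks before blaming the rule: the agent's ossec.conf must carry a <localfile> entry for /var/log/apache2/access.log (with log_format apache), otherwise the line never reaches the manager, and the manager must be restarted after editing local_rules.xml because rules are evaluated there. To test without waiting for a real scan, paste the access-log line from the thread into /var/ossec/bin/ossec-logtest (wazuh-logtest on Wazuh 4.x) and confirm that phase 3 reports rule id 100100 instead of 31101. Giving the new rule a level above 31101's level 5 matters: Wazuh orders sibling rules by level, so the higher-level child is tried first and wins the match for the NSE line.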