    kemal.tunc (@kemal.tunc)

    Reputation: 3
    Profile views: 25
    Posts: 6
    Followers: 0
    Following: 1

    Best posts made by kemal.tunc

    • Wazuh when I write the rule I encounter with a problem (Nmap Scripting

      I started writing rules. I am trying to understand the logic. I started by copying the Windows rule.

      But I want to write a special rule according to the log I have received.

      Can you help me?

      Or can you tell me my wrong points?

      Sorry for broken English.

      Log:

      172.20.10.6 - - [18/Jun/2020:11:30:38 +0000] "HEAD /sitecore/admin/ShowConfig.aspx HTTP/1.1" 404 1824 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

      decoder:

      <decoder name="example">
      <program_name>^example</program_name>
      </decoder>

      <decoder name="example">
      <type>web-log</type>
      <parent>example</parent>
      <prematch>\W*((?i)Nmap Scripting Engine(?-i))\W*</prematch>
      <regex>\W*((?i)Nmap Scripting Engine(?-i))\W*</regex>
      <order>nmap, webattack</order>
      </decoder>

      rule:
      <group name="example,">
      <rule id="100010" level="5">
      <program_name>example</program_name>
      <regex>"[NHTTP]\w\W\w\S\w\S....."</regex>
      <description>Nmap Scripting Web Attack</description>
      <group>attack,pci_dss_11.4,gdpr_IV_35.7.d,nist_800_53_SI.4,</group>
      </rule>
      </group>

      posted in IT Discussion
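      An added example for the question above; it is not the poster's configuration and not a file shipped with Wazuh. It assumes the stock web-log decoder and rules (rule 31100 groups all access-log events and 31101, cited later in this thread, is its 4xx child, both from 0245-web_rules.xml), so no custom decoder is needed: an Apache or nginx access-log line carries no syslog program name, which is why a decoder keyed on <program_name> never sees these events. The rule ids, group names and the frequency/timeframe thresholds are values chosen here.

```xml
<!-- Added example, not the poster's rules: local rules built on the stock
     web-accesslog rule chain (31100 = "Access log messages grouped"). -->
<group name="local,web,nmap_scan,">

  <!-- Fire on any access-log line whose user agent advertises the Nmap
       Scripting Engine, whatever the HTTP status code was. <match> is a
       plain substring test on the full log line, so the Apache format does
       not have to be re-parsed here. -->
  <rule id="100100" level="8">
    <if_sid>31100</if_sid>
    <match>Nmap Scripting Engine</match>
    <description>Nmap Scripting Engine user agent seen in web access log</description>
    <group>recon,pci_dss_11.4,</group>
  </rule>

  <!-- Escalate when the same source IP triggers the rule above ten times
       within two minutes: one probe is noise, a burst is an active NSE
       script scan. srcip comes from the web-accesslog decoder. -->
  <rule id="100101" level="12" frequency="10" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Burst of Nmap Scripting Engine requests from one source (possible NSE scan)</description>
    <group>recon,</group>
  </rule>

</group>
```

      Before restarting the manager, paste the access-log line from the post into /var/ossec/bin/ossec-logtest (wazuh-logtest on Wazuh 4.x) and check two things in its output: that the decoder shown is web-accesslog, and that rule 100100 is the one that fires. If no rule fires, the decoder line is the first place to look, because a rule anchored with <if_sid> can only match an event that the parent rule already matched.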
    • RE: Wazuh when I write the rule I encounter with a problem (Nmap Scripting

      What log file is storing this?

      Apache.

      What if I replace the nginx section with apache?

      posted in IT Discussion
    • RE: Wazuh when I write the rule I encounter with a problem (Nmap Scripting

      @IRJ

      Based on this value, the rule worked:

      <if_matched_sid>31101</if_matched_sid>

      <!-- Local rules -->
      <!-- Modify it at your will. -->
      <!-- Copyright (C) 2015-2020, Wazuh Inc. -->
      <!-- Example -->
      <!-- ################################### -->
      <!-- # NMAP Detection Rule # -->
      <!-- ################################### -->
      <group name="NMAP_Security_Correlations,">
      <rule id="100100" level="10">
      <if_matched_sid>31101</if_matched_sid>
      <match>Nmap Scripting Engine</match>
      <description>NMap Scripting Engine Detected</description>
      <location>/var/log/apache2/access.log</location>
      </rule>
      </group>

      0245-web_rules.xml

      I examined and combined them, but I did not understand the logic.

      posted in IT Discussion

    Latest posts made by kemal.tunc

    • RE: Wazuh when I write the rule I encounter with a problem (Nmap Scripting

      Nothing changed.

      posted in IT Discussion
    • RE: Wazuh when I write the rule I encounter with a problem (Nmap Scripting

      After the rule, it realized.

      posted in IT Discussion
    • RE: Wazuh when I write the rule I encounter with a problem (Nmap Scripting

      Unfortunately it didn't show.

      ip - - [02/Jul/2020:14:14:40 +0000] "HEAD /modelsearch/login.cfm HTTP/1.1" 404 1374 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

      /var/log/apache2/access.log

      <group name="NMAP_Security_Correlations,">
      <rule id="100100" level="5">
      <match>Nmap Scripting Engine</match>
      <description>NMap Scripting Engine Detected</description>
      <location>/var/log/apache2/access.log</location>
      </rule>
      </group>

      (screenshot: Ekran Resmi 2020-07-02 17.21.39.png)

      wazuh-manager restart done.

      posted in IT Discussion