Nmap scan not detected by security onion


Ichran Ibiâan

Aug 4, 2020, 6:05:08 AM
to security-onion

Hi Everyone,

In my internship project I'm asked to install an NSM solution, which is Security Onion, to monitor a SLES 11 server (VM). After I installed both machines and configured the Wazuh agent and Wazuh manager, I tested an Nmap scan using a 3rd VM. The scan attempt is not detected on Security Onion (Sguil, Squert, Kibana), even though the attempt is logged on the SLES machine, and a test attempt to log in as root with a wrong password is detected. So my question is: how can I know if the logs were sent by the Wazuh agent (SLES)? And where can I find them on the Security Onion machine?

Thanks

Ichran Ibiâan

Aug 4, 2020, 7:17:55 AM
to security-onion
When I started working on it I used to get an "ET SCAN" alert, but recently, when I reinstalled both the Security Onion and SLES VMs and started testing, no alert is generated.

Wes Lambert

Aug 4, 2020, 7:45:10 AM
to securit...@googlegroups.com
Are you seeing any of the SLES VM traffic come across the sniffing interface?

Wazuh raw logs will be in /var/ossec/logs, and logs/alerts should be viewable in Kibana.

Thanks,
Wes

On Tue, Aug 4, 2020 at 7:17 AM Ichran Ibiâan <bi3och...@gmail.com> wrote:
When I started working on it I used to get an "ET SCAN" alert, but recently, when I reinstalled both the Security Onion and SLES VMs and started testing, no alert is generated.

To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/ede97633-b28a-4cf6-81ad-1fd509806366o%40googlegroups.com.



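The two checks suggested in the reply above, written out as an added shell example that is not part of this thread or of the Security Onion project: count the SLES VM's packets in tcpdump output taken on the sniffing interface, and count the Wazuh alerts in alerts.log that are attributed to the SLES agent. The interface name (eth1), the SLES address (192.168.56.20), the agent name (sles11) and the sample tcpdump/alerts.log text are all constructed assumptions; substitute your own values and pipe real output in.

```shell
#!/bin/sh
# Added example, not from the thread or the Security Onion project.
# Offline versions of the two checks in the reply above:
#   1. does traffic from the SLES VM actually reach the sniffing interface?
#   2. does the Wazuh manager on Security Onion record alerts from the agent?
# Assumed names (change to match your lab): sniffing interface eth1,
# SLES VM 192.168.56.20, Wazuh agent name "sles11".
#
# The live commands on the Security Onion box would be:
#   sudo tcpdump -nni eth1 -c 20 host 192.168.56.20
#   sudo grep -A2 '(sles11)' /var/ossec/logs/alerts/alerts.log | tail -n 30
# Here their output is replaced by constructed samples so the script runs anywhere.

# Count packets in "tcpdump -nn" output (stdin) whose source or destination is IP.
# The trailing port is stripped only when one is present, so ICMP lines count too.
count_host_packets() {
    awk -v ip="$1" '
        function host(a) { if (gsub(/\./, ".", a) == 4) sub(/\.[0-9]+$/, "", a); return a }
        $2 == "IP" {
            dst = $5; sub(/:$/, "", dst)
            if (host($3) == ip || host(dst) == ip) n++
        }
        END { print n + 0 }'
}

# Count Wazuh/OSSEC alerts in alerts.log (stdin) whose agent line names AGENT.
# The second line of each alert looks like:
#   2020 Aug 04 10:05:08 (sles11) 192.168.56.20->/var/log/messages
count_agent_alerts() {
    awk -v agent="$1" '
        $0 ~ ("^[0-9]+ [A-Z][a-z][a-z] [0-9 ][0-9] [0-9:]+ \\(" agent "\\) ") { n++ }
        END { print n + 0 }'
}

# Turn the two counts into the conclusion you would draw from them.
diagnose() {   # usage: diagnose PACKETS ALERTS
    if [ "$1" -eq 0 ]; then
        echo "no-traffic: fix the span/mirror or promiscuous mode before looking at NIDS rules"
    elif [ "$2" -eq 0 ]; then
        echo "no-agent-alerts: agent is not reporting; check enrollment and /var/ossec/logs/ossec.log"
    else
        echo "both-ok: traffic and HIDS alerts arrive; look at the NIDS rule set and thresholds for the scan"
    fi
}

# --- constructed sample output (not captured from the poster's lab) ---
SAMPLE_TCPDUMP=$(cat <<'EOF'
10:05:08.100001 IP 192.168.56.30.51234 > 192.168.56.20.22: Flags [S], seq 1, win 1024, length 0
10:05:08.100120 IP 192.168.56.20.22 > 192.168.56.30.51234: Flags [S.], seq 2, ack 2, win 29200, length 0
10:05:08.100300 IP 192.168.56.30 > 192.168.56.20: ICMP echo request, id 1, seq 1, length 64
10:05:09.000000 IP 192.168.56.10.40000 > 8.8.8.8.53: 12345+ A? example.com. (29)
EOF
)

SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1596535508.4321: - syslog,sshd,authentication_failed,
2020 Aug 04 10:05:08 (sles11) 192.168.56.20->/var/log/messages
Rule: 5716 (level 5) -> 'sshd: authentication failed.'
Aug  4 10:05:07 sles11 sshd[2345]: Failed password for root from 192.168.56.30 port 51234 ssh2

** Alert 1596535520.5555: - syslog,sshd,authentication_failed,
2020 Aug 04 10:05:20 (sles11) 192.168.56.20->/var/log/messages
Rule: 5716 (level 5) -> 'sshd: authentication failed.'

** Alert 1596535530.6666: - syslog,
2020 Aug 04 10:05:30 (metasploitable) 192.168.56.40->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed.'
EOF
)

sles_packets=$(printf '%s\n' "$SAMPLE_TCPDUMP" | count_host_packets 192.168.56.20)
sles_alerts=$(printf '%s\n' "$SAMPLE_ALERTS" | count_agent_alerts sles11)
echo "packets to/from SLES on sniffing interface: $sles_packets"
echo "Wazuh alerts from agent sles11: $sles_alerts"
diagnose "$sles_packets" "$sles_alerts"
```

On a real Security Onion box, replace the two samples with `sudo tcpdump -nni <sniffing-iface> -c 20 host <sles-ip>` and `sudo cat /var/ossec/logs/alerts/alerts.log`; a zero packet count means the problem is upstream of Security Onion (the VM network or mirror), not in Wazuh or the NIDS rules.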
Ichran Ibiâan

Aug 4, 2020, 8:10:42 AM
to security-onion
In fact I can't see any traffic across the sniffing interface, even if I use a Metasploitable VM.