Password sniffer "dsniff" not detected with wazuh ?


Steph b

May 11, 2024, 4:34:59 AM
to Wazuh | Mailing List
Hello!
I just tested the dsniff utility on a Debian 12 machine with the Wazuh agent 4.7.3.
My Wazuh server dashboard is on the latest v4.7.4.

Dsniff is a password sniffer for several protocols.

To my great surprise, the agent does not detect anything abnormal when I run the sniffer on the machine (nothing visible in the dashboard events).

I just upgraded the machine agent with dsniff to version 4.7.4, and I have the same result: no detection.

Do you have an explanation?

Regards,
Stephane

Md. Nazmur Sakib

May 15, 2024, 8:10:09 AM
to Wazuh | Mailing List

Hi Stephane,

I can see that Wazuh cannot detect the dsniff util, as there is no rule to detect it.

You can do this with the following workaround.

Add this configuration to the agent.conf of the group to detect a running process for a group of agents:


  <localfile>
    <log_format>full_command</log_format>
    <alias>process list</alias>
    <command>ps -e -o pid,uname,command</command>
    <frequency>30</frequency>
  </localfile>


Ref: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html



Next, add this custom rule to detect running commands related to the dsniff utility:


<group name="ossec,">
  <!-- Parent rule: matches every 'process list' snapshot, generates no alert -->
  <rule id="100050" level="0">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'process list'</match>
    <description>List of running processes.</description>
    <group>process_monitor,</group>
  </rule>

  <!-- Child rule: alerts when the snapshot contains an arpspoof or dsniff process -->
  <rule id="100051" level="7">
    <if_sid>100050</if_sid>
    <match>arpspoof|dsniff</match>
    <description>Dsniff util is running</description>
    <group>process_monitor,</group>
  </rule>
</group>


Ref: https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html


After adding the rule, restart the manager.


Now run this command:

sudo arpspoof 192.168.65.128 -t 192.168.65.133



This should reflect an alert on your dashboard.



I hope you find this information helpful.

Steph b

May 15, 2024, 2:08:06 PM
to Wazuh | Mailing List
Hi Nazmur,
I thank you for your answer.

Yes, I find this information helpful.
There is still something I don't understand.
I admit that I haven't looked into exactly how Dsniff works, but this rule will only match if the process is called Dsniff, right?
If the process is renamed to Desniff, there will be no triggering of the rule, right?

How come Wazuh doesn't detect this behavior?

Regards,
Steph

Md. Nazmur Sakib

May 16, 2024, 6:46:06 AM
to Wazuh | Mailing List

Yes, you need to define the patterns in the rule to detect it.

As I explained earlier, Wazuh detects alerts based on logs forwarded to Wazuh and the corresponding rules. You can use different NIDS tools and forward the logs from those tools to Wazuh to trigger alerts.

I hope you find this information helpful.
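As an added illustration (not code from the thread or from Wazuh itself), the Python below simulates how the two rules above chain on a constructed `ps` snapshot, and shows the limitation Stephane raised: `<match>` is a literal substring test on the process list, so a renamed binary produces no alert. It assumes Wazuh's built-in rule 530 has already matched the command-output event and approximates `<match>` semantics (`|` as OR, a leading `^` as a start anchor).

```python
# Constructed sample of what the agent's full_command collector would send
# for `ps -e -o pid,uname,command` (not real captured output).
PROCESS_LIST = """  PID USER     COMMAND
    1 root     /sbin/init
  842 root     /usr/lib/systemd/systemd-journald
 1301 root     dsniff -i eth0
 1322 root     arpspoof -i eth0 -t 192.168.65.133 192.168.65.128
"""

# Same snapshot after the binaries are renamed (the case asked about above).
RENAMED_LIST = PROCESS_LIST.replace("dsniff", "desniff").replace("arpspoof", "arps")

# The thread's two rules, reduced to the fields the simulation needs.
RULES = [
    {"id": 100050, "level": 0, "if_sid": 530, "match": "^ossec: output: 'process list'"},
    {"id": 100051, "level": 7, "if_sid": 100050, "match": "arpspoof|dsniff"},
]


def agent_event(alias, output):
    """Wrap command output the way a full_command event reaches the manager."""
    return f"ossec: output: '{alias}':\n{output}"


def ossec_match(pattern, text):
    """Approximation of Wazuh <match>: '|' separates alternatives, a leading
    '^' anchors that alternative to the start of the event, and everything
    else is a literal, case-sensitive substring test."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def evaluate(event, base_sid=530):
    """Walk the chain: a child rule is only tested after its if_sid parent
    fired. Assumes built-in rule 530 (command output) already matched the
    event. Returns the last rule that fired (level 0 means no alert)."""
    fired = {"id": base_sid, "level": 0}
    for rule in RULES:
        if rule["if_sid"] == fired["id"] and ossec_match(rule["match"], event):
            fired = rule
    return fired
```

The original snapshot ends on rule 100051 (level 7 alert); the renamed snapshot stops at rule 100050 (level 0), which is exactly the gap a name-based rule leaves.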
