LLMNR/NBT-NS Poisoning and SMB Relay


Mikayel Mikayelyan

Feb 29, 2024, 11:56:43 AM
to Wazuh | Mailing List
Hi all, how can I detect an LLMNR attack in Wazuh, and how can I connect the T1557.001 framework in Wazuh with Suricata?

Eli Josue Rodriguez

Mar 1, 2024, 3:46:39 PM
to Wazuh | Mailing List
Hello Mikayel! Sorry for the late response. Let me research some information for you. At the moment, I can give you this, which is about Suricata and Wazuh.

Eli Josue Rodriguez

Mar 8, 2024, 6:28:51 PM
to Wazuh | Mailing List
Hello again! I was investigating and asking about your request; despite not having an exact solution, I can give you a couple of things that may direct you to what you want.

You should look to see if Suricata detects this type of attack (probably yes), or perhaps this can help Suricata detect the attack you mention.

As I also told you in the previous comment, it is possible to configure Suricata and Wazuh together; I'll leave you the links again so you can review and try them.


Then, you must create your custom rule/decoder to alert. To create the custom rule/decoder, you can rely on our Wazuh guide, in which we explain how to do it.

In addition, T1557.001 is a section within the MITRE matrix. This matrix describes attacks and techniques that hackers commonly use; here it is the same: you must create your own rules that detect these techniques.

You can also check our guide for Mitre configuration https://documentation.wazuh.com/current/user-manual/ruleset/mitre.html

I hope this can give you a little guidance on what you want to do.

Best,
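As an added illustration of the two points above (a custom rule on top of the Suricata alerts Wazuh already decodes, and tagging it with the MITRE technique), here is an example Wazuh custom rule. It is not from the thread or from the Wazuh ruleset; it assumes Suricata's eve.json is already being ingested by Wazuh, that the shipped Suricata rule 86601 (the generic "Suricata: Alert" rule) is present, and that the Suricata signatures you use for this attack have "LLMNR", "NBNS" or "NetBIOS" in their signature name. The rule id 100100 and the signature-name pattern are assumptions; adjust them to your rule set.

```xml
<!-- Example custom rule, not part of the Wazuh ruleset. Place it in
     /var/ossec/etc/rules/local_rules.xml and restart the manager. -->
<group name="suricata,llmnr_poisoning,">

  <!-- Child of the shipped Suricata alert rule (86601), so it only fires
       on decoded Suricata events whose event_type is "alert". -->
  <rule id="100100" level="10">
    <if_sid>86601</if_sid>

    <!-- Assumption: the Suricata signature name mentions one of these
         protocols. Match on alert.signature_id instead if you prefer
         to pin the rule to specific Suricata SIDs from your rule set. -->
    <field name="alert.signature">LLMNR|NBNS|NetBIOS</field>

    <description>Suricata: possible LLMNR/NBT-NS poisoning - $(alert.signature) from $(src_ip) to $(dest_ip)</description>

    <!-- Ties the alert to MITRE ATT&CK so it shows up in the
         MITRE ATT&CK dashboard under T1557.001. -->
    <mitre>
      <id>T1557.001</id>
    </mitre>
  </rule>

</group>
```

For this to produce anything, Wazuh must first be reading Suricata's eve.json; that is done with a `<localfile>` entry in the agent's ossec.conf whose `<log_format>` is `json`, pointing at the eve.json path (the Suricata integration guide linked above covers it). Once the rule is in place, you can check it with `/var/ossec/bin/wazuh-logtest` by pasting a Suricata alert line that carries one of those signature names and confirming that rule 100100 fires and the MITRE id is attached.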