Detection of hidden ports


Nidhi Soni

Mar 1, 2023, 12:44:24 AM
to Wazuh mailing list
Hi all,
I have wazuh manager version: 4.3.7 installed on ubuntu
I have wazuh agent 4.3.7 installed on ubuntu

How can I get alerts for hidden ports using rootcheck

Ifeanyi Onyia Odike

Mar 1, 2023, 3:43:03 AM
to Wazuh mailing list
Hi Nidhi,

Thank you for using Wazuh!

To answer your query: you would like to detect open ports on monitored agents using Wazuh.

You can integrate NMAP with Wazuh to scan network subnets for open ports and services, as explained and exemplified in the following repository: Github Wazuh-Nmap
NMAP must be installed on the agents and the NMAP output converted to JSON and added to the active responses file of each agent.

Below is a blog post that also details how this can be achieved. Socfortress - Using Wazuh stack to run network scans
Let me know if your objectives were achieved with the information provided.

BR,

Nidhi Soni

Mar 1, 2023, 9:16:06 AM
to Wazuh mailing list
Hi,

I want to detect hidden ports using rootcheck as mentioned in the documentation:
https://documentation.wazuh.com/current/user-manual/capabilities/anomalies-detection/how-it-works.html

What steps should I follow to get alerts for the hidden ports using rootcheck?

Ifeanyi Onyia Odike

Mar 1, 2023, 1:39:53 PM
to Wazuh mailing list
Hi Nidhi,

Please note that Wazuh mentions this as a functionality of the Rootcheck feature.
To configure, please see the example provided in the guide: Anomaly and malware detection - Basic example

I hope this helps.

BR,

Nidhi Soni

Mar 2, 2023, 12:57:30 AM
to Wazuh mailing list
Hi,

I have installed the Reptile rootkit and did the required configuration as given in the Wazuh blog:

https://wazuh.com/blog/using-wazuh-rootcheck-to-detect-reptile-rootkit


I used this command to hide it: /reptile/reptile_cmd conn <ip> <port> hide

After that, when I use netstat -tun | grep <port>, the network connection does not show up.

But I did not get alerts in alerts.json, and I also didn't get logs in archives.json for hidden ports.
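For readers following this thread, here is an added example (not from the thread, not Wazuh's own code) of the rootcheck-style hidden-port check the linked documentation describes: try to bind() every port, and flag any port that refuses the bind but is absent from the kernel's own connection table. It assumes Linux (/proc/net/tcp), probes TCP only, and uses a constructed /proc/net/tcp sample; the function names are mine.

```python
"""Rootcheck-style hidden-port probe (added example, not Wazuh's own code).

Idea: a port that refuses bind() is owned by some socket, so if the kernel's
connection table (what netstat/ss print) does not list it, something is
hiding it from userland.
"""
import errno
import socket

# /proc/net/tcp state code for LISTEN
TCP_LISTEN = "0A"

# Constructed sample of /proc/net/tcp (not captured from a real host):
# port 8080 (0x1F90) listening, port 53 (0x0035) with an established connection.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0\n"
    "   1: 0100007F:0035 0100007F:C000 01 00000000:00000000 00:00000000 00000000     0        0 2 1 0\n"
)


def parse_proc_net_tcp(text, listen_only=True):
    """Return the set of local TCP ports visible in /proc/net/tcp content."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1]:
            continue  # header or malformed line
        local_addr, state = fields[1], fields[3]
        if listen_only and state != TCP_LISTEN:
            continue
        ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def read_visible_ports(listen_only=True):
    """Ports the kernel admits to in /proc/net/tcp. Linux only."""
    with open("/proc/net/tcp") as fh:
        return parse_proc_net_tcp(fh.read(), listen_only)


def port_is_in_use(port):
    """Bind probe: True if bind() fails with EADDRINUSE, False if it succeeds,
    None if the probe cannot decide (e.g. EACCES on a privileged port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        # SO_REUSEADDR lets the probe ignore TIME_WAIT leftovers but still
        # conflicts with a socket that is really in LISTEN state.
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            probe.bind(("0.0.0.0", port))
        except PermissionError:
            return None
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
        return False


def find_hidden_ports(ports, visible_ports):
    """Ports that refuse bind() but are absent from visible_ports."""
    return [p for p in ports if port_is_in_use(p) and p not in visible_ports]


def demo():
    """Open a local listener and run the check twice: against the real
    /proc/net/tcp view, and against an empty view that simulates a rootkit
    hiding the socket from the connection table."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        return {
            "port": port,
            "honest_view": find_hidden_ports([port], read_visible_ports()),
            "hidden_view": find_hidden_ports([port], set()),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

A full sweep would call find_hidden_ports(range(1, 65536), read_visible_ports()); read the visible set immediately before probing, since a service starting between the two steps would otherwise show up as a false positive, and treat a None result from the bind probe as "undetermined" rather than as hidden.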

Ifeanyi Onyia Odike

Mar 2, 2023, 4:08:36 AM
to Wazuh mailing list
Hi Nidhi,

Did you get the other alerts as stated in the blog post?

Nidhi Soni

Mar 2, 2023, 4:36:10 AM
to Wazuh mailing list

Hi,

Yes, I got the other alerts for:
Hide a process
Hide files and folders
Enable promiscuous mode on a network interface

Ifeanyi Onyia Odike

Mar 2, 2023, 2:30:05 PM
to Wazuh mailing list
Hi Nidhi,

I will attempt to replicate this lab and revert with my findings.
I will respond to this as soon as I have the answer.

BR,