Network discover


Andrea Lenarduzzi

Jan 13, 2021, 7:26:53 AM
to wa...@googlegroups.com
Hi, is there network discovery software that integrates with Wazuh?

Thank you

Francisco Navarro

Jan 13, 2021, 9:15:16 AM
to Wazuh mailing list
It depends on what you're looking for. Wazuh does have native integration with both Suricata and Snort, which are NIDS (Network Intrusion Detection System) software and work well for detecting threats on the network. Also, there is a tool called OwlH, which is part of the Wazuh project and will help you deploy the right Network Intrusion Detection System in your environment, configure it correctly and keep it updated. Some features of this tool are:
Detection of new systems in the network.
Detection of hidden systems that are using spoofing.
Detection of unauthorized use of services.
Prevention mode. Running in Intrusion Prevention System (IPS) mode, a Network IDS may also act by stopping, blocking, or discarding a bad connection as soon as it is detected.

Recommended readings:
If you mean network discovery tools like Nmap, to scan for hosts, open ports and running services in the network, there are no default rules and decoders for those tools right now, because it is more usual to use a NIDS such as Suricata for this, but they could be easily added if you require them; it depends on what you want to do. Bear in mind that Wazuh analyzes data and generates alerts for important security events. One option, for example, would be to configure the Wazuh command monitoring feature to execute a certain command from time to time (for example, a network scan using Nmap) and report if there is any change in the output. This would require writing some custom decoders and rules for the alerts to be generated. I could help you with this if it is what you are looking for, but I think that using Suricata or Snort would be better for discovering new hosts in the network among other threats. So please, try to be more specific about what you are looking for and what kind of events you want to detect, and I could give you a more concrete answer.

Andrea Lenarduzzi

Jan 13, 2021, 10:32:38 AM
to Wazuh mailing list, Francisco Navarro
Thank you Francisco.
These are activity details.
I would like to scan all my networks to find hosts (desktops, laptops, phones, printers, switches, routers) with IP, MAC, OS version, etc.
Scheduling scans
Then I would like it to alert me if there are new hosts.

Thank you
Uzzi

Francisco Navarro

Jan 18, 2021, 7:57:32 AM
to Wazuh mailing list

To monitor changes in the output of a command you need to add this to the configuration of the hosts where the scan needs to be performed:

<localfile>
  <log_format>full_command</log_format>
  <command>YOUR_COMMAND</command>
  <frequency>120</frequency>
</localfile>

For host discovery with nmap I recommend nmap -sP x.x.x.x/24

Then, whenever the output of this command changes it will be sent to analysisd to generate new alerts. To test this you can use the ossec-logtest utility in /var/ossec/bin. In order to check whether the logs are reaching the manager, I recommend enabling the logall_json option in the manager configuration (this option makes all security events be logged into a file called archives.json and can be used for testing purposes, even though it should be disabled as soon as you finish testing).

In my case, after enabling logall I got the following in the /var/ossec/log/archives/archives.json file:

{"timestamp":"2021-01-18T12:40:26.910+0000","agent":{"id":"000","name":"centos7m"},"manager":{"name":"centos7m"},"id":"1610973626.160680","full_log":"ossec: output: 'nmap -sP 172.17.1.0/24':\nStarting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:40 UTC\nNmap scan report for 172.17.1.1\nHost is up (0.00020s latency).\nMAC Address: 0A:00:27:00:00:01 (Unknown)\nNmap scan report for 172.17.1.17\nHost is up.\nNmap done: 256 IP addresses (2 hosts up) scanned in 2.38 seconds","decoder":{"name":"ossec"},"location":"nmap -sP 172.17.1.0/24"}

If I enter this in the logtest utility:

ossec: output: 'nmap -sP 172.17.1.0/24':\nStarting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:42 UTC\nNmap scan report for 172.17.1.1\nHost is up (0.00034s latency).\nMAC Address: 0A:00:27:00:00:01 (Unknown)\nNmap scan report for 172.17.1.17\nHost is up.\nNmap done: 256 IP addresses (2 hosts up) scanned in 4.71 seconds

**Phase 1: Completed pre-decoding.
       full event: 'ossec: output: 'nmap -sP 172.17.1.0/24':\nStarting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:42 UTC\nNmap scan report for 172.17.1.1\nHost is up (0.00034s latency).\nMAC Address: 0A:00:27:00:00:01 (Unknown)\nNmap scan report for 172.17.1.17\nHost is up.\nNmap done: 256 IP addresses (2 hosts up) scanned in 4.71 seconds'
       timestamp: '(null)'
       hostname: 'centos7m'
       program_name: '(null)'
       log: 'ossec: output: 'nmap -sP 172.17.1.0/24':\nStarting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:42 UTC\nNmap scan report for 172.17.1.1\nHost is up (0.00034s latency).\nMAC Address: 0A:00:27:00:00:01 (Unknown)\nNmap scan report for 172.17.1.17\nHost is up.\nNmap done: 256 IP addresses (2 hosts up) scanned in 4.71 seconds'

**Phase 2: Completed decoding.
       decoder: 'ossec'

**Phase 3: Completed filtering (rules).
       Rule id: '530'
       Level: '0'
       Description: 'OSSEC process monitoring rules.'

So, the command output is reaching the manager and being decoded; it just doesn't trigger any alert because it is not configured for this.

We will create a simple rule that generates an alert if the output of this command changes, as in this example with netstat to check for changes in ports: https://documentation.wazuh.com/4.0/user-manual/capabilities/command-monitoring/command-configuration.html#check-if-the-output-changed

We will use the following rule as a base, adding it to /var/ossec/etc/rules/local_rules.xml:

<rule id="3213" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'nmap -sP</match>
  <check_diff />
  <description>Nmap host detection output changed</description>
</rule>

After including that rule (which uses the check_diff option to trigger alerts only when there is a change between the last output and the current one), if we restart the manager and add another host to the network, an alert like the following one will be triggered:

** Alert 1610974325.167750: - local,syslog,sshd,
2021 Jan 18 12:52:05 centos7m->nmap -sP 172.17.1.0/24
Rule: 321333 (level 7) -> 'Nmap host detection output changed'
ossec: output: 'nmap -sP 172.17.1.0/24':
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:51 UTC
Nmap scan report for 172.17.1.1
Host is up (0.00035s latency).
MAC Address: 0A:00:27:00:00:01 (Unknown)
Nmap scan report for 172.17.1.17
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 6.16 seconds
Previous output:
ossec: output: 'nmap -sP 172.17.1.0/24':
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:51 UTC
Nmap scan report for 172.17.1.1
Host is up (0.00026s latency).
MAC Address: 0A:00:27:00:00:01 (Unknown)
Nmap scan report for 172.17.1.17
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.19 seconds

Of course, you could add extra rules to trigger alerts if a certain specific node gets disconnected, if there are more than X nodes connected, etc. It depends on your needs!

I hope this helps. Do not hesitate to ask again if you have any further issues.
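The check_diff rule above fires on any textual change, and the two outputs in the alert shown differ only in latency and scan time, not in the hosts found. As an added example that is not from the thread or the Wazuh project, this script parses the nmap -sP text carried in full_log and compares host membership only (new, vanished, or MAC-changed hosts), which is the change the question asks to be alerted on; the sample scans and the host 172.17.1.42 are constructed.

```python
import re

# Constructed samples (not from the thread), shaped like Wazuh's full_command log.
PREVIOUS_SCAN = """ossec: output: 'nmap -sP 172.17.1.0/24':
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:51 UTC
Nmap scan report for 172.17.1.1
Host is up (0.00026s latency).
MAC Address: 0A:00:27:00:00:01 (Unknown)
Nmap scan report for 172.17.1.17
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.19 seconds"""

CURRENT_SCAN = """ossec: output: 'nmap -sP 172.17.1.0/24':
Starting Nmap 6.40 ( http://nmap.org ) at 2021-01-18 12:53 UTC
Nmap scan report for 172.17.1.1
Host is up (0.00035s latency).
MAC Address: 0A:00:27:00:00:01 (Unknown)
Nmap scan report for printer.lab (172.17.1.42)
Host is up (0.0012s latency).
MAC Address: 0A:00:27:00:00:2A (Unknown)
Nmap scan report for 172.17.1.17
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 6.16 seconds"""

# Matches "Nmap scan report for 1.2.3.4" and "Nmap scan report for name (1.2.3.4)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})")

def parse_hosts(output):
    """{ip: mac} for each up host; mac is None if Nmap prints none. Timing lines are skipped."""
    hosts, ip = {}, None
    for line in output.splitlines():
        host = HOST_RE.match(line)
        if host:
            ip = host.group(1)
            hosts[ip] = None
        elif ip is not None and (mac := MAC_RE.match(line)):
            hosts[ip] = mac.group(1)
    return hosts

def diff_scans(previous, current):
    """Compare two scans by host membership rather than by raw text."""
    prev, cur = parse_hosts(previous), parse_hosts(current)
    return {
        "new": {ip: cur[ip] for ip in cur if ip not in prev},
        "gone": {ip: prev[ip] for ip in prev if ip not in cur},
        # Same IP now answering from a different MAC: re-addressing or spoofing.
        "mac_changed": {ip: (prev[ip], cur[ip]) for ip in cur
                        if prev.get(ip) and cur[ip] and prev[ip] != cur[ip]},
    }
```

Feeding the "Previous output" and current text from a check_diff alert into diff_scans gives an empty result when only timings changed, which is the case to suppress.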
