Scan port using NMAP on Windows


Adiel Jesus Navarro Rosado

Apr 4, 2022, 11:10:53 AM
to Wazuh mailing list

How can I detect port scanning with NMAP on Windows?

Is there any rule for this on Windows?

 


This message (including attachments) is for the sole use of the person or entity to whom it is being sent. Therefore, it contains strictly confidential and legally protected material whose disclosure is subject to penalty by law. If the person reading this message is not the one to whom it is being sent and/or is not an employee or the responsible agent for this information, this person is herein notified that any unauthorized dissemination, distribution or copying of the materials included in this facsimile is strictly prohibited. If you received this document by mistake please notify immediately to the subscriber and destroy the message. It is the recipient’s responsibility to ensure that this message (including attachments) is virus free. Any opinions contained in this e-mail are those of the author of the message and do not necessarily coincide with those of [Radiomóvil Dipsa S.A. de C.V.] or any of its control, controlled, affiliates and subsidiaries companies. No part of this message or attachments may be used or reproduced in any manner whatsoever.

Marcel Kemp

Apr 6, 2022, 5:40:02 AM
to Wazuh mailing list

Hi Adiel,

It depends on what you're looking for.

Wazuh is an excellent HIDS (Host-based Intrusion Detection System) among other things. In addition to its rule-based analysis of log events from agents and other devices, it also performs file integrity monitoring and anomaly detection. This provides a great deal of insight into the security of your digital assets. Ex: https://wazuh.com/blog/detecting-metasploit-attacks/

Thanks to this, since it can collect system logs and create specific rules that are parsed to detect various events, it is possible to detect weird traffic on ports. For this, however, it is necessary to activate the host firewall and collect its logs (or collect the router logs), as these will have enough information to detect port scanning. With these logs, you can create custom rules to match the pattern you are looking for. Keep in mind that if you only configure it this way, there are ways around this detection, which is why some security issues are more successfully detected by inspecting a server's actual network traffic, which is generally not accounted for in the logs.

Wazuh does have native integration with both Suricata and Snort, which are NIDS (Network Intrusion Detection System) software and work well to detect threats in networking.
Also, there is a tool called OwlH, which is part of the Wazuh project and will help you deploy the right Network Intrusion Detection System in your environment, configure it correctly and keep it updated. Some features of this tool are:
- Detection of new systems in the network.
- Detection of hidden systems that are using spoofing.
- Detection of unauthorized use of services.
- Prevention mode. Running in Intrusion Prevention System (IPS) mode, a Network IDS may also act by stopping, blocking, or discarding a bad connection as soon as it is detected.

You can read more about two open-source NIDS solutions at these links:
As for the rules, there are no default rules for tools like Nmap, although there are decoders for the NIDS logs, so you can create a custom rule for the specific threat type. However, they could easily be added if required, depending on what you want to do. Note that Wazuh analyses data and generates alerts for important security events. One option, for example, would be the one discussed above, where we activate the host's firewall and collect all the relevant information, so that once we have that information, we can create a rule to alert us to a specific pattern of actions. This would require writing some custom decoders and rules for the alerts to be generated. Below, I share with you the step-by-step documentation:
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

If you have any questions, feel free to ask.
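As an added illustration of the host-firewall approach described in the reply above (this is not part of Marcel's answer and not a ruleset shipped by Wazuh), the pieces could be wired up as follows. It assumes Windows Firewall is writing dropped-packet entries to the default pfirewall.log path; the decoder names, the rule IDs in the custom range (100200/100201), the sample log line and the threshold of 20 different ports in 60 seconds are all constructed choices for this example.

```xml
<!-- 1. Agent side (ossec.conf on the Windows host): ship the firewall log to the manager.
     Assumes the firewall profile logs dropped packets to the default path below
     (constructed example; adjust the path to your setup). -->
<localfile>
  <location>C:\Windows\System32\LogFiles\Firewall\pfirewall.log</location>
  <log_format>syslog</log_format>
</localfile>

<!-- 2. Manager side, local_decoder.xml: extract the W3C-style fields from a line such as
       2022-04-04 11:10:53 DROP TCP 192.0.2.10 192.0.2.20 51234 445 52 S 0 0 0 - - - RECEIVE
     (constructed sample line; field order is date time action protocol src-ip dst-ip
     src-port dst-port ...). Header lines starting with '#' never match the prematch. -->
<decoder name="windows-firewall-log">
  <prematch>^\d+-\d+-\d+ \d+:\d+:\d+ \w+ \w+ </prematch>
</decoder>

<decoder name="windows-firewall-log-fields">
  <parent>windows-firewall-log</parent>
  <regex>^\d+-\d+-\d+ \d+:\d+:\d+ (\w+) (\w+) (\S+) (\S+) (\S+) (\S+) </regex>
  <order>action, protocol, srcip, dstip, srcport, dstport</order>
</decoder>

<!-- 3. Manager side, local_rules.xml -->
<group name="windows,firewall,">

  <!-- Base rule: one event per dropped packet. Level 3 keeps it in the archive
       without paging anyone; it exists so the correlation rule has something to count. -->
  <rule id="100200" level="3">
    <decoded_as>windows-firewall-log</decoded_as>
    <action>DROP</action>
    <description>Windows Firewall dropped a packet from $(srcip) to port $(dstport)</description>
  </rule>

  <!-- Correlation rule: the same source being dropped on many different ports in a
       short window is the pattern a port sweep leaves in the firewall log.
       frequency/timeframe are assumptions; tune them to the host's normal traffic
       so that a single noisy client does not trip it. -->
  <rule id="100201" level="10" frequency="20" timeframe="60">
    <if_matched_sid>100200</if_matched_sid>
    <same_srcip/>
    <different_dstport/>
    <description>Possible port scan: $(srcip) was dropped on 20+ different ports within 60 seconds</description>
  </rule>
</group>
```

Two caveats a practitioner should check before relying on this: Windows Firewall does not log dropped packets by default, so the base rule matches nothing until that logging is switched on for each active profile, and, as the reply notes, this only sees what the host firewall rejects; a scan against ports that are actually open produces ALLOW entries (or none at all if allowed traffic is not logged), which is where a NIDS such as Suricata is the better fit.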