How to detect port scans using wazuh?
5,870 views
Skip to first unread message
Open Source User
Apr 7, 2020, 9:01:07 AM4/7/20
to Wazuh mailing list
Dear Team,
I hope are very well, be aware of COVID 19.
I have one question, How to detect port scan using some tools example( Nmap, NetScan Tool, Global Network Inventory Scanner, Nessus....etc), it's possible to detect? and how?
Thank's
OSU
Franco Giovanolli
Apr 10, 2020, 7:11:41 AM4/10/20
to Wazuh mailing list
Hi OSU, Wazuh is an excellent HIDS (Host-based Intrusion Detection System) among other things. In addition to it’s rule-based analysis of log events from agents and other devices, it also performs file integrity monitoring and anomaly detection. This provides a great deal of insight into the security of your digital assets. However, some security issues are most successfully detected by inspecting a server’s actual network traffic, which generally is not accounted for in logs. This is where a NIDS (Network Intrusion Detection System) can provide additional insight into your security in a way that is highly complementary to the HIDS functionality in Wazuh.
You can read more in these links, about two NIDS opensource solution:
- Suricata: https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html
You can read more in these links, about two NIDS opensource solution:
- Suricata: https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html
Regards!
Franco.
Franco.
Open Source User
Apr 10, 2020, 7:46:14 AM4/10/20
to Wazuh mailing list
Hello Franco,
Thanks for your reply.
I going to share some problem about Suricata. I want to integrate Suricata in wazuh that's why I perform it like your reference document https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html?highlight=suricata. after configuration as per the document, I face some problem which is that wazuh not ready but service is running. My wazuh version 3.12. before wazuh worked find after adding Suricata then I face the problem please need your help.I have attached some snapshots.
Thanks
OSU
Open Source User
Apr 10, 2020, 9:42:52 AM4/10/20
to Wazuh mailing list
hi,
This URL does not work curl http://testmyids.com also I attach a reference document screenshot That did not work. need your help
Franco Giovanolli
Apr 10, 2020, 5:08:24 PM4/10/20
to Wazuh mailing list
Hi OSU, your Wazuh app is still broken?
The correct response of test URL is:
What response do you have?
Regards,
The correct response of test URL is:
$ curl http://testmyids.com
uid=0(root) gid=0(root) groups=0(root)
What response do you have?
Regards,
Franco.
Open Source User
Apr 11, 2020, 10:23:46 AM4/11/20
to Wazuh mailing list
Hello Franco,
Thanks
OSU
Franco Giovanolli
Apr 16, 2020, 12:16:28 AM4/16/20
to Open Source User, Wazuh mailing list
Hi OSU, can you share your suricata.yaml file?
The /var/log/suricata/eve.json should be a log file, not a config file. Please, check steps in https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html
Also, in your print, I see:
The /var/log/suricata/eve.json should be a log file, not a config file. Please, check steps in https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html
Regards!
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/890d0e39-dbe8-4365-8b09-6a773f01843b%40googlegroups.com.
 | Franco Giovanolli Cloud Team  The Open Source Security Platform |
Open Source User
Apr 18, 2020, 4:14:21 AM4/18/20
to Wazuh mailing list
Hello Franco,
Thank you so much for your reply.
Sure, I attached the file as per your requirement. Please check the attached file.
I follow this instruction: https://documentation.wazuh.com/3.12/learning-wazuh/suricata.html?highlight=nids
Note: curl http://testmyids.com output below.
uid=0(root) gid=0(root) groups=0(root)
Thank by
OSU
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/890d0e39-dbe8-4365-8b09-6a773f01843b%40googlegroups.com.
Franco Giovanolli
Jul 22, 2020, 8:03:39 AM7/22/20
to Wazuh mailing list
Hi OSU, sorry for the late response.
The file "/var/log/suricata/eve.json" is an output log file from Suricata service, not a Wazuh configuration file.
Please check this step of the documentation https://documentation.wazuh.com/3.13/learning-wazuh/suricata.html?highlight=nids#get-the-suricata-json-data-to-wazuh to configure Wazuh agents to read the Suricata output.
Franco.
The file "/var/log/suricata/eve.json" is an output log file from Suricata service, not a Wazuh configuration file.
Please check this step of the documentation https://documentation.wazuh.com/3.13/learning-wazuh/suricata.html?highlight=nids#get-the-suricata-json-data-to-wazuh to configure Wazuh agents to read the Suricata output.
Kind regards,
Franco.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages