OSSEC-agent monitoring eth0 for network attacks - Detecting port scans


Stephen

Jun 29, 2018, 8:16:31 AM
to Wazuh mailing list
Hi, I have installed the wazuh-ossec agent on one of my Linux systems. I would like to monitor one of the ethernet ports for unusual network activities like port scans or vulnerability scans.

I've found this article on the ossec website.

Can I use this feature with wazuh agent? 

Borja Arroba

Jul 10, 2018, 1:28:24 PM
to Wazuh mailing list
Hi Stephen, sorry for the late response.

I have tried to do something similar to what is done in the article you mentioned, but I have used the 'psad' application. You can find documentation at:

http://cipherdyne.org/psad/docs/

For the psad configuration, in '/etc/psad/psad/psad.conf' I changed the following lines:

HOSTNAME wazuh_node1;
IPT_SYSLOG_FILE /var/log/syslog;
ENABLE_AUTO_IDS Y;
IGNORE_PORTS NONE;

To update the configuration, execute:
psad --sig-update
systemctl restart psad

For this you will need to configure iptables according to your needs. For testing, I configured it in the following way for simplicity:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

Also, I configured a decoder and rule as follows:

<decoder name="psad">
    <program_name>psad</program_name>
    <prematch>^scan detected</prematch>
    <regex offset="after_prematch">(\S+)\s->\s(\S+)\s(\w+):\s[(\S+)]</regex>
    <order>srcip,dstip,protocol,port</order>
</decoder>

<rule id="100001" level="10">
    <decoded_as>psad</decoded_as>
    <description>Port scan $(protocol) detected: from $(srcip) to $(dstip) ports:$(port)</description>
    <group>pci_dss_10.6.1,gdpr_IV_35.7.d,gdpr_IV_30.1.g,</group>
</rule>

To generate events in the 'syslog' output, I ran:

nmap -PN -sS 192.168.1.59

And I can see in syslog the following output:

Jul 10 18:09:04 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.59 -> 192.168.1.59 udp: [2-65024] udp pkts: 1066 icmp pkts: 1064 DL: 4
Jul 10 18:09:09 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.59 -> 192.168.1.59 udp: [68] udp pkts: 1 DL: 4
Jul 10 18:09:15 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.66 -> 192.168.1.255 udp: [17500] udp pkts: 1 DL: 1

And finally, executing '/var/ossec/bin/ossec-logtest', we can view the alert generated:

Jul 10 18:09:04 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.59 -> 192.168.1.59 udp: [2-65024] udp pkts: 1066 icmp pkts: 1064 DL: 4


**Phase 1: Completed pre-decoding.
       full event: 'Jul 10 18:09:04 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.59 -> 192.168.1.59 udp: [2-65024] udp pkts: 1066 icmp pkts: 1064 DL: 4'
       timestamp: 'Jul 10 18:09:04'
       hostname: 'ag-ubuntu'
       program_name: 'psad'
       log: 'scan detected ( -sU scan): 192.168.1.59 -> 192.168.1.59 udp: [2-65024] udp pkts: 1066 icmp pkts: 1064 DL: 4'

**Phase 2: Completed decoding.
       decoder: 'psad'
       srcip: '192.168.1.59'
       dstip: '192.168.1.59'
       protocol: 'udp'
       port: '2-65024'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '10'
       Description: 'Port scan udp detected: from 192.168.1.59 to 192.168.1.59 ports:2-65024'
**Alert to be generated.


I hope it will be helpful. If you have any further questions, please do not hesitate to write to us.
Regards.
Borja Arroba.
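As an added example (not code from the thread, Wazuh or OSSEC), the following Python reproduces the three ossec-logtest phases for the decoder and rule above: syslog pre-decoding, the psad prematch/regex extraction, and the rule 100001 description. It runs over the three psad lines quoted in the thread plus one constructed sshd line; the syslog-header regex and the sshd line are assumptions, and OSSEC's literal '[' and ']' are escaped for Python's re.

```python
import re

# Sample input: the three psad lines quoted above plus one constructed non-psad line.
SAMPLE_LINES = [
    "Jul 10 18:09:04 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.59 -> 192.168.1.59 udp: [2-65024] udp pkts: 1066 icmp pkts: 1064 DL: 4",
    "Jul 10 18:09:09 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.59 -> 192.168.1.59 udp: [68] udp pkts: 1 DL: 4",
    "Jul 10 18:09:15 ag-ubuntu psad: scan detected ( -sU scan): 192.168.1.66 -> 192.168.1.255 udp: [17500] udp pkts: 1 DL: 1",
    "Jul 10 18:10:00 ag-ubuntu sshd[1234]: Accepted publickey for user from 10.0.0.5 port 4000",  # constructed
]

# Phase 1 (assumed BSD syslog header): timestamp, hostname, program_name[pid], log.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")

# Phase 2: the thread's decoder. '[' and ']' are literals in OSSEC regex, so escaped here.
PREMATCH = "scan detected"                                   # <prematch>^scan detected</prematch>
FIELD_RE = re.compile(r"(\S+)\s->\s(\S+)\s(\w+):\s\[(\S+)\]")  # <regex offset="after_prematch">
ORDER = ("srcip", "dstip", "protocol", "port")               # <order>srcip,dstip,protocol,port</order>

def decode_psad(line):
    """Return the decoded fields for a psad scan line, or None if the decoder does not apply."""
    m = SYSLOG_RE.match(line)
    if not m or m.group(3) != "psad":        # <program_name>psad</program_name>
        return None
    log = m.group(4)
    if not log.startswith(PREMATCH):         # the '^' anchors prematch at the start of the log
        return None
    f = FIELD_RE.search(log[len(PREMATCH):])  # regex applied after the prematch
    return dict(zip(ORDER, f.groups())) if f else None

def alert_description(fields):
    """Phase 3: render the rule 100001 <description> template with the decoded fields."""
    return "Port scan {protocol} detected: from {srcip} to {dstip} ports:{port}".format(**fields)

def process(lines):
    """Run decoder and rule over many lines; return (rule_id, level, description) per alert."""
    alerts = []
    for line in lines:
        fields = decode_psad(line)
        if fields:
            alerts.append(("100001", 10, alert_description(fields)))
    return alerts

if __name__ == "__main__":
    for alert in process(SAMPLE_LINES):
        print(alert)
```

Only the first bracketed range per line is captured, which is what the decoder's single port field does as well.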

Open Source User

Apr 11, 2020, 2:09:37 AM
to Wazuh mailing list
Hello Borja,
When I went to this location I did not find any file with the name /etc/psad/psad/psad.conf.

Please clarify about it; my Wazuh version is 3.12, OS CentOS 7. Please give your advice.

Thanks 
OSU 

Borja Arroba

May 11, 2020, 3:38:12 AM
to Wazuh mailing list

Hi User,

Maybe I’m on the wrong path, try /etc/psad/psad.conf.

After installing psad on an Ubuntu system (apt install psad), I found it there.

Regards, and sorry for the late response.
