How to detect rogue scanning in wazuh


ektadhu...@gmail.com

Apr 1, 2021, 1:21:31 AM
to Wazuh mailing list
Hi Team,

We are running Nessus scanners to scan the network for vulnerabilities. But we want to alert when the scan has been performed from any IP other than the Nessus IP.

How to achieve it? Please assist.

Regards,
Ekta

Daniel Folch

Apr 5, 2021, 4:28:18 AM
to Wazuh mailing list

Hello Ekta,

An option to do this would be to monitor the logs from your scanner and create a set of decoders and rules that generate an alert if the IP of the scanner is not allowed.

Here you have documents where we explain the rule creation process:

Let us know if you need help with this process. It would be helpful if you could share some log examples; please be mindful of any sensitive information such as IP addresses and hide it.

Regards,
Daniel Folch

Daniel Folch

Apr 5, 2021, 11:05:05 AM
to Wazuh mailing list

Hello again,

I have been toying a bit with Wazuh + Nessus, and I have found that when launching a scan Wazuh reports the following alert:

Here you can see the alert in JSON format:

{
  "_index": "wazuh-alerts-4.x-2021.04.05",
  "_type": "_doc",
  "_id": "sRxnongB-AhiUNxvyVhc",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": {
      "hostname": "ubuntu-bionic",
      "program_name": "sshd",
      "timestamp": "Apr  5 14:20:09"
    },
    "input": { "type": "log" },
    "agent": { "ip": "10.0.2.15", "name": "ubuntu18LTS", "id": "001" },
    "data": { "srcip": "172.16.1.17", "srcport": "56904" },
    "manager": { "name": "manager" },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 6,
      "pci_dss": ["11.4"],
      "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"],
      "description": "sshd: insecure connection attempt (scan).",
      "groups": ["syslog", "sshd", "recon"],
      "mitre": {
        "technique": ["Commonly Used Port"],
        "id": ["T1043"],
        "tactic": ["Command and Control"]
      },
      "id": "5706",
      "nist_800_53": ["SI.4"],
      "gpg13": ["4.12"],
      "gdpr": ["IV_35.7.d"]
    },
    "location": "/var/log/auth.log",
    "id": "1617632410.562389",
    "decoder": { "parent": "sshd", "name": "sshd" },
    "full_log": "Apr  5 14:20:09 ubuntu-bionic sshd[5579]: Did not receive identification string from 172.16.1.17 port 56904",
    "timestamp": "2021-04-05T14:20:10.958+0000"
  },
  "fields": { "timestamp": ["2021-04-05T14:20:10.958Z"] },
  "highlight": {
    "agent.id": ["@kibana-highlighted-field@001@/kibana-highlighted-field@"],
    "manager.name": ["@kibana-highlighted-field@manager@/kibana-highlighted-field@"]
  },
  "sort": [1617632410958]
}

As you can see, this alert is generated by rule 5706. With this we can create a simple child rule that will fire if the scan comes from an unauthorized IP:

<group name="recon,syslog,sshd">
  <rule id="100001" level="12">
    <if_sid>5706</if_sid>
    <!-- "!" negates the match: fire for any source IP except the Nessus scanner -->
    <srcip>![NESSUS_IP]</srcip>
    <description>scan from unathorized IP</description>
  </rule>
</group>

You just need to add this rule to /var/ossec/etc/rules/local_rules.xml and restart your manager.

With this rule, if a scan comes from an IP different from the one used by Nessus, you will receive an alert like this:

[Screenshot: Wazuh - Elastic alert view]

Here you can see it in JSON format:


{
  "_index": "wazuh-alerts-4.x-2021.04.05",
  "_type": "_doc",
  "_id": "zRx7ongB-AhiUNxvkViv",
  "_version": 1,
  "_score": null,
  "_source": {
    "predecoder": {
      "hostname": "ubuntu-bionic",
      "program_name": "sshd",
      "timestamp": "Apr  5 14:41:46"
    },
    "input": { "type": "log" },
    "agent": { "ip": "10.0.2.15", "name": "ubuntu18LTS", "id": "001" },
    "data": { "srcip": "172.16.1.17", "srcport": "57282" },
    "manager": { "name": "manager" },
    "rule": {
      "firedtimes": 2,
      "mail": true,
      "level": 12,
      "description": "scan from unathorized IP",
      "groups": ["recon", "syslog", "sshd"],
      "id": "100001"
    },
    "location": "/var/log/auth.log",
    "id": "1617633708.569931",
    "decoder": { "parent": "sshd", "name": "sshd" },
    "full_log": "Apr  5 14:41:46 ubuntu-bionic sshd[5665]: Did not receive identification string from 172.16.1.17 port 57282",
    "timestamp": "2021-04-05T14:41:48.355+0000"
  },
  "fields": { "timestamp": ["2021-04-05T14:41:48.355Z"] },
  "highlight": {
    "agent.id": ["@kibana-highlighted-field@001@/kibana-highlighted-field@"],
    "manager.name": ["@kibana-highlighted-field@manager@/kibana-highlighted-field@"]
  },
  "sort": [1617633708355]
}

Regards,
Daniel Folch

ektadhu...@gmail.com

Apr 9, 2021, 4:28:11 AM
to Wazuh mailing list
Hi Daniel,

Thanks for the support.

But this scan you did is from a Linux box; what alert will we receive for a Windows machine?
Please assist.

Thanks and Regards,
Ekta

Daniel Folch

Apr 9, 2021, 12:14:00 PM
to Wazuh mailing list

Hello Ekta,

Windows seems to be a bit more tricky, but it seems that when running a scan using Nessus the agent reports a bunch of logon and logoff alerts:

[Screenshot: Wazuh - Elastic alert view]

I received around 30 of each in a single scan. Seeing this, a possibility to detect a scan may be to create a rule that checks whether multiple logon attempts were made from an IP different from the Nessus scanner's. First, create a rule for logons from a different IP:

<group name="authentication_success,windows,windows_security">
  <rule id="100001" level="10">
    <if_sid>60106</if_sid>
    <!-- negate="yes" (Wazuh 4.x): fire when the logon source is NOT the scanner; replace 1.1.1.1 with the Nessus IP -->
    <field name="win.eventdata.ipAddress" negate="yes">1.1.1.1</field>
    <description>Unauthorized logon attempt</description>
  </rule>
</group>

And then, using if_matched_sid, we can check whether that rule triggered multiple times during an interval:

<group name="authentication_success,windows,windows_security">
  <rule id="100002" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100001</if_matched_sid>
    <description>Multiple unauthorized logons, possible SCAN</description>
  </rule>
</group>

With this, you will obtain an alert like this one:

[Screenshot: Wazuh - Elastic alert view]

Finally, I would recommend you check which alerts trigger in your system whenever you run a scan and try to adapt these steps to them.


Hope you found this useful, do not hesitate to ask again if you have further questions.

Regards,
Daniel Folch

ektadhu...@gmail.com

Apr 12, 2021, 5:47:38 AM
to Wazuh mailing list
Hi Daniel,

I am using Wazuh version 3.10, which does not support the negate option in field.

How to implement it?
Regards,
Ekta

Daniel Folch

Apr 13, 2021, 7:09:37 AM
to Wazuh mailing list

Hello Ekta,

Then we have two options. The first one is to create a level 0 rule for a logon attempt coming from your Nessus IP, so you can ignore those alerts, and then use if_matched_sid to produce an alert from rule 60106 firing multiple times:

<group name="authentication_success,windows,windows_security">
  <rule id="100001" level="0">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.ipAddress">[NESSUS_IP]</field>
    <description>Authorized logon attempt</description>
  </rule>

  <rule id="100003" level="10" frequency="5" timeframe="120">
    <if_matched_sid>60106</if_matched_sid>
    <description>Multiple unauthorized logons, possible SCAN</description>
  </rule>
</group>

The second option would be to use match for the first rule instead of field:

<group name="authentication_success,windows,windows_security">
  <rule id="100002" level="0">
    <if_sid>60106</if_sid>
    <match>![NESSUS_IP]</match>
    <description>Unauthorized logon attempt</description>
  </rule>

  <rule id="100003" level="10" frequency="5" timeframe="120">
    <if_matched_sid>60106</if_matched_sid>
    <description>Multiple unauthorized logons, possible SCAN</description>
  </rule>
</group>

Regards,
Daniel Folch

ektadhu...@gmail.com

Apr 14, 2021, 12:14:44 AM
to Wazuh mailing list
Hi Daniel,

For the first option you suggested, how will we verify that it is triggering from the same IP, as we are only checking the rule ID? It might be possible that the rule triggers from multiple IPs, in which case the rule will not provide the correct alert.

Regards,
Ekta

Daniel Folch

Apr 14, 2021, 3:34:45 AM
to Wazuh mailing list

Hello,

For that, you can use the same_field option; with this you can check whether the field has been repeated multiple times. The rules will look like this:

<group name="authentication_success,windows,windows_security">
  <rule id="100001" level="0">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.ipAddress">[NESSUS_IP]</field>
    <description>Authorized logon attempt from Nessus IP</description>
  </rule>

  <rule id="100002" level="10" frequency="5" timeframe="120">
    <if_matched_sid>60106</if_matched_sid>
    <!-- only count repeated logons that share the same source address -->
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Multiple unauthorized logons, possible SCAN</description>
  </rule>
</group>

Regards,
Daniel Folch

ektadhu...@gmail.com

Apr 14, 2021, 7:20:18 AM
to Wazuh mailing list
Hi Daniel,

I created this rule:

<rule id="100181" level="4" frequency="4" timeframe="120">
  <if_matched_sid>60106</if_matched_sid>
  <same_field>win.eventdata.ipAddress</same_field>
  <description>Multiple unauthorized logons, possible SCAN</description>
</rule>

But it is not triggering. Could you please help?

Regards,
Ekta

ektadhu...@gmail.com

Apr 19, 2021, 3:56:04 AM
to Wazuh mailing list
Hi Daniel,

Any update?

Regards,
Ekta

Daniel Folch

Apr 19, 2021, 9:23:59 AM
to Wazuh mailing list

Hello Ekta,

Sorry for the late response, let's check this.

First of all, let’s clarify what the rules do:

<group name="authentication_success,windows,windows_security">
  <rule id="100001" level="0">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.ipAddress">[NESSUS_IP]</field>
    <description>Authorized logon attempt from Nessus IP</description>
  </rule>

  <rule id="100002" level="10" frequency="4" timeframe="120">
    <if_matched_sid>60106</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Multiple unauthorized logons, possible SCAN</description>
  </rule>
</group>

The first rule, 100001, will trigger when rule 60106 (Windows Logon Success) is triggered with a win.eventdata.ipAddress corresponding to the Nessus one; this rule has level 0, so the alert will be ignored.

The second rule will trigger if rule 60106 has been triggered 4 times in 120 seconds with the same value for win.eventdata.ipAddress. So if rule 60106 is not triggering in your system, you will not get this alert.

Please check if the alerts you receive when launching a scan with Nessus correspond to the ones I showed you in previous messages; in case they don't, we may need a different approach.

Remember that after changing the rules you need to restart the manager.

Regards.
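Added example, not from the thread or from Wazuh: an offline Python check of what rule 100002 above is meant to fire on. It applies the same frequency/timeframe/same_field logic to constructed alerts in the one-object-per-line shape Wazuh writes to /var/ossec/logs/alerts/alerts.json, skipping the Nessus address the way the level-0 rule 100001 does, so you can confirm whether rule 60106 alerts from a scan exist at all and which source IPs would be flagged. NESSUS_IP, the timestamps and all addresses are placeholders.

```python
import json
from collections import defaultdict
from datetime import datetime

NESSUS_IP = "10.10.10.5"  # placeholder: the authorised scanner address
RULE_ID = "60106"         # Wazuh built-in "Windows Logon Success" rule, as in the thread
FREQUENCY = 4             # frequency="4" and timeframe="120" from rule 100002
TIMEFRAME = 120

# Constructed sample of alerts.json lines (one JSON object per line), not real data:
# four logons from 172.16.1.99 inside 45 s, four from the Nessus IP inside 20 s,
# four from 10.0.0.7 spread over fifteen minutes, and one unrelated sshd alert.
_EVENTS = [(f"2021-04-14T10:{m:02d}:{s:02d}.000+0000", "60106", ip) for ip, m, s in [
    ("172.16.1.99", 0, 0), ("172.16.1.99", 0, 15), ("172.16.1.99", 0, 30), ("172.16.1.99", 0, 45),
    ("10.10.10.5", 0, 5), ("10.10.10.5", 0, 10), ("10.10.10.5", 0, 20), ("10.10.10.5", 0, 25),
    ("10.0.0.7", 0, 0), ("10.0.0.7", 5, 0), ("10.0.0.7", 10, 0), ("10.0.0.7", 15, 0)]]
_EVENTS.append(("2021-04-14T10:02:00.000+0000", "5706", "172.16.1.17"))  # unrelated sshd alert
SAMPLE_ALERTS = "\n".join(json.dumps({"timestamp": ts, "rule": {"id": rid},
    "data": {"win": {"eventdata": {"ipAddress": ip}}}}) for ts, rid, ip in _EVENTS)


def find_scanning_ips(lines, nessus_ip=NESSUS_IP, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return {ip: total 60106 alerts} for every non-Nessus IP that produced at least
    `frequency` logon alerts within some `timeframe`-second window. This is an
    approximation of the engine's frequency counter, enough to sanity-check the rule."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, lines):          # skip blank lines in the file
        alert = json.loads(line)
        if alert.get("rule", {}).get("id") != RULE_ID:
            continue
        ip = alert.get("data", {}).get("win", {}).get("eventdata", {}).get("ipAddress")
        if not ip or ip == nessus_ip:              # what the level-0 rule 100001 silences
            continue
        by_ip[ip].append(datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"))
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - frequency + 1):   # sliding window over sorted times
            if (stamps[i + frequency - 1] - stamps[i]).total_seconds() <= timeframe:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    print(find_scanning_ips(SAMPLE_ALERTS.splitlines()))  # {'172.16.1.99': 4}
```

Point it at a copy of alerts.json taken while a scan runs: an empty result with the scanner's own logons present means rule 60106 is not firing for those hosts, which is the case Daniel describes.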
