Rule to detect port scans?


PentesterD

Jan 2, 2023, 5:16:27 AM
to Wazuh mailing list
Is there any rule to detect port scans? Currently I am testing with nmap, but I am not getting any alerts. The command I am testing with is: nmap -n -sT 192.168.1.10.

Sebastian Falcone

Jan 2, 2023, 6:18:38 AM
to Wazuh mailing list
Hello! How are you?

I've found an interesting implementation of the Wazuh integrations for this issue. https://socfortress.medium.com/using-wazuh-stack-to-run-network-scans-e12525c60712.

Let me know if you think this will solve the issue, and I will help you to implement it.

PentesterD

Jan 2, 2023, 6:29:21 AM
to Wazuh mailing list
Thanks. I'll read through this to understand it.

Sebastian Falcone

Jan 2, 2023, 9:05:20 AM
to Wazuh mailing list
I think I misunderstood your question. You want to detect scans for open ports over your network right? Or just to check for open ports?

PentesterD

Jan 3, 2023, 2:03:12 AM
to Wazuh mailing list
I want to detect port scans. Not necessarily over the whole network, just to the server where the agent is running.

PentesterD

Jan 3, 2023, 3:09:25 AM
to Wazuh mailing list
Not over the whole network. I want to detect port scan just to a particular server where the agent is running.

Sebastian Falcone

Jan 3, 2023, 6:19:51 AM
to Wazuh mailing list
Okay, I am testing out this program, scanlogd. If you find some other program or way to test for port scanning, let me know and we can work together to create rules and decoders if necessary.

Sebastian Falcone

Jan 3, 2023, 6:30:33 AM
to Wazuh mailing list
I've successfully detected a port scan with scanlogd.

systemctl status scanlogd.service
● scanlogd.service - LSB: Portscan Detection Daemon
     Loaded: loaded (/etc/init.d/scanlogd; generated)
     Active: active (running) since Tue 2023-01-03 08:06:26 -03; 16min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 23065 ExecStart=/etc/init.d/scanlogd start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 26167)
     Memory: 240.0K
        CPU: 239ms
     CGroup: /system.slice/scanlogd.service
             └─23072 /usr/sbin/scanlogd

Jan 03 08:06:26 pop-os systemd[1]: Starting LSB: Portscan Detection Daemon...
Jan 03 08:06:26 pop-os scanlogd[23065]: Starting scanlogd: scanlogd.
Jan 03 08:06:26 pop-os systemd[1]: Started LSB: Portscan Detection Daemon.
Jan 03 08:06:40 pop-os scanlogd[23072]: 192.168.0.116 to 192.168.0.116 ports 80, 1720, 8888, 22, 256, 143, 111, 8080, ..., f?rp?uxy, TOS 00, TTL 64 @11:06:40
Jan 03 08:20:04 pop-os scanlogd[23072]: 192.168.0.116 to 192.168.0.116 ports 80, 53, 139, 256, 25, 1720, 443, 1723, ..., fSrpauxy, TOS 00, TTL 64 @11:20:04
Jan 03 08:20:15 pop-os scanlogd[23072]: 192.168.0.116 to 192.168.0.116 ports 25, 3306, 22, 587, 21, 256, 139, ..., fSrpauxy, TOS 00, TTL 64 @11:20:15

Now I'm trying to see where it saves the logs (documentation is a bit obscure)

Sebastian Falcone

Jan 4, 2023, 8:20:28 AM
to Wazuh mailing list
Good morning

The logs for this application are located at /var/log/syslog. This file is monitored by default so we just need to create the decoder and the rule for the logs, they look like this:

Jan  4 10:15:33 pop-os scanlogd: 127.0.0.1 to 127.0.0.1 ports 80, 443, 995, 256, 8888, 554, 5900, 135, ..., fSrpauxy, TOS 00, TTL 64 @13:15:33
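An example decoder and rule pair for the scanlogd syslog line shown above, added here as an illustration; it is not part of the thread and not a decoder or rule that ships with Wazuh. It assumes a Wazuh manager at 4.3 or later (for `type="pcre2"`), the default custom files /var/ossec/etc/decoders/local_decoder.xml and /var/ossec/etc/rules/local_rules.xml, and rule IDs 100100 and 100101, which are my own choice inside the 100000-119999 range reserved for custom rules. The `scanlogd.*` field names are likewise my choice.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml -->
<!-- Added example, not a stock Wazuh decoder. Assumes Wazuh 4.3+ for type="pcre2". -->
<!-- The built-in syslog predecoder strips "Jan  4 10:15:33 pop-os " and sets
     program_name to "scanlogd"; this parent decoder matches on that. -->
<decoder name="scanlogd">
  <program_name>^scanlogd$</program_name>
</decoder>

<decoder name="scanlogd-scan">
  <parent>scanlogd</parent>
  <!-- Text reaching this decoder, from the sample line in the thread:
       127.0.0.1 to 127.0.0.1 ports 80, 443, 995, 256, 8888, 554, 5900, 135, ..., fSrpauxy, TOS 00, TTL 64 @13:15:33
       Groups: scanner IP, target IP, port list (including scanlogd's own "..."),
       TCP flag summary, TOS, TTL, time of the scan. -->
  <regex type="pcre2">^(\S+) to (\S+) ports (.+), (\S+), TOS (\S+), TTL (\d+) @(\S+)$</regex>
  <order>srcip, dstip, scanlogd.ports, scanlogd.flags, scanlogd.tos, scanlogd.ttl, scanlogd.time</order>
</decoder>
```

```xml
<!-- /var/ossec/etc/rules/local_rules.xml -->
<!-- Added example rules. IDs 100100/100101 are assumed free in the custom range. -->
<group name="scanlogd,recon,">
  <!-- One alert per scanlogd report. decoded_as refers to the parent decoder name. -->
  <rule id="100100" level="8">
    <decoded_as>scanlogd</decoded_as>
    <description>scanlogd: port scan from $(srcip) to $(dstip)</description>
    <mitre>
      <id>T1046</id>
    </mitre>
  </rule>

  <!-- Escalate when the same scanner IP produces three reports within ten minutes. -->
  <rule id="100101" level="10" frequency="3" timeframe="600">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>scanlogd: repeated port scans from $(srcip)</description>
    <mitre>
      <id>T1046</id>
    </mitre>
  </rule>
</group>
```

Before restarting the manager (`systemctl restart wazuh-manager`), paste the full syslog line, header included, into /var/ossec/bin/wazuh-logtest and confirm the decoder reports `srcip`, `dstip` and the `scanlogd.*` fields and that rule 100100 fires. Two checks worth doing on the agent side: the host must actually write /var/log/syslog (rsyslog does, as on the Pop!_OS box above; journald-only distributions do not, and there the `<localfile>` in ossec.conf needs to point at the journal or a file scanlogd is configured to log to), and scanlogd only reports what it sees on the interface it listens on, so a scan run against the loopback address, as in the sample line, shows the same address as source and target.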