Port scan, rule - alert


TheMTG

Apr 17, 2023, 1:59:29 PM
to Wazuh mailing list
Hey! I want to make a rule that fires if someone tries to do a port scan on my environment. I have 15 endpoints running Windows, and 10 Cisco devices (router, ASA, switch). Does anyone know how to make that kind of rule? I found this Snort rule, but it seems too legacy to work in the new version of Wazuh.


<group name="portscan">
  <rule id="9999" level="10">
    <decoded_as>network</decoded_as>
    <description>Port scanning detection: %srcip%</description>
    <options>no_email_alert</options>
    <frequency>10</frequency>
    <scan_interval>60</scan_interval>
    <scan_ports>1-65535</scan_ports>
    <group>srcip,dstip,scan_type,scan_port,scan_proto,scan_duration,scan_count</group>
    <scan_type>SYN</scan_type>
  </rule>
</group>

Jose Camargo

Apr 17, 2023, 8:36:07 PM
to Wazuh mailing list
Hi,

To do this you first have to get the events related to the port scan, as the rule alone won't work without the correct decoder. With the logs, we can then help you work out a simple set of rules and decoders to get alerted on these events. So, can you please send me some logs so I can help you with this?


I'll be awaiting your comments.

Regards,

TheMTG

Apr 18, 2023, 10:22:52 AM
to Wazuh mailing list
Hey Jose. I have tried to run some scans inside my network with Nmap:

xx.xx.xx.x/24 -A -T4 -vv
xx.xx.xx.x/24 -sS -T4 -vv

But I don't think there are any port scan rules in Wazuh. I have downloaded the SOCFortress rules etc.

Jose Camargo

Apr 18, 2023, 7:42:44 PM
to Wazuh mailing list
Hi,

Indeed, there are no specific rules related to this. That is why you will have to get a NIDS that can generate logs when these events happen, so Wazuh can ingest them and then create alerts. Were you able to check the Suricata integration? You can see the PoC here: https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html

With Suricata, you can detect scan events and then create alerts/take action depending on the generated events.

You can also use another program like scanlogd to detect port scans, as its logs are saved in /var/log/syslog and this file is monitored by default, so you will only have to create some custom decoders and rules to generate alerts; the logs look like this:

Jan  4 10:15:33 pop-os scanlogd: 127.0.0.1 to 127.0.0.1 ports 80, 443, 995, 256, 8888, 554, 5900, 135, ..., fSrpauxy, TOS 00, TTL 64 @13:15:33

I'll be awaiting your comments.

Regards,
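As an added example (not code from this thread or from the Wazuh project), here is one way to write the custom decoder and rules for the scanlogd line quoted above. It assumes Wazuh 4.x decoder and rule syntax, that the line reaches the manager through the default syslog pre-decoder (so the program name "scanlogd" is already extracted), and that the rule ids 100100 and 100101 are free in the custom range; the field names extra_data and the group names are choices made for this example.

```xml
<!-- /var/ossec/etc/decoders/local_decoder.xml (added example; path and rule ids are assumptions) -->

<!-- Parent decoder: match on the syslog program name extracted by the pre-decoder -->
<decoder name="scanlogd">
  <program_name>^scanlogd$</program_name>
</decoder>

<!-- Child decoder: pull source and destination IP out of
     "127.0.0.1 to 127.0.0.1 ports 80, 443, ..., fSrpauxy, TOS 00, TTL 64 @13:15:33".
     The port list, TCP flags, TOS and TTL are kept together in extra_data
     because the Wazuh regex engine offers no backtracking for a clean split. -->
<decoder name="scanlogd-fields">
  <parent>scanlogd</parent>
  <regex>^(\S+) to (\S+) ports (\.+)$</regex>
  <order>srcip, dstip, extra_data</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml (added example) -->

<group name="scanlogd,recon,">
  <!-- One alert per scanlogd report; $(srcip) and $(dstip) come from the decoder above -->
  <rule id="100100" level="8">
    <decoded_as>scanlogd</decoded_as>
    <description>scanlogd: port scan from $(srcip) against $(dstip)</description>
    <mitre>
      <id>T1046</id>
    </mitre>
  </rule>

  <!-- Escalate when the same source is reported five times within five minutes -->
  <rule id="100101" level="12" frequency="5" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>scanlogd: repeated port scans from $(srcip) in the last 5 minutes</description>
    <mitre>
      <id>T1046</id>
    </mitre>
  </rule>
</group>
```

After restarting the manager, paste the quoted log line into /var/ossec/bin/wazuh-logtest to confirm that phase 2 shows the scanlogd decoder with srcip and dstip populated and phase 3 fires rule 100100; if the decoder does not match, check that the agent actually reads /var/log/syslog on that host, since scanlogd may log to a different facility depending on its build.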
