Wazuh Not Detecting Nmap Port Scan Attack


I am currently using Wazuh version 4.5.1 for intrusion detection, and I've encountered an issue where it does not seem to be detecting Nmap port scan attacks. I have performed a port scan using Nmap (version 7.93) on my system, and Wazuh does not raise any alerts. I've checked the log files on both the Wazuh manager and the agent, and there is no issue.

Checked the Wazuh logs for any relevant alerts. Verified the Nmap scan command and confirmed it's targeting the correct IP.

Because I've installed both the Wazuh manager and the Wazuh agent on AWS VMs, I've ensured that all security groups and all ports are open.

In order to generate an alert for a port scan, you must validate that the following entry is found in the ossec.conf file:

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
    <alias>netstat listening ports</alias>
    <frequency>360</frequency>
  </localfile>

This configuration is included by default in the ossec.conf file. You should have it in your ossec.conf to achieve the alert in Wazuh.
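To make clear what that `full_command` entry actually feeds the manager, here is an added example (not from the answer above or from the Wazuh project) that reproduces the pipeline's normalization in Python and diffs two snapshots the way Wazuh's "Listened ports status (netstat) changed" rule evaluates them. The netstat output is constructed sample data; `normalize` and `changed_ports` are this example's own names.

```python
import re

# Constructed sample of `netstat -tulpn` output, as the agent would capture it.
SNAPSHOT_BEFORE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:1514          0.0.0.0:*               LISTEN      1040/wazuh-agentd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
"""

# Same host 360 s later: a new service has started listening on 8080 (constructed).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + (
    "tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2231/python3\n"
)

# Python equivalent of the capture groups in the answer's first sed expression.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+"      # Proto Recv-Q Send-Q
    r"(?P<addr>\S+):(?P<port>\d+)\s+"      # Local Address, split at the last colon
    r"(?P<foreign>[0-9.:*]+)\s+"           # Foreign Address
    r"(?:LISTEN\s+)?"                      # State column is empty for udp
    r"(?P<prog>\d*/[\w-]*)"                # PID/Program name
)


def normalize(netstat_output):
    """Return the lines the Wazuh command emits: 'proto addr:port foreign prog', sorted by port."""
    rows = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:  # the two header lines never match; the pipeline drops them with `sed 1,2d`
            text = f"{m['proto']} {m['addr']}:{m['port']} {m['foreign']} {m['prog']}"
            rows.append((int(m["port"]), text))
    rows.sort()  # `sort -k 4 -g` orders by the numeric port field
    return [text for _, text in rows]


def changed_ports(previous, current):
    """Wazuh alerts when consecutive outputs differ; report what was added and removed."""
    before, after = set(normalize(previous)), set(normalize(current))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    added, removed = changed_ports(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print("opened:", added)
    print("closed:", removed)
```

The diff is empty unless the set of listening sockets on the monitored host changes, so this entry reports ports opening or closing on the host itself rather than inbound connection attempts.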