Detect Port Scan Attacks with Wazuh & Suricata

Hello,

I am using Wazuh 4.7.2 and trying to detect a port scan attack for a Windows endpoint.

My setup is:

  • Wazuh Manager is a .ova VM
  • Wazuh agent (target) is on my Windows laptop where the .ova VM is also running
  • Suricata installed on the same laptop as the Wazuh agent
  • Kali Machine (attacker) is on my Windows laptop, different VM

I followed the documentation from this link: https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/

Nevertheless, even if I see other Suricata-generated alerts, I cannot see the Nmap scan. Also, as a result, the IP of my Kali machine is not getting blocked as it should happen according to the documentation.

Another issue that I have is that when I try to ping my agent from my Kali machine, there is no alert generated. This should happen since port scanning is somehow similar to a ping.

Any ideas on what I should check/modify?

Thank you.
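The two checks the post is after, as an added example that is not from the post, from Wazuh or from Suricata: a Python script over constructed Suricata eve.json lines (field names follow Suricata's EVE JSON output; the addresses, timestamps, window and port threshold are assumptions) that flags a source touching many distinct ports within a short window and separately counts ICMP echo requests, the "ping" case the post mentions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample eve.json lines (field names follow Suricata's EVE JSON format,
# values are made up): one host probing six TCP ports within three seconds and
# sending one ICMP echo request, plus one unrelated connection from another host.
SAMPLE_EVE = """
{"timestamp":"2024-03-10T12:00:00.000000+0000","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"ICMP","icmp_type":8,"icmp_code":0}
{"timestamp":"2024-03-10T12:00:01.000000+0000","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"TCP","dest_port":22}
{"timestamp":"2024-03-10T12:00:01.200000+0000","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"TCP","dest_port":80}
{"timestamp":"2024-03-10T12:00:01.500000+0000","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"TCP","dest_port":135}
{"timestamp":"2024-03-10T12:00:02.000000+0000","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"TCP","dest_port":443}
{"timestamp":"2024-03-10T12:00:02.400000+0000","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"TCP","dest_port":445}
{"timestamp":"2024-03-10T12:00:03.000000+0000","event_type":"flow","src_ip":"192.168.56.20","dest_ip":"192.168.56.10","proto":"TCP","dest_port":3389}
{"timestamp":"2024-03-10T12:00:05.000000+0000","event_type":"flow","src_ip":"192.168.56.30","dest_ip":"192.168.56.10","proto":"TCP","dest_port":443}
"""

def parse_events(text):
    """Parse newline-delimited EVE JSON; blank or malformed lines are skipped."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            pass  # a half-written line at the tail of a live eve.json is normal
    return events

def event_time(ev):
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def detect_port_scans(events, window_seconds=10, min_ports=5):
    """Return {src_ip: sorted distinct ports} for every source that touched at
    least min_ports distinct TCP/UDP destination ports within window_seconds."""
    per_src = defaultdict(list)
    for ev in events:
        if ev.get("proto") in ("TCP", "UDP") and "dest_port" in ev:
            per_src[ev["src_ip"]].append((event_time(ev), ev["dest_port"]))
    window, flagged = timedelta(seconds=window_seconds), {}
    for src, hits in per_src.items():
        hits.sort()  # sliding window over the source's connections in time order
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

def count_icmp_echo(events):
    """Count ICMP echo requests (type 8) per source, i.e. incoming pings."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("proto") == "ICMP" and ev.get("icmp_type") == 8:
            counts[ev["src_ip"]] += 1
    return dict(counts)
```

Pointing `parse_events` at the real `eve.json` shows whether Suricata recorded the probes at all, which separates a capture-interface problem from a Wazuh rule problem.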
