libpcap VS Wazuh

As long as your custom service used the rpcap protocol I'd expect it to be possible. You may find this GitHub page informative, since it includes some rpcap source code and one of the main Wireshark developers appears to be a contributor there.

mitmproxy can be used to find the HTTP request with the needed data in addition browser dev tools. At some point, I'll explore tcpdump and wireshark to reverse engineer websites for web scraping and share the learnings with you.

(Of course, this consideration should be appropriately downweighted by YAGNI, as threading memory management through prototype or internal utility code can by itself easily force it into very non-prototype amounts of effort.)

[1] https://github.com/the-tcpdump-group/libpcap/blob/2180b6e56a...

I am working with libpcap, a library that parses packets captured from tcpdump, which I have cIncluded from Zig.

Nmap and Wireshark, tcpdump tools can be used to scan networks and packets.

Also definitely start looking at tcpdump and wireshark. These are invaluable tools for the non-network engineer that is perhaps a sysadmin or analyst to use for network troubleshooting.

For future reference, libpcap is a library that Wireshark and many other network analysis tools use to record network traffic. It has its own file format that it can use to save the recorded network traffic to disk.

A lot is covered here and here, sar might be useful, getfacl and tcpdump and probably hundred more tools I am not even aware of. The easiest to learn those is to have a problem and identify and solve it with those tools, but to do that you need to know roughly what those tools can do.

For example, gopacket uses libpcap by default for capturing the traffic. Libpcap doesn't support network namespaces and we can't ask it to listen to traffic on a different namespace. However, we can change the network namespace of the calling thread and then start libpcap to see the traffic on a different namespace.

There is currently no feature for excluding specific SCA rules however this feature has been requested here and would be added to the roadmap for future releases.

I use Wazuh instead. Greenbone CE is severely limited and requires payment for anything beyond the very basic. Super simple installation more features.

Seems like something that should be documented somewhere more official than a random reddit post for sure. Added it to https://github.com/wazuh/wazuh/issues/1112 for good measure.

Hmm, I've really been wanting to try Wazuh but since all our endpoints (Win10/11) are running a German locale I've run into https://github.com/wazuh/wazuh/issues/16842 when checking the compliance checks (CIS benchmarks) on a test installation of 4.6.

Monitoring & Active Measures - Exporting firewall events to an external time-series database like I describe above is good to see who is touching your firewall or accessing your web site. Using an Intrusion Detection System / Intrusion Prevention System (IDS/IPS) such as open-source Suricata, which is a free package on pfSense, and deploying file system integrity monitoring, such as the open-source Wazuh on the exposed server are also good approaches to protecting yourself.

We are actively working on enhancing the system to allow users to mark vulnerabilities as "not vulnerable" or hide them. You can track the progress of this enhancement on the following GitHub issue: (Enhancement - Mark Vulnerabilities as Not Vulnerable).

Hello, thanks for using Wazuh, I will try to answer your questions: 1- I am going to check with the team in charge to see if there is a way. 2- Untriaged is a default value that is placed on vulnerabilities that do not have low, medium or high values https://github.com/wazuh/wazuh/issues/12675 3- As in the previous point, the providers of vulnerability lists have not provided the data.

Agents getting frequently pending and disconnecting