Discovering Unmanaged Devices with Python, Nagios, and Wazuh SIEM: The Spy Who PING’d Me

Hi friends,

It has been a couple of months without writing any post; the truth is that I've been pretty busy, you know those moments when suddenly... the time for your “shits” disappears!!! As usual I leave you a musical recommendation to move your ass: “Played-A-Live (The Bongo Song)” (2000) by Safri Duo, listen to them in a live video... three, two, one, GOOOOO!!!

Let’s talk about a challenge that keeps network and (cyber)security admins awake at night: unmanaged devices. They lurk in the shadows of your subnet, dodging updates, ignoring security policies, and possibly moonlighting as rogue endpoints. But fret not—Python, armed with python-nmap, is here to save the day! And yes, it comes with a couple of friends: Nagios and Wazuh SIEM.

Here’s how we built a solution to sniff out these digital fugitives and keep your network safe.

Meet the Tool/Script

Our script is like a secret agent infiltrating your network. Let’s break down its gadgets:

  1. Subnet Scanner: It starts by scanning the subnet with a ping sweep (-sn) to find active hosts. Think of it as sonar for IP addresses.
  2. Host Name Resolver: For each discovered IP, we call DNS to get its hostname. If the device insists on being mysterious, we call it "Unknown" (cue spy music).
  3. Service Investigator: For unmatched IPs, we use -sT -sV scans to uncover running services. It’s like shaking down a suspect to find out what they’re hiding.
  4. JSON Detective: The script cross-references discovered IPs with known devices from a JSON file. Any impostors (unmatched IPs) are flagged for detailed scrutiny.
  5. CSV Reporter: All findings are saved in a CSV file, because documentation is everything—unless you’re in a spy movie.
  6. Syslog Whisperer: For every discovery, it whispers sweet nothings (or critical alerts) to your Wazuh SIEM via Syslog.

The Workflow

  1. Scan Subnet: The script is launched with python script.py <subnet> <json_file>. It’s on a mission to unmask the unknown in <subnet>.
  2. Match and Unmatch: Discovered IPs are matched against a JSON file of known devices. The script then creates two lists: matched (known) devices and unmatched (unknown) devices.
  3. Deep Dive on Unmatched Devices: Each unmatched IP gets a detailed -sT -sV scan to uncover the services it is running.
  4. Save Results: Findings are stored in a CSV file for analysis and shared with Nagios and Wazuh. Nagios keeps tabs on these devices, and Wazuh raises alarms if necessary.
  5. Raise the Alarm: If unmatched devices are found, the script sends a Critical Syslog alert. Otherwise, it logs a reassuring INFO message that all is well.
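The workflow above as an added, self-contained Python script (example code written for this post, not the author's original script). The known-devices JSON layout, the CSV columns, the Nagios exit-code convention and the Wazuh collector address are assumptions; the scanning functions need python-nmap and the nmap binary, the rest runs offline.

```python
import csv, json, socket, sys

def ping_sweep(subnet):  # -sn ping sweep: IPs that answered
    import nmap  # lazy import: the offline helpers below need no nmap binary
    nm = nmap.PortScanner()
    nm.scan(hosts=subnet, arguments="-sn")
    return [h for h in nm.all_hosts() if nm[h].state() == "up"]

def services(ip):  # -sT -sV on one unmatched host -> ["port/service version", ...]
    import nmap
    nm = nmap.PortScanner()
    nm.scan(hosts=ip, arguments="-sT -sV")  # -sT is TCP only, so read the "tcp" table
    return [f"{p}/{d.get('name', '')} {d.get('version', '')}".strip() for p, d in nm[ip].get("tcp", {}).items()]

def resolve(ip):  # reverse DNS; a device without a PTR record is "Unknown"
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return "Unknown"

def load_known(json_text):  # assumed layout: [{"ip": "...", "name": "..."}, ...]
    return {d["ip"]: d["name"] for d in json.loads(json_text)}

def classify(discovered, known):  # -> (matched, unmatched), scan order preserved
    return [ip for ip in discovered if ip in known], [ip for ip in discovered if ip not in known]

def nagios_status(unmatched):  # Nagios plugin convention: (exit code, service output)
    if unmatched:
        return 2, "CRITICAL - Unmanaged device detected: " + ", ".join(sorted(unmatched))
    return 0, "OK - No unmanaged device detected"

def syslog_line(severity, message, tag="unmanaged-scan"):  # RFC 3164, facility local0
    return f"<{16 * 8 + severity}>{tag}: {message}"  # PRI = facility * 8 + severity

def main(subnet, json_file, csv_file="unmanaged_devices.csv", wazuh=("wazuh.example.internal", 514)):
    with open(json_file) as f:
        known = load_known(f.read())
    matched, unmatched = classify(ping_sweep(subnet), known)
    with open(csv_file, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["ip", "hostname", "status", "services"])
        w.writerows([ip, known[ip], "managed", ""] for ip in matched)
        w.writerows([ip, resolve(ip), "UNMANAGED", "; ".join(services(ip))] for ip in unmatched)
    code, text = nagios_status(unmatched)  # 0 = OK, 2 = CRITICAL
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # wazuh: assumed collector, UDP 514
        s.sendto(syslog_line(2 if code else 6, text).encode(), wazuh)  # 2 = crit, 6 = info
    print(text)  # Nagios reads this line as the service output
    return code
if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```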

Integration with Nagios and Wazuh

Here’s where the team comes in:

  • Nagios keeps watch over your devices 24/7. By importing the script’s output, Nagios can add the new devices to its monitoring list, so nothing escapes its radar.

Nagios Core + Nagvis

Here is the output of this tool as displayed by Nagios:

Nagios service output: No unmanaged device detected

And... what happens if an unmanaged device is detected?

Nagios service output: Unmanaged device detected

Do not forget to analyze all networks:

Nagios service group: Detect unmanaged devices

  • Wazuh SIEM processes the Syslog alerts, visualizes the data, and can even correlate these discoveries with other security events.

Wazuh Dashboard: filtered events
Wazuh event details

Stay informed of what's going on:

Email notification

Why Python-Nmap?

Sure, Nmap is great on its own, but python-nmap lets us automate scans like pros. Instead of manually running nmap commands, the script does it all in one go. Plus, its multi-threading capabilities mean faster results—no more waiting an eternity to scan a /24 network.

Code in Action

Want to try it? Here’s how it plays out:

Script execution

Conclusion

This Python Nmap script integrates seamlessly with Nagios and Wazuh, ensuring that nothing escapes your watchful eyes. Whether it’s rogue Raspberry Pis or mystery laptops, this tool has your back.

While python-nmap is a fantastic library for automating Nmap, it's worth noting that there are other Python libraries available on pip that can also enhance or complement network scanning tasks. Exploring these options might open up even more advanced use cases!

So go ahead and implement it, because reconnaissance tasks are essential in any network. And remember, in the world of network security, it's better to scan and know than to be completely ignorant.

Documentation

https://nmap.org/

https://github.com/NagiosEnterprises/nagioscore

https://wazuh.com/

More articles by Asier Gonzalez Diaz
