Network IDS integration

You can integrate Wazuh with Suricata, a network-based intrusion detection system (NIDS), to detect threats by monitoring network traffic. This solution can generate JSON logs of NIDS events and provide additional insight into your network’s security with its network traffic inspection capabilities.

To see an example use case of a NIDS integration with Wazuh, go to the Catch suspicious network traffic section of the documentation.

Configuration

Configure your environment as follows to test the POC.

  1. Install Suricata (tested with version 5.0.7) on the CentOS 8 monitored endpoint. This requires EPEL repository that depends on your operating system version.

    yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    yum -y install suricata-5.0.7
    
  2. Download and extract Emerging rules.

    cd /tmp/
    curl -LO https://rules.emergingthreats.net/open/suricata-5.0.7/emerging.rules.tar.gz
    tar -xvzf emerging.rules.tar.gz && mv rules/*.rules /etc/suricata/rules/
    chown suricata:suricata /etc/suricata/rules/*.rules
    chmod 640 /etc/suricata/rules/*.rules
    
  3. Modify Suricata settings in the /etc/suricata/suricata.yaml file.

    EXTERNAL_NET: "any"
    
    default-rule-path: /etc/suricata/rules
    rule-files:
    - "*.rules"
    
  4. Start Suricata.

    systemctl enable suricata
    systemctl daemon-reload
    systemctl start suricata
    
  5. Configure the Wazuh agent to read Suricata logs file. The following settings need to be added to the /var/ossec/etc/ossec.conf file of the monitored CentOS 8 endpoint.

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/suricata/eve.json</location>
    </localfile>
    
  6. Restart the Wazuh agent to apply the changes.

    systemctl restart wazuh-agent
    

Steps to generate the alerts

No action is required. Wazuh automatically parses data from /var/log/suricata/eve.json and generates related alerts.

Query the alerts

You can visualize the alert data in the Wazuh Kibana plugin. To do this, go to the Security events module and add the filters in the search bar to query the alerts.

  • rule.groups:suricata

Troubleshooting

  • Error concerning network interface in Suricata log file /var/log/suricata/suricata.log.

To solve this issue, check the name of your network interface and configure it accordingly in the files /etc/sysconfig/suricata and /etc/suricata/suricata.yaml.