Network IDS integration

You can integrate Wazuh with Suricata, a network-based intrusion detection system (NIDS), to detect threats by monitoring network traffic. Suricata inspects the traffic on a monitored interface, matches it against its rule set, and writes every event (alerts, flows, DNS and HTTP records, and so on) as one JSON document per line to its EVE log. Wazuh reads that log, so the network-level visibility Suricata provides becomes part of your Wazuh alerts.

To see an example use case of a NIDS integration with Wazuh, go to the Catch suspicious network traffic section of the documentation.

Configuration

Configure your environment as follows to test the PoC.

  1. Install Suricata (tested with version 5.0.8) on the Ubuntu 20 monitored endpoint. This process can take over 10 minutes.

    add-apt-repository ppa:oisf/suricata-5.0
    apt-get update
    apt-get install suricata -y
    
  2. Download and extract the Emerging Threats Open rule set for the installed Suricata version.

    cd /tmp/
    curl -LO https://rules.emergingthreats.net/open/suricata-5.0.8/emerging.rules.tar.gz
    tar -xvzf emerging.rules.tar.gz && mv rules/*.rules /etc/suricata/rules/
    chmod 640 /etc/suricata/rules/*.rules
    
  3. Modify the Suricata settings in the /etc/suricata/suricata.yaml file. EXTERNAL_NET lives under vars > address-groups; its default value "!$HOME_NET" makes most rules ignore traffic between two internal hosts, so setting it to "any" is what allows the ping test below (traffic from the endpoint to the manager) to raise an alert. Expect more noise from internal traffic as a consequence. default-rule-path and rule-files are top-level keys; the "*.rules" glob loads every file extracted in the previous step.

    EXTERNAL_NET: "any"
    
    default-rule-path: /etc/suricata/rules
    rule-files:
      - "*.rules"
    
  4. Start Suricata.

    systemctl enable suricata
    systemctl daemon-reload
    systemctl start suricata
    
  5. Configure the Wazuh agent to read the Suricata log file. Add the following settings to the /var/ossec/etc/ossec.conf file of the monitored Ubuntu 20 endpoint. Each line of eve.json is a complete JSON document; the agent forwards the lines as they are and the JSON decoder on the Wazuh manager parses them.

    <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/suricata/eve.json</location>
    </localfile>
    
  6. Restart the Wazuh agent to apply the changes.

    systemctl restart wazuh-agent
    

Steps to generate the alerts

No action is required. Wazuh automatically parses the events that Suricata writes to /var/log/suricata/eve.json and generates the related alerts. If you want to trigger an alert on demand, wait until Suricata has loaded its rules and is sniffing the monitored interface, then ping the Wazuh manager from the endpoint: with EXTERNAL_NET set to "any", the ICMP signatures in the rule set match that traffic, Suricata logs an alert event to eve.json, and Wazuh raises the corresponding alert.
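To see what Wazuh actually gets from the log configured in step 5, the following script walks a few eve.json lines the way the pipeline does. It is an added example, not part of the Wazuh documentation or of either project's code: the sample lines are constructed for the example (the signatures and sids are made up; sids above 1000000 are the range reserved for local rules), and the dotted key names only approximate how the Wazuh JSON decoder presents Suricata fields in the dashboard (for instance data.alert.signature). It shows that only event_type "alert" records carry an alert object, which is why custom rules and dashboard filters should select on event_type before touching alert.* fields, and that a truncated line (Suricata still writing, or a rotation in progress) must be skipped rather than break the feed.

```python
"""Preview what Wazuh extracts from Suricata's eve.json.

Every line of eve.json is one JSON document. The Wazuh agent ships each line
unchanged and the manager's JSON decoder flattens the keys under "data.", so a
Suricata field such as alert.signature appears as data.alert.signature in the
Wazuh alert and can be used in dashboard filters and custom rules.
"""
import json
from collections import Counter

# Constructed sample events (not captured from a real sensor). The layout
# follows Suricata's EVE schema; signatures and sids are made up for the
# example (sids from 1000000 up are reserved for local rules).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-05-04T10:15:30.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.10","dest_ip":"192.168.1.20","proto":"ICMP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL ICMP echo request","category":"Misc activity","severity":3}}',
    '{"timestamp":"2023-05-04T10:15:31.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.1.10","dest_ip":"192.168.1.20","proto":"ICMP",'
    '"flow":{"pkts_toserver":4,"pkts_toclient":4,"state":"established"}}',
    '{"timestamp":"2023-05-04T10:15:32.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.10","dest_ip":"192.168.1.20","proto":"ICMP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL ICMP echo request","category":"Misc activity","severity":3}}',
    '{"timestamp":"2023-05-04T10:15:33.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"192.168.1.20","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,'
    '"signature":"LOCAL SSH connection from outside","category":"Attempted Information Leak","severity":2}}',
    # A line cut short while Suricata was still writing it.
    '{"timestamp":"2023-05-04T10:15:34.000000+0000","event_type":"alert","src_ip":',
]


def flatten(obj, prefix="data"):
    """Flatten nested JSON into dotted keys, approximating the Wazuh JSON decoder."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat


def parse_eve(lines):
    """Parse eve.json lines; return (flattened events, count of unparseable lines).

    A malformed line is counted and skipped instead of aborting: one bad record
    must not stop the rest of the feed from being processed.
    """
    events, bad = [], 0
    for line in lines:
        try:
            events.append(flatten(json.loads(line)))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def summarize_alerts(events):
    """Count alert events by (signature, source IP); other event types are ignored.

    Only event_type "alert" carries an alert.* object, so a rule or filter must
    select on event_type first before referencing fields such as alert.severity.
    """
    counts = Counter()
    for ev in events:
        if ev.get("data.event_type") == "alert":
            counts[(ev["data.alert.signature"], ev["data.src_ip"])] += 1
    return counts


def high_severity(events, max_severity=2):
    """Return alert events whose Suricata severity is <= max_severity (1 is most severe)."""
    return [ev for ev in events
            if ev.get("data.event_type") == "alert"
            and ev["data.alert.severity"] <= max_severity]


if __name__ == "__main__":
    evs, bad = parse_eve(SAMPLE_EVE_LINES)
    print(f"parsed {len(evs)} events, skipped {bad} malformed line(s)")
    for (sig, src), n in summarize_alerts(evs).most_common():
        print(f"{n:3d}  {src:15s}  {sig}")
    for ev in high_severity(evs):
        print("high severity:", ev["data.alert.signature"], "from", ev["data.src_ip"])
```

Run it against a real file with `parse_eve(open("/var/log/suricata/eve.json"))` on the endpoint to confirm that alert events are being written before you look for them in the dashboard; if summarize_alerts returns nothing while flow events are present, Suricata is sniffing but no rule matched, which usually points back to the EXTERNAL_NET or rule-files settings in step 3.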

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the following filter in the search bar to query the alerts.

  • rule.groups:suricata

Troubleshooting

  • Suricata logs an error about the network interface in /var/log/suricata/suricata.log, typically because the interface named in the default configuration does not exist on the endpoint.

To solve this issue, find the name of the interface to monitor (for example with ip link) and set it both in the af-packet section of /etc/suricata/suricata.yaml and in the service defaults file, which is /etc/default/suricata on Ubuntu (/etc/sysconfig/suricata is the equivalent on RHEL-based systems), then restart Suricata.