Suricata Integration with Wazuh

Overview

This Proof of Concept (PoC) demonstrates the integration of Suricata IDS with Wazuh to provide network intrusion detection and centralized security monitoring.

In this setup, Suricata runs on the Wazuh Agent machine and monitors network traffic for suspicious activity. The generated alerts are stored in Suricata's eve.json log file, which is then ingested by Wazuh for analysis, correlation, and visualization through the Wazuh Dashboard.


Architecture

Attacker Machine
       │
       ▼
Nmap Scan Traffic
       │
       ▼
Suricata IDS (Agent Machine)
       │
       ▼
eve.json Logs
       │
       ▼
Wazuh Agent
       │
       ▼
Wazuh Manager & Dashboard

Step 1: Install Suricata on the Agent Machine

Suricata is an open-source Intrusion Detection and Prevention System (IDS/IPS) that inspects network traffic and generates alerts whenever suspicious or malicious activity is detected.

Commands

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y


Step 2: Download and Configure Detection Rules

By default, Suricata ships with only a small rule set. To improve detection coverage, we download the Emerging Threats ruleset, which contains thousands of community-maintained signatures for identifying scans, exploits, malware activity, command-and-control traffic, and other suspicious behaviour.

Commands

cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz

sudo tar -xvzf emerging.rules.tar.gz

sudo mv rules/*.rules /etc/suricata/rules/

sudo chmod 640 /etc/suricata/rules/*.rules

The image below shows the difference between the original rule set and the expanded rule repository after importing the Emerging Threats rules.


Step 3: Modify Suricata Configuration

Open the Suricata configuration file:

nano /etc/suricata/suricata.yaml

Several settings must be adjusted so that Suricata properly monitors the local network and loads the imported rules.


Change 1: Configure HOME_NET

The HOME_NET variable represents the network or host that Suricata should protect.

Change:

HOME_NET: "[...]"

To:

HOME_NET: "[Current IP]"

This ensures alerts are generated relative to the monitored machine.


Change 2: Configure EXTERNAL_NET

By default, EXTERNAL_NET is defined as everything outside HOME_NET, so rules written for $EXTERNAL_NET -> $HOME_NET traffic will not fire on traffic that originates inside HOME_NET.

Change:

EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"

To:

#EXTERNAL_NET: "!$HOME_NET"
EXTERNAL_NET: "any"

This allows Suricata to inspect all traffic sources and destinations.


Change 3: Set Rule Directory

Change:

default-rule-path: ...

To:

default-rule-path: /etc/suricata/rules

This tells Suricata where the downloaded rules are stored.


Change 4: Load All Rules

Set:

rule-files:
  - "*.rules"

This automatically loads every rule file present in the rules directory.


Change 5: Enable Statistics

If disabled, enable statistics collection.

Set:

stats:
  enabled: yes

This provides additional visibility into Suricata's operation and event generation.


Change 6: Verify Network Interface

The lab uses the interface eth0; if your interface is named differently, replace it accordingly.

Set:

af-packet:
  - interface: eth0

This ensures Suricata listens on the correct network adapter.


Step 4: Configure Wazuh to Read Suricata Logs

Suricata stores alerts in the eve.json file. Wazuh must be instructed to monitor this file so that generated events appear in the dashboard.

Open:

nano /var/ossec/etc/ossec.conf

Add the following block immediately before the closing </ossec_config> tag:

Configuration

<localfile>
   <log_format>json</log_format>
   <location>/var/log/suricata/eve.json</location>
</localfile>

This configuration tells Wazuh to continuously parse Suricata's JSON-formatted alerts and forward them for analysis.


Step 5: Restart Services

After making all configuration changes, restart both services to apply the updates.

Commands

systemctl restart suricata.service

systemctl restart wazuh-agent.service

Step 6: Generate Detection Events

To validate the integration, perform a SYN scan against the Agent machine.

Payload

nmap -sS <AGENT_IP>

A SYN scan sends TCP SYN packets to discover open ports while avoiding a full TCP handshake. Suricata contains signatures capable of detecting various reconnaissance activities, making this a simple and effective validation test.


Step 7: View Alerts in Wazuh

Once the scan is detected, navigate to:

Wazuh Dashboard
 └── Agents
      └── Threat Hunting

The dashboard provides a high-level overview of events generated by Suricata and processed by Wazuh.


Step 8: Investigate Events

The Events tab contains detailed information about every alert, including:

  • Rule ID
  • Alert severity
  • Source IP
  • Destination IP
  • Protocol information
  • Event timestamps
  • Full Suricata alert details

This allows analysts to investigate detected activity and understand exactly why an event was triggered.
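As an added example (not part of the original repository), the following Python script parses constructed eve.json lines the way the Wazuh localfile block consumes them, keeps only alert events, and pivots them by source IP and destination port, which is how the SYN-scan validation from Step 6 shows up in the Events tab. All sample IPs, ports, timestamps, signature ids and signature texts are constructed.

```python
import json
from collections import defaultdict

# Constructed eve.json sample (one JSON object per line), shaped like the lines the
# Wazuh <localfile> block with log_format json reads. Field names follow Suricata's
# EVE alert output; all values are made up. The last line is deliberately truncated.
SAMPLE_EVE = r"""
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED SCAN inbound to SSH","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:01.100000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40002,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"signature":"CONSTRUCTED SCAN inbound to HTTP","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:01.300000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":40004,"dest_ip":"10.0.0.10","dest_port":3306,"proto":"TCP","alert":{"signature_id":9000004,"signature":"CONSTRUCTED SCAN inbound to MySQL","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":50000,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000010,"signature":"CONSTRUCTED POLICY scripted HTTP client","category":"Not Suspicious Traffic","severity":3}}
{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"stats","stats":{"uptime":60}}
{"timestamp":"2024-05-01T10:00:07.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","dest_port":
"""

def parse_eve(text):
    """Parse eve.json lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial write while Suricata is still logging; next line is fine
    return events

def alerts(events, max_severity=3):
    """Keep event_type == "alert" records with severity <= max_severity (1 is highest)."""
    return [e for e in events if e.get("event_type") == "alert"
            and e.get("alert", {}).get("severity", 3) <= max_severity]

def by_source(alert_events):
    """Pivot alerts per src_ip: count, distinct dest_ports and signatures (Events tab view)."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "signatures": set()})
    for e in alert_events:
        s = summary[e["src_ip"]]
        s["count"] += 1
        if "dest_port" in e:
            s["ports"].add(e["dest_port"])
        s["signatures"].add(e["alert"]["signature"])
    return dict(summary)

def scan_candidates(alert_events, min_ports=3):
    """Sources whose alerts touch >= min_ports distinct ports: the footprint of a port scan."""
    return sorted(ip for ip, s in by_source(alert_events).items()
                  if len(s["ports"]) >= min_ports)
```

Point parse_eve at the real /var/log/suricata/eve.json contents to reproduce the same per-source pivot outside the dashboard.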


Results

The integration was successfully validated by generating network reconnaissance traffic using Nmap. Suricata detected the activity, logged the event to eve.json, and Wazuh successfully ingested and displayed the alert within the Threat Hunting dashboard.

This demonstrates how Wazuh can leverage Suricata as a network-based detection source to provide centralized visibility and monitoring of suspicious network activity.


Final Thoughts

This PoC demonstrates how Suricata and Wazuh can work together to provide both network-level detection and centralized security monitoring.

While the lab focuses on detecting a simple Nmap SYN scan, the same integration can be used to identify a wide variety of threats including port scans, exploit attempts, malware communication, brute-force activity, command-and-control traffic, and other indicators of compromise.

By combining Suricata's packet inspection capabilities with Wazuh's log analysis, correlation, and visualization features, security teams gain greater visibility into their environments and can investigate threats more effectively.

This foundational setup closely mirrors real-world SOC environments where multiple security tools continuously generate telemetry that is aggregated, analyzed, and transformed into actionable security insights.


Outro

If this walkthrough helped you, feel free to connect with me:

GitHub: https://github.com/AdityaBhatt3010
LinkedIn: https://www.linkedin.com/in/adityabhatt3010/
Medium: https://medium.com/@adityabhatt3010

More writeups soon. Cleaner, deeper and built from too many late-night labs.

If you found this useful, consider starring the repository and following my cybersecurity journey.