This Proof of Concept (PoC) demonstrates the integration of Suricata IDS with Wazuh to provide network intrusion detection and centralized security monitoring.
In this setup, Suricata runs on the Wazuh Agent machine and monitors network traffic for suspicious activity. The generated alerts are stored in Suricata's eve.json log file, which is then ingested by Wazuh for analysis, correlation, and visualization through the Wazuh Dashboard.
Attacker Machine
│
▼
Nmap Scan Traffic
│
▼
Suricata IDS (Agent Machine)
│
▼
eve.json Logs
│
▼
Wazuh Agent
│
▼
Wazuh Manager & Dashboard
Suricata is an open-source Intrusion Detection and Prevention System (IDS/IPS) that inspects network traffic and generates alerts whenever suspicious or malicious activity is detected.
```bash
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y
```

By default, Suricata ships with only a limited set of rules. To improve detection coverage, we download the Emerging Threats ruleset, which contains thousands of community-maintained signatures for identifying scans, exploits, malware activity, command-and-control traffic, and other suspicious behaviors.
```bash
cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz
sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules
```

The image below shows the difference between the original rule set and the expanded rule repository after importing the Emerging Threats rules.
Open the Suricata configuration file:

```bash
nano /etc/suricata/suricata.yaml
```

Several settings must be adjusted so that Suricata monitors the local network correctly and loads the imported rules.
The HOME_NET variable represents the network or host that Suricata should protect.

Change:

```yaml
HOME_NET: "[...]"
```

To:

```yaml
HOME_NET: "[Current IP]"
```

This ensures alerts are generated relative to the monitored machine.
By default, traffic originating from HOME_NET may be excluded from certain detections.

Change:

```yaml
EXTERNAL_NET: "!$HOME_NET"
#EXTERNAL_NET: "any"
```

To:

```yaml
#EXTERNAL_NET: "!$HOME_NET"
EXTERNAL_NET: "any"
```

This allows Suricata to inspect all traffic sources and destinations.
Change:

```yaml
default-rule-path: ...
```

To:

```yaml
default-rule-path: /etc/suricata/rules
```

This tells Suricata where the downloaded rules are stored.

Set:

```yaml
rule-files:
  - "*.rules"
```

This automatically loads every rule file present in the rules directory.

If disabled, enable statistics collection.

Set:

```yaml
stats:
  enabled: yes
```

This provides additional visibility into Suricata's operation and event generation.

If your network interface is not eth0, replace it accordingly.

Set:

```yaml
af-packet:
  - interface: eth0
```

This ensures Suricata listens on the correct network adapter.
Suricata stores alerts in the eve.json file. Wazuh must be instructed to monitor this file so that generated events appear in the dashboard.
Open:

```bash
nano /var/ossec/etc/ossec.conf
```

Add the following block immediately before the closing </ossec_config> tag:

```xml
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
```

This configuration tells Wazuh to continuously parse Suricata's JSON-formatted alerts and forward them for analysis.
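As an added example (not part of the original walkthrough), the following Python applies this step programmatically and checks first whether the block is already present, so re-running a provisioning script does not append a second `<localfile>` entry. The sample ossec.conf is constructed, and the manager address in it is a placeholder.

```python
import xml.etree.ElementTree as ET

EVE_PATH = "/var/log/suricata/eve.json"
CLOSING_TAG = "</ossec_config>"
LOCALFILE_BLOCK = (
    "  <localfile>\n"
    "    <log_format>json</log_format>\n"
    f"    <location>{EVE_PATH}</location>\n"
    "  </localfile>\n"
)

# Constructed stand-in for /var/ossec/etc/ossec.conf (not a real agent
# config); the manager address is a placeholder.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP_PLACEHOLDER</address>
    </server>
  </client>
</ossec_config>
"""

def has_eve_localfile(conf_text):
    """True when a <localfile> already reads eve.json as JSON.
    ossec.conf may contain several <ossec_config> roots, so wrap it
    in a single root element before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip()
        log_format = (lf.findtext("log_format") or "").strip()
        if location == EVE_PATH and log_format == "json":
            return True
    return False

def add_eve_localfile(conf_text):
    """Insert the block just before the last </ossec_config>; a second
    run leaves the text unchanged instead of duplicating the block."""
    if has_eve_localfile(conf_text):
        return conf_text
    idx = conf_text.rfind(CLOSING_TAG)
    if idx == -1:
        raise ValueError("ossec.conf has no closing </ossec_config> tag")
    return conf_text[:idx] + LOCALFILE_BLOCK + conf_text[idx:]

if __name__ == "__main__":
    print(add_eve_localfile(SAMPLE_OSSEC_CONF))
```

On a real agent, read the file into `conf_text`, write the result back, and then restart wazuh-agent as described below.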
After making all configuration changes, restart both services to apply the updates.
```bash
systemctl restart suricata.service
systemctl restart wazuh-agent.service
```

To validate the integration, perform a SYN scan against the Agent machine from the attacker machine:

```bash
nmap -sS <AGENT_IP>
```

A SYN scan sends TCP SYN packets to discover open ports without completing the full TCP handshake. Suricata contains signatures capable of detecting various reconnaissance activities, making this a simple and effective validation test.
Once the scan is detected, navigate to:
Wazuh Dashboard
└── Agents
└── Threat Hunting
The dashboard provides a high-level overview of events generated by Suricata and processed by Wazuh.
The Events tab contains detailed information about every alert, including:
- Rule ID
- Alert severity
- Source IP
- Destination IP
- Protocol information
- Event timestamps
- Full Suricata alert details
This allows analysts to investigate detected activity and understand exactly why an event was triggered.
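To see what those fields look like before Wazuh indexes them, here is an added Python example (not from the original lab) that reads eve.json lines, keeps only alert events, extracts the fields listed above, and flags sources that triggered alerts against many distinct destination ports, the footprint the Nmap SYN scan leaves. The eve.json lines are constructed, and the signature ids and names are placeholders rather than real Emerging Threats rules.

```python
import json
from collections import defaultdict

# Constructed eve.json lines, not captured from a real Suricata instance; the
# signature ids and names are placeholders, not real Emerging Threats rules.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T12:00:00.000001+0000","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2024-05-01T12:00:02.000001+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":44001,"dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER SCAN probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T12:00:02.000002+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":44002,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER SCAN probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T12:00:02.000003+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":44003,"dest_ip":"10.0.0.20","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER SCAN probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T12:00:02.000004+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":44004,"dest_ip":"10.0.0.20","dest_port":3389,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER SCAN probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T12:05:00.000001+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":51000,"dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","alert":{"signature_id":9000002,"rev":1,"signature":"PLACEHOLDER WEB probe","category":"Web Application Attack","severity":1}}
this line is not JSON and must be skipped
"""

def parse_alerts(lines):
    """Keep only event_type == "alert" events and extract the fields the Wazuh
    Events tab shows; blank or malformed lines are skipped rather than fatal."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        alerts.append({
            "timestamp": event.get("timestamp"),
            "rule_id": alert.get("signature_id"),
            "signature": alert.get("signature"),
            "severity": alert.get("severity"),  # 1 is the highest Suricata priority
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
            "dest_port": event.get("dest_port"),
            "proto": event.get("proto"),
        })
    return alerts

def scan_sources(alerts, min_ports=3):
    """Sources that alerted against at least min_ports distinct destination ports,
    the one-host-to-many-ports footprint a SYN scan leaves in eve.json."""
    ports = defaultdict(set)
    for alert in alerts:
        if alert["dest_port"] is not None:
            ports[alert["src_ip"]].add(alert["dest_port"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

Run `scan_sources(parse_alerts(open("/var/log/suricata/eve.json")))` on the agent to reproduce the same triage over the live log.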
The integration was successfully validated by generating network reconnaissance traffic using Nmap. Suricata detected the activity, logged the event to eve.json, and Wazuh successfully ingested and displayed the alert within the Threat Hunting dashboard.
This demonstrates how Wazuh can leverage Suricata as a network-based detection source to provide centralized visibility and monitoring of suspicious network activity.
This PoC demonstrates how Suricata and Wazuh can work together to provide both network-level detection and centralized security monitoring.
While the lab focuses on detecting a simple Nmap SYN scan, the same integration can be used to identify a wide variety of threats including port scans, exploit attempts, malware communication, brute-force activity, command-and-control traffic, and other indicators of compromise.
By combining Suricata's packet inspection capabilities with Wazuh's log analysis, correlation, and visualization features, security teams gain greater visibility into their environments and can investigate threats more effectively.
This foundational setup closely mirrors real-world SOC environments where multiple security tools continuously generate telemetry that is aggregated, analyzed, and transformed into actionable security insights.
If this walkthrough helped you, feel free to connect with me:
GitHub: https://github.com/AdityaBhatt3010
LinkedIn: https://www.linkedin.com/in/adityabhatt3010/
Medium: https://medium.com/@adityabhatt3010
More writeups soon. Cleaner, deeper and built from too many late-night labs.
If you found this useful, consider starring the repository and following my cybersecurity journey.