How to instruct Wazuh to send a mail when Suricata message contains alert.severity > 3


mauro....@cmcc.it

Jun 8, 2021, 6:38:32 AM
to Wazuh mailing list
Hi all,

I just deployed Suricata in order to cooperate with Wazuh.
It seems that it is working as expected. It's sending the information I need to Wazuh.

Anyway, I would like to know if there is a way to instruct Wazuh to send a mail message when Suricata messages contain an alert severity level >= 3.

Thank you in advance,
Mauro

Rafael Antonio Rodriguez Otero

Jun 8, 2021, 11:42:02 AM
to mauro....@cmcc.it, Wazuh mailing list
Hello Mauro, here again. He he.

Friend, explain better: do you want to send emails by criteria >= 3 of the Wazuh log level, or of Suricata's log level?


Jose Antonio Izquierdo

Jun 8, 2021, 1:08:25 PM
to Wazuh mailing list
Hi Mauro, 
I think I would try something like this:

    <rule id="186601" level="3">
        <if_sid>86601</if_sid>
        <!-- OS_Regex has no bracket ranges, so the originally posted ^[3-15]$ does not mean 3..15;
             spell the accepted values out as anchored alternatives instead -->
        <field name="alert.severity">^3$|^4$|^5$|^6$|^7$|^8$|^9$|^10$|^11$|^12$|^13$|^14$|^15$</field>
        <description>Suricata: Alert - $(alert.signature), email notification</description>
        <options>no_full_log,alert_by_email</options>
    </rule>

Of course, you must have your email notifications enabled and configured as needed.
Ping me if you need any further detail.

Thanks

Mauro Tridici

Jun 8, 2021, 7:14:02 PM
to Rafael Antonio Rodriguez Otero, Wazuh mailing list
Hello Rafael :) welcome back.

I would like to receive email when suricata alert level is >=3.

Jose gave me the solution:

    <rule id="186601" level="3">
        <if_sid>86601</if_sid>
        <!-- OS_Regex has no bracket ranges, so the originally posted ^[3-15]$ does not mean 3..15;
             spell the accepted values out as anchored alternatives instead -->
        <field name="alert.severity">^3$|^4$|^5$|^6$|^7$|^8$|^9$|^10$|^11$|^12$|^13$|^14$|^15$</field>
        <description>Suricata: Alert - $(alert.signature), email notification</description>
        <options>no_full_log,alert_by_email</options>
    </rule>

Anyway, I think that level=3 is very low (I have a lot of occurrences) and it is causing a "heap error" during wazuh-manager restart. So, I modified the rule as follows:

    <rule id="186601" level="10">
        <if_sid>86601</if_sid>
        <!-- OS_Regex has no bracket ranges, so the originally posted ^[10-15]$ does not mean 10..15;
             list the accepted values as anchored alternatives instead -->
        <field name="alert.severity">^10$|^11$|^12$|^13$|^14$|^15$</field>
        <description>Suricata: Alert - $(alert.signature), email notification</description>
        <options>no_full_log,alert_by_email</options>
    </rule>

But now I need to understand how to test the mail notification. I need to "create" a Suricata alert with level >= 10 and I don't know how to do it...
At this moment, Suricata detects only multiple alert-level-3 events.

Thank you,
Mauro

Mauro Tridici

Jun 8, 2021, 7:15:10 PM
to Jose Antonio Izquierdo, Wazuh mailing list
Hello Jose,

thank you very much.

You gave me the solution:

    <rule id="186601" level="3">
        <if_sid>86601</if_sid>
        <!-- OS_Regex has no bracket ranges, so the originally posted ^[3-15]$ does not mean 3..15;
             spell the accepted values out as anchored alternatives instead -->
        <field name="alert.severity">^3$|^4$|^5$|^6$|^7$|^8$|^9$|^10$|^11$|^12$|^13$|^14$|^15$</field>
        <description>Suricata: Alert - $(alert.signature), email notification</description>
        <options>no_full_log,alert_by_email</options>
    </rule>

Anyway, I think that level=3 is very low (I have a lot of occurrences) and it is causing a "heap error" during wazuh-manager restart. So, I modified the rule as follows:

    <rule id="186601" level="10">
        <if_sid>86601</if_sid>
        <!-- OS_Regex has no bracket ranges, so the originally posted ^[10-15]$ does not mean 10..15;
             list the accepted values as anchored alternatives instead -->
        <field name="alert.severity">^10$|^11$|^12$|^13$|^14$|^15$</field>
        <description>Suricata: Alert - $(alert.signature), email notification</description>
        <options>no_full_log,alert_by_email</options>
    </rule>

But now I need to understand how to test the mail notification. I need to "create" a Suricata alert with level >= 10 and I don't know how to do it...
At this moment, Suricata detects only multiple alert-level-3 events.

Thank you,
Mauro


Jeff Dyke

Jun 8, 2021, 7:26:04 PM
to Mauro Tridici, Jose Antonio Izquierdo, Wazuh mailing list
Can I take a slight step back and ask... what mode is Suricata in? Suricata can alert, or you can hack it super easily to do so. I use Suricata as an IPS and Wazuh/OSSEC as an IDS. I don't get the reason to marry the two when you can deploy Suricata as an IDS as well.


Mauro Tridici

Jun 8, 2021, 7:36:24 PM
to Jeff Dyke, Jose Antonio Izquierdo, Wazuh mailing list
Hello Jeff,

thank you for your answer.
At this moment, Suricata is running as an IDS.
In my case, Wazuh is working as a HIDS (at host level): it blocks attacks and provides some interesting statistics using the ELK stack.
Suricata is working as a NIDS (at network level): it analyses network traffic and sends the information to Wazuh.
So, I can see all the information from a single, centralized point of view (Wazuh dashboards).

Maybe I’m wrong, I’m a newbie and I’m starting using these tools together to evaluate them.

Now, I can see Suricata logs/events in the Wazuh dashboards, but I didn't receive any alert mail, since the Suricata alerts are equal to 3 (and Wazuh is sending mail only when the Wazuh alert level is >= 10).

So, as suggested by Jose, I created this local rule:

    <rule id="186601" level="10">
        <if_sid>86601</if_sid>
        <!-- OS_Regex has no bracket ranges, so the originally posted ^[10-15]$ does not mean 10..15;
             list the accepted values as anchored alternatives instead -->
        <field name="alert.severity">^10$|^11$|^12$|^13$|^14$|^15$</field>
        <description>Suricata: Alert - $(alert.signature), email notification</description>
        <options>no_full_log,alert_by_email</options>
    </rule>


Anyway, in order to test it, I need to "cause" a Suricata alert.severity >= 10 event and see what happens.
But I don't know how to do it. Moreover, I'm not so sure that the Suricata alert level can reach level 10 or 15.

Please, sorry for the confusion that my question/needs are creating.

Thanks,
Mauro

Jeff Dyke

Jun 8, 2021, 8:40:24 PM
to Mauro Tridici, Jose Antonio Izquierdo, Wazuh mailing list
That all makes sense, and also gives me more questions. Although, because I have never run Suricata in anything but IPS mode (in which I would use curl to fake events), Suricata does have this capability, but does not make it simple for you: https://suricata.readthedocs.io/en/suricata-6.0.0/rule-management/adding-your-own-rules.html. You can make a rule that detects a new file in your home directory and causes a signature.alert == 3. Note the link for the format of local.rules as much as for the intent of the main page.

Good Luck!