Does Wazuh work on OSSIM?


Neal Rauhauser

Jan 24, 2018, 9:45:29 PM
to Wazuh mailing list

This evening I decided it would be interesting to see if I could get Wazuh installed on Alien Vault's OSSIM.

I downloaded OSSIM, which seems to be a Debian-based system.

When trying to follow install procedures I see funny stuff about not being able to lock the package database.
Broadly speaking, is there any history of people installing Wazuh over the top of OSSIM?

Neal Rauhauser

Jan 25, 2018, 3:26:07 PM
to Wazuh mailing list

After a bit of digging, OSSIM doesn't get a lot of attention anymore, and installing Wazuh over the top results in a Wazuh instance that needs a manual start and a broken OSSIM that won't start. Yuck.

So is there a solution that puts Wazuh (agent based) on a server that also has a second Ethernet port monitoring a mirror port on a network at a small/medium business?

That seems to me like a niche that could use some attention, but I'm just at the theoretical stage here and would appreciate a real-world reality check.

Santiago Bassett

Jan 25, 2018, 6:45:43 PM
to Neal Rauhauser, Wazuh mailing list
Hi Neal,

If you want to do NIDS, my advice would be to use Suricata. It is a great complement to a HIDS.

I've actually seen prod environments where the same attack is detected both at the network level by Suricata (the NIDS) and at the host level by Wazuh (the HIDS). In addition, we do have rules and decoders for Suricata, meaning that you can use the Wazuh agents to collect Suricata alerts and the Wazuh managers to enrich them and send them to Elastic, where they would be indexed.

Here you can find Suricata rules:


They make use of the JSON decoder (since Suricata supports JSON output). Also attached is an example screenshot of Suricata alerts in the Wazuh Kibana plugin.


Regards,

Santiago.
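To make the Suricata-to-Wazuh path Santiago describes concrete, here is an added example (not code from the thread or from the Wazuh project): it takes constructed Suricata EVE JSON lines, flattens them into the dotted `data.*` fields the Wazuh JSON decoder exposes to rules, and applies a rule-like condition that fires only on `event_type == "alert"`. The severity-to-level mapping and the description format are assumptions for illustration, and the example assumes the agent ships `/var/log/suricata/eve.json` as a `json`-format localfile.

```python
import json

# Constructed Suricata EVE JSON lines standing in for /var/log/suricata/eve.json:
# one alert, one flow record that must NOT raise an alert, one malformed line.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2018-01-25T18:00:00.000000+0000",
                "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 51234,
                "dest_ip": "10.0.0.9", "dest_port": 22, "proto": "TCP",
                "alert": {"action": "allowed", "gid": 1, "signature_id": 9000001,
                          "rev": 1, "signature": "CONSTRUCTED Example SSH scan",
                          "category": "Attempted Information Leak", "severity": 2}}),
    json.dumps({"timestamp": "2018-01-25T18:00:01.000000+0000",
                "event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "proto": "TCP", "flow": {"pkts_toserver": 3, "bytes_toserver": 180}}),
    "not json at all",
]

# Assumed mapping of Suricata severity (1 = most severe) to a Wazuh-style level.
SEVERITY_TO_LEVEL = {1: 10, 2: 7, 3: 4}


def flatten(obj, prefix="data"):
    """Flatten nested JSON into dotted keys (data.alert.signature, data.src_ip, ...),
    the field names the Wazuh JSON decoder makes available to rules."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}.{key}"))
    return out


def decode_eve_line(line):
    """Decode one eve.json line; unparsable lines are skipped, not fatal."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    return flatten(event) if isinstance(event, dict) else None


def match_alert_rule(fields):
    """Rule-like condition: only event_type == alert produces a Wazuh alert."""
    if fields.get("data.event_type") != "alert":
        return None
    return {"level": SEVERITY_TO_LEVEL.get(fields.get("data.alert.severity"), 3),
            "description": f"Suricata: Alert - {fields.get('data.alert.signature')}",
            "src_ip": fields.get("data.src_ip"), "dest_ip": fields.get("data.dest_ip")}


def process_eve(lines):
    """Run every line through decoder and rule; return the alerts that fired."""
    decoded = (decode_eve_line(line) for line in lines)
    return [a for f in decoded if f for a in [match_alert_rule(f)] if a]


if __name__ == "__main__":
    for alert in process_eve(SAMPLE_EVE_LINES):
        print(alert)
```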


To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/aeda04e2-dd17-4c77-8a6e-515993669c2b%40googlegroups.com.
