Integration of alerts from Suricata into the Wazuh dashboard
Michel Martin
I have set up a SIEM with two scans for my machines: an in-depth scan with Wazuh and a surface scan with an IDS/IPS, which is Suricata (I have configured Suricata on my pfSense machine). I would like both agents to report alerts on the same dashboard rather than on two separate ones. Currently, I can send my Suricata logs from my pfSense machine to an eve.json file on my Wazuh machine. I have configured my ossec.conf file to include the following:
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
Here is a portion of the logs received by my Wazuh machine:
pfsense.martin.domain suricata[83950]: {"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}
I then changed the rules in the suricata_rules.xml file to set the rule levels to 5 instead of 0. Despite this, I still do not have my Suricata alerts on my Wazuh dashboard, and I am unsure what to modify or add to achieve this. Could you provide guidance to help me resolve this issue? Thank you in advance for your response.
Jose Camargo
For example, if the event is:
{"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}
<group name="suricata,">
<rule id="123456" level="2">
<decoded_as>json</decoded_as>
<field name=" flow_id "> 2131567616827281 </field>
<description>Suricata general event</description>
</rule>
<rule id="123457" level="5">
<if_sid>123456</if_sid>
<field name=" src_ip">10.95.95.12</field>
<description>Suricata Event: Event coming from $(src_ip) to $(dest_ip)</description>
</group>
This is just an example, please modify it as needed.
I'll be awaiting your comments.
Michel Martin
Thank you for your response. I have made the changes as you instructed, but it still doesn't work.
I have applied the rules as you requested and set a default decoder. Here are the two texts showing what I have implemented.
<decoder name="json">
<program_name>suricata</program_name>
</decoder>
<decoder name="json_child">
<operation>parent</operation>
<regex>^\s*"src_ip": "(1(6[0-9]|72(.[1-9][0-9])|192.168)(.[1-9][0-9]){2}).\d{1,3}\b</regex>
<order>srcip</order>
</decoder>
<decoder name="json_child">
<operation>parent</operation>
<regex>^\s*"dest_ip": "(1(6[0-9]|72(.[1-9][0-9])|192.168)(.[1-9][0-9]){2}).\d{1,3}\b</regex>
<order>srcip</order>
</decoder>
<decoder name="json_child">
<operation>parent</operation>
<regex>^\s*"proto": "(TCP|UDP|ICMP|IP)"</regex>
<order>proto</order>
</decoder>
<plugin_decoder>JSON_Decoder</plugin_decoder>
[root@wazuh-server rules]# cat local_rules.xml
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>
<group name="suricata,">
<rule id="123456" level="2">
<decoded_as>json/decoded_as</decoded_as>
<field name="flow_id">21315676616827821</field>
<description>Suricata general event</description>
<group>suricata,</group>
</rule>
<rule id="123457" level="5">
<if_sid>123456</if_sid>
<field name="src_ip">10.95.95.12</field>
<description>Suricata Event: Event coming from ${src_ip} to ${dest_ip}</description>
<group>suricata,network,</group>
</rule>
</group>
I have the impression that the problem is related to log processing. As you can see in the following text, it seems that my eve.json file contains JSON logs embedded within syslog.
*.* 35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018232+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":29,"bytes_toclient":0,"start":"2024-07-01T19:45:02.016232+00:00"}}
*.* 35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018252+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"dns":{"type":"query","id":65522,"rrname":"t0.microsoft.com.edgekey.net","rrtype":"A","tx_id":0}}
*.* 35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018292+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"dns":{"type":"answer","id":65522,"rrname":"t0.microsoft.com.edgekey.net","rrtype":"CNAME","ttl":47,"rdata":"g0.microsoft.com.edgekey.net"},"timestamp":"2024-07-01T19:45:02.016232+00:00"}}
*.* 35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018292+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"dns":{"type":"answer","id":65522,"rrname":"t0.microsoft.com.edgekey.net","rrtype":"A","ttl":47,"rdata":"10.128.128.65"},"timestamp":"2024-07-01T19:45:02.016232+00:00"}}
Despite all this, I manage to get a consistent result with ./wazuh-logtest as you can see below... Sorry for the confusion, I am a bit lost at the moment...
Jul 3 11:21:55 pfsense.cossi.socc suricata[99755]: {"timestamp":"2024-07-03T11:21:54.866267+0000","flow_id":513309333514196,"in_iface":"vtnet3","event_type":"tls","src_ip":"10.95.95.12","src_port":50278,"dest_ip":"40.79.173.40","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"C=US, ST=WA, L=Redmond, O=Microsoft, OU=WSE, CN=*.events.data.microsoft.com","issuerdn":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","serial":"33:00:00:02:B7:20:37:74:0C:A0:0B:2F:B4:00:00:00:00:02:B7","fingerprint":"c4:e1:11:6a:c5:a8:89:e0:78:2b:9c:a8:c1:32:68:94:6a:31:bf:8c","sni":"v10.events.data.microsoft.com","version":"TLS 1.2","notbefore":"2024-05-16T22:27:19","notafter":"2025-05-16T22:27:19"}}
**Phase 1: Completed pre-decoding.
timestamp: 'Jul 3 11:21:55'
hostname: 'pfsense.cossi.socc'
program_name: 'suricata'
**Phase 2: Completed decoding.
name: 'json'
dest_ip: '40.79.173.40'
dest_port: '443'
event_type: 'tls'
flow_id: '513309333514196.000000'
in_iface: 'vtnet3'
pkt_src: 'wire/pcap'
proto: 'TCP'
src_ip: '10.95.95.12'
src_port: '50278'
timestamp: '2024-07-03T11:21:54.866267+0000'
tls.fingerprint: 'c4:e1:11:6a:c5:a8:89:e0:78:2b:9c:a8:c1:32:68:94:6a:31:bf:8c'
tls.issuerdn: 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011'
tls.notafter: '2025-05-16T22:27:19'
tls.notbefore: '2024-05-16T22:27:19'
tls.serial: '33:00:00:02:B7:20:37:74:0C:A0:0B:2F:B4:00:00:00:00:02:B7'
tls.sni: 'v10.events.data.microsoft.com'
tls.subject: 'C=US, ST=WA, L=Redmond, O=Microsoft, OU=WSE, CN=*.events.data.microsoft.com'
tls.version: 'TLS 1.2'
**Phase 3: Completed filtering (rules).
id: '86604'
level: '0'
description: 'Suricata: TLS.'
groups: '['ids', 'suricata']'
firedtimes: '1'
mail: 'False'
Thanks for answering