Integration of alerts from Suricata into the Wazuh dashboard


Michel Martin

Jul 2, 2024, 4:03:17 PM
to Wazuh | Mailing List
Hi,

I have set up a SIEM with two scans for my machines: an in-depth scan with Wazuh and a surface scan with an IDS/IPS, which is Suricata (I have configured Suricata on my pfSense machine). I would like both agents to report alerts on the same dashboard rather than on two separate ones. Currently, I can send my Suricata logs from my pfSense machine to an eve.json file on my Wazuh machine. I have configured my ossec.conf file to include the following:

<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
</localfile>

Here is a portion of the logs received by my Wazuh machine:

pfsense.martin.domain suricata[83950]: {"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}

I then changed the rules in the suricata_rules.xml file to set the rule levels to 5 instead of 0. Despite this, I still do not have my Suricata alerts on my Wazuh dashboard, and I am unsure what to modify or add to achieve this. Could you provide guidance to help me resolve this issue? Thank you in advance for your response.

Jose Camargo

Jul 2, 2024, 6:13:11 PM
to Wazuh | Mailing List
Hi Michel,

When Wazuh reads JSON logs, it treats them differently from "regular" logs. There is a default JSON decoder (more info here) that will automatically decode the logs, and you only have to create new custom rules for them (this differs from the default Suricata rules, and that's why you see no events).

For example, if the event is:

{"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}

You can create rules like this:

<group name="suricata,">
  <rule id="123456" level="2">
    <decoded_as>json</decoded_as>
    <field name="flow_id">2131567616827281</field>
    <description>Suricata general event</description>
  </rule>
  <rule id="123457" level="5">
    <if_sid>123456</if_sid>
    <field name="src_ip">10.95.95.12</field>
    <description>Suricata Event: Event coming from $(src_ip) to $(dest_ip)</description>
  </rule>
</group>

This is just an example, please modify it as needed.

I'll be awaiting your comments.

Regards,
Jose Camargo

Michel Martin

Jul 3, 2024, 3:16:46 PM
to Wazuh | Mailing List

Thank you for your response. I have made the changes as you instructed, but it still doesn't work.

I have applied the rules as you requested and set a default decoder. Here are the two texts showing what I have implemented.

<decoder name="json">
    <program_name>suricata</program_name>
</decoder>

<decoder name="json_child">
    <operation>parent</operation>
    <regex>^\s*"src_ip": "(1(6[0-9]|72(.[1-9][0-9])|192.168)(.[1-9][0-9]){2}).\d{1,3}\b</regex>
    <order>srcip</order>
</decoder>

<decoder name="json_child">
    <operation>parent</operation>
    <regex>^\s*"dest_ip": "(1(6[0-9]|72(.[1-9][0-9])|192.168)(.[1-9][0-9]){2}).\d{1,3}\b</regex>
    <order>srcip</order>
</decoder>

<decoder name="json_child">
    <operation>parent</operation>
    <regex>^\s*"proto": "(TCP|UDP|ICMP|IP)"</regex>
    <order>proto</order>
</decoder>

<plugin_decoder>JSON_Decoder</plugin_decoder>

[root@wazuh-server rules]# cat local_rules.xml
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">
    <rule id="100001" level="5">
        <if_sid>5716</if_sid>
        <srcip>1.1.1.1</srcip>
        <description>sshd: authentication failed from IP 1.1.1.1.</description>
        <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
    </rule>
</group>

<group name="suricata,">
    <rule id="123456" level="2">
        <decoded_as>json</decoded_as>
        <field name="flow_id">21315676616827821</field>
        <description>Suricata general event</description>
        <group>suricata,</group>
    </rule>

    <rule id="123457" level="5">
        <if_sid>123456</if_sid>
        <field name="src_ip">10.95.95.12</field>
        <description>Suricata Event: Event coming from $(src_ip) to $(dest_ip)</description>
        <group>suricata,network,</group>
    </rule>
</group>

I have the impression that the problem is related to log processing. As you can see in the following text, it seems that my eve.json file contains JSON logs embedded within syslog.

*.*    35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018232+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":29,"bytes_toclient":0,"start":"2024-07-01T19:45:02.016232+00:00"}}
*.*    35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018252+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"dns":{"type":"query","id":65522,"rrname":"t0.microsoft.com.edgekey.net","rrtype":"A","tx_id":0}}
*.*    35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018292+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"dns":{"type":"answer","id":65522,"rrname":"t0.microsoft.com.edgekey.net","rrtype":"CNAME","ttl":47,"rdata":"g0.microsoft.com.edgekey.net"},"timestamp":"2024-07-01T19:45:02.016232+00:00"}}
*.*    35240 pfSense.consul.socat suricata[10955]: {"timestamp":"2024-07-01T19:45:02.018292+00:00","flow_id":2131567667080878940,"in_iface":"vtnet1","event_type":"flow","src_ip":"10.95.95.12","src_port":55251,"dest_ip":"10.128.128.65","dest_port":53,"proto":"UDP","tx_id":0,"dns":{"type":"answer","id":65522,"rrname":"t0.microsoft.com.edgekey.net","rrtype":"A","ttl":47,"rdata":"10.128.128.65"},"timestamp":"2024-07-01T19:45:02.016232+00:00"}}

Despite all this, I manage to get a consistent result with ./wazuh-logtest, as you can see below... Sorry for the confusion, I am a bit lost at the moment...

Jul  3 11:21:55 pfsense.cossi.socc suricata[99755]: {"timestamp":"2024-07-03T11:21:54.866267+0000","flow_id":513309333514196,"in_iface":"vtnet3","event_type":"tls","src_ip":"10.95.95.12","src_port":50278,"dest_ip":"40.79.173.40","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"C=US, ST=WA, L=Redmond, O=Microsoft, OU=WSE, CN=*.events.data.microsoft.com","issuerdn":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","serial":"33:00:00:02:B7:20:37:74:0C:A0:0B:2F:B4:00:00:00:00:02:B7","fingerprint":"c4:e1:11:6a:c5:a8:89:e0:78:2b:9c:a8:c1:32:68:94:6a:31:bf:8c","sni":"v10.events.data.microsoft.com","version":"TLS 1.2","notbefore":"2024-05-16T22:27:19","notafter":"2025-05-16T22:27:19"}}

**Phase 1: Completed pre-decoding.
        timestamp: 'Jul  3 11:21:55'
        hostname: 'pfsense.cossi.socc'
        program_name: 'suricata'

**Phase 2: Completed decoding.
        name: 'json'
        dest_ip: '40.79.173.40'
        dest_port: '443'
        event_type: 'tls'
        flow_id: '513309333514196.000000'
        in_iface: 'vtnet3'
        pkt_src: 'wire/pcap'
        proto: 'TCP'
        src_ip: '10.95.95.12'
        src_port: '50278'
        timestamp: '2024-07-03T11:21:54.866267+0000'
        tls.fingerprint: 'c4:e1:11:6a:c5:a8:89:e0:78:2b:9c:a8:c1:32:68:94:6a:31:bf:8c'
        tls.issuerdn: 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011'
        tls.notafter: '2025-05-16T22:27:19'
        tls.notbefore: '2024-05-16T22:27:19'
        tls.serial: '33:00:00:02:B7:20:37:74:0C:A0:0B:2F:B4:00:00:00:00:02:B7'
        tls.sni: 'v10.events.data.microsoft.com'
        tls.subject: 'C=US, ST=WA, L=Redmond, O=Microsoft, OU=WSE, CN=*.events.data.microsoft.com'
        tls.version: 'TLS 1.2'

**Phase 3: Completed filtering (rules).
        id: '86604'
        level: '0'
        description: 'Suricata: TLS.'
        groups: '['ids', 'suricata']'
        firedtimes: '1'
        mail: 'False'

Thanks for answering

Jose Camargo

Jul 3, 2024, 8:38:11 PM
to Wazuh | Mailing List
Hi Michel,

You can set the decoders as follows (more info on decoder syntax here).

<decoder name="suricata-custom">
    <program_name>suricata</program_name>
</decoder>

<decoder name="suricata-custom-child">
    <parent>suricata-custom</parent>
    <regex>"src_ip":"(\d+.\d+.\d+.\d+)"</regex>
    <order>src_ip</order>
</decoder>

<decoder name="suricata-custom-child">
    <parent>suricata-custom</parent>
    <regex>"dest_ip":"(\d+.\d+.\d+.\d+)"</regex>
    <order>dest_ip</order>
</decoder>

<decoder name="suricata-custom-child">
    <parent>suricata-custom</parent>
    <regex>"proto":"(\S+)"</regex>
    <order>proto</order>
</decoder>

<decoder name="suricata-custom-child">
    <parent>suricata-custom</parent>
    <regex>"flow_id":(\d+),</regex>
    <order>flow_id</order>
</decoder>

Having it named JSON will break any other JSON event not related to Suricata. As a recommendation, if you want to add custom decoders, don't edit the default ones but create new ones with different names.

And also the rules:

<group name="suricata,">

    <rule id="123456" level="2">
        <decoded_as>suricata-custom</decoded_as>
        <description>Suricata general event</description>
        <group>suricata,</group>
    </rule>

    <rule id="123457" level="5">
        <if_sid>123456</if_sid>
        <field name="flow_id">21315676616827821</field>
        <description>Suricata Event: Event coming from $(src_ip) to $(dest_ip)</description>
        <group>suricata,network,</group>
    </rule>

</group>


After this, it should work:

**Phase 1: Completed pre-decoding.
  full event: 'Jul  3 11:21:55 pfsense.cossi.socc suricata[99755]: {"timestamp":"2024-07-03T11:21:54.866267+0000","flow_id":21315676616827821,"in_iface":"vtnet3","event_type":"tls","src_ip":"10.95.95.12","src_port":50278,"dest_ip":"40.79.173.40","dest_port":443,"proto":"TCP","pkt_src":"wire/pcap","tls":{"subject":"C=US, ST=WA, L=Redmond, O=Microsoft, OU=WSE, CN=*.events.data.microsoft.com","issuerdn":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Secure Server CA 2011","serial":"33:00:00:02:B7:20:37:74:0C:A0:0B:2F:B4:00:00:00:00:02:B7","fingerprint":"c4:e1:11:6a:c5:a8:89:e0:78:2b:9c:a8:c1:32:68:94:6a:31:bf:8c","sni":"v10.events.data.microsoft.com","version":"TLS 1.2","notbefore":"2024-05-16T22:27:19","notafter":"2025-05-16T22:27:19"}}'
  timestamp: 'Jul  3 11:21:55'
  hostname: 'pfsense.cossi.socc'
  program_name: 'suricata'

**Phase 2: Completed decoding.
  name: 'suricata-custom'
  dest_ip: '40.79.173.40'
  flow_id: '21315676616827821'
  proto: 'TCP'
  src_ip: '10.95.95.12'

**Phase 3: Completed filtering (rules).
  id: '123457'
  level: '5'
  description: 'Suricata Event: Event coming from 10.95.95.12 to 40.79.173.40'
  groups: '["suricata","suricata","network"]'
  firedtimes: '1'
  mail: 'false'
**Alert to be generated.


Regards,
Jose Camargo
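To make the decoder and rule chain in this reply concrete, here is an added Python simulation (not Wazuh's code and not from the thread) that pre-decodes the syslog header, applies the four child regexes from the reply, and evaluates rules 123456/123457 on the result. The sample line is constructed from the thread's TLS event, and it is assumed that Python's regex semantics for `.`, `\d+` and `\S+` match Wazuh's for these simple patterns.

```python
import re

# Constructed sample, shaped like the syslog-wrapped eve.json lines in the thread.
SAMPLE_LINE = ('Jul  3 11:21:55 pfsense.cossi.socc suricata[99755]: '
               '{"timestamp":"2024-07-03T11:21:54.866267+0000","flow_id":21315676616827821,'
               '"in_iface":"vtnet3","event_type":"tls","src_ip":"10.95.95.12","src_port":50278,'
               '"dest_ip":"40.79.173.40","dest_port":443,"proto":"TCP"}')

# Phase 1: the syslog header; program_name is what the parent decoder keys on.
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$')

# Child decoder regexes copied from the reply; each <order> name maps to one capture group.
CHILD_DECODERS = {
    "src_ip": r'"src_ip":"(\d+.\d+.\d+.\d+)"',
    "dest_ip": r'"dest_ip":"(\d+.\d+.\d+.\d+)"',
    "proto": r'"proto":"(\S+)"',
    "flow_id": r'"flow_id":(\d+),',
}

def predecode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def decode(line, parent_program="suricata"):
    """Phase 2: the parent decoder matches on program_name, then children extract fields."""
    pre = predecode(line)
    if not pre or pre["prog"] != parent_program:
        return None  # parent did not match, so no child decoder runs
    fields = {"decoder": "suricata-custom"}
    for name, pattern in CHILD_DECODERS.items():
        m = re.search(pattern, pre["msg"])
        if m:
            fields[name] = m.group(1)
    return fields

def evaluate(fields, watched_flow_id="21315676616827821"):
    """Phase 3: rule 123456 fires on decoded_as; 123457 chains via if_sid plus a field match."""
    if not fields or fields.get("decoder") != "suricata-custom":
        return None
    alert = {"id": "123456", "level": 2, "description": "Suricata general event"}
    if fields.get("flow_id") == watched_flow_id:
        alert = {"id": "123457", "level": 5,
                 "description": "Suricata Event: Event coming from "
                                f"{fields.get('src_ip')} to {fields.get('dest_ip')}"}
    return alert
```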

Michel Martin

Jul 4, 2024, 3:28:12 PM
to Wazuh | Mailing List
Hi,

Thank you for your advice. I did what you told me and got the expected result on ./wazuh-logtest, but I still don't have Suricata alerts on my Wazuh dashboard. Do you have any suggestions to help me resolve this?

Regards,
Martin Michel.

Jose Camargo

Jul 4, 2024, 6:35:45 PM
to Wazuh | Mailing List
Hi Michel,

You have to confirm that Wazuh is reading those events. For this, first, enable archives by following the first 2 steps described here. Then, generate Suricata events and search them inside /var/ossec/logs/archives/archives.json. If you see them there, search for them in /var/ossec/logs/alerts/alerts.json. If you also find events in alerts, then the issue might be in filebeat. To confirm, check the Filebeat logs:

cat /var/log/filebeat/filebeat* | grep -i -E "error|warn"

Please let me know what you find.

Regards,
Jose
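An added Python helper for the archives.json versus alerts.json check described in this reply (not Wazuh's own tooling and not from the thread): it walks constructed records shaped like Wazuh's JSON output, keeps only the Suricata location, and explains why each event did or did not reach alerts.json against Wazuh's default log_alert_level of 3. The field subset, the absence of a "rule" object when no rule matched, and the use of full_log as the join key are assumptions.

```python
import json

LOG_ALERT_LEVEL = 3  # Wazuh's default <log_alert_level>; lower levels never reach alerts.json
EVE = "/var/log/suricata/eve.json"

def event(location, full_log, decoder, rule=None):
    """Build one archives.json/alerts.json style record (constructed, field subset only)."""
    rec = {"timestamp": "2024-07-07T09:58:01.000+0000", "location": location,
           "full_log": full_log, "decoder": {"name": decoder}}
    if rule:  # assumption: records with no matching rule carry no "rule" object
        rec["rule"] = {"id": rule[0], "level": rule[1]}
    return rec

# Constructed records: one custom-rule hit, one default level-0 hit, one unmatched, one sshd.
ARCHIVES = [
    event(EVE, 'suricata[1]: {"event_type":"tls","flow_id":21315676616827821}',
          "suricata-custom", ("123457", 5)),
    event(EVE, 'suricata[1]: {"event_type":"dns","flow_id":2131567616827281}',
          "json", ("86604", 0)),
    event(EVE, 'suricata[1]: {"event_type":"flow","flow_id":99}', "suricata-custom"),
    event("/var/log/auth.log", "sshd[2]: Failed password for root", "sshd", ("5716", 5)),
]
ALERTS = [ARCHIVES[0], ARCHIVES[3]]
ARCHIVES_JSON = "\n".join(json.dumps(e) for e in ARCHIVES)  # stands in for the two files
ALERTS_JSON = "\n".join(json.dumps(e) for e in ALERTS)

def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(archives_text, alerts_text, location=EVE):
    """For each Suricata record in archives, say whether it reached alerts and, if not, why."""
    alerted = {a["full_log"] for a in load(alerts_text)}  # assumption: full_log is unique
    report = {}
    for rec in load(archives_text):
        if rec.get("location") != location:
            continue
        rule = rec.get("rule")
        if rec["full_log"] in alerted:
            verdict = "alerted"
        elif rule is None:
            verdict = "no rule matched (check the decoded_as/if_sid chain with wazuh-logtest)"
        elif rule["level"] < LOG_ALERT_LEVEL:
            verdict = (f"rule {rule['id']} level {rule['level']} is below "
                       f"log_alert_level {LOG_ALERT_LEVEL}")
        else:
            verdict = f"rule {rule['id']} level {rule['level']} meets the threshold; re-run wazuh-logtest"
        report[rec["full_log"]] = verdict
    return report
```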

Michel Martin

Jul 7, 2024, 10:10:53 AM
to Wazuh | Mailing List
Hi,

I did what you told me; I have the Suricata alerts in archives.json, but they are not in alerts.json.

Regards,
Michel