Integration of alerts from Suricata into the Wazuh dashboard


Michel Martin

Jul 2, 2024, 4:03:17 PM
to Wazuh | Mailing List
Hi,

I have set up a SIEM with two scans for my machines: an in-depth scan with Wazuh and a surface scan with an IDS/IPS, which is Suricata (I have configured Suricata on my pfSense machine). I would like both agents to report alerts on the same dashboard rather than on two separate ones. Currently, I can send my Suricata logs from my pfSense machine to an eve.json file on my Wazuh machine. I have configured my ossec.conf file to include the following:

<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
</localfile>

Here is a portion of the logs received by my Wazuh machine:

pfsense.martin.domain suricata[83950]: {"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}

I then changed the rules in the suricata_rules.xml file to set the rule levels to 5 instead of 0. Despite this, I still do not have my Suricata alerts on my Wazuh dashboard, and I am unsure what to modify or add to achieve this. Could you provide guidance to help me resolve this issue? Thank you in advance for your response.

Jose Camargo

Jul 2, 2024, 6:13:11 PM
to Wazuh | Mailing List
Hi Michel,

When Wazuh reads JSON logs, it treats them differently from "regular" logs. There is a default JSON decoder (more info here) that will automatically decode the logs, and you only have to create new custom rules for them (this differs from the default Suricata rules and that's why you see no events).

For example, if the event is:

{"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","pkt_src":"wire/pcap","dns":{"type":"query","id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}

You can create rules like this:

<group name="suricata,">
  <!-- custom rule IDs belong in the 100000-120000 range reserved for them -->
  <rule id="100100" level="2">
    <decoded_as>json</decoded_as>
    <!-- field names and values must not carry surrounding whitespace, or they never match -->
    <field name="flow_id">2131567616827281</field>
    <description>Suricata general event</description>
  </rule>
  <rule id="100101" level="5">
    <!-- child rule: only evaluated once the parent rule above has matched -->
    <if_sid>100100</if_sid>
    <field name="src_ip">10.95.95.12</field>
    <description>Suricata Event: Event coming from $(src_ip) to $(dest_ip)</description>
  </rule>
</group>

This is just an example, please modify it as needed.

I'll be awaiting your comments.

Regards,
Jose Camargo
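As an added illustration of the decoder-then-rules flow described in the reply above (this is editor-supplied example code, not code from the thread or from the Wazuh project), the script below models, in simplified form, what wazuh-analysisd does with an eve.json line: the whole line must parse as one JSON object, nested keys are flattened to dotted names (alert.signature, dns.rrname), a parent rule with decoded_as json matches first, and a child rule selected by if_sid refines it. It generalizes the reply's example by keying the child rule on event_type "alert" instead of a literal flow_id, and it records whether the final level clears Wazuh's default log_alert_level of 3, which is why a level-0 match never reaches the dashboard. The rule IDs 100100/100101, the sample lines and the signature text are constructed for the example; Python regexes stand in for Wazuh's own regex syntax.

```python
import json
import re
from typing import Optional

# Wazuh's default <log_alert_level>: matches below this level produce no alert.
ALERT_THRESHOLD = 3

# Hypothetical custom rules (IDs in the 100000-120000 custom range are an
# assumption for the example). "fields" maps a flattened field name to the
# pattern it must match; "if_sid" names the parent rule, as in rules.xml.
RULES = [
    {
        "id": 100100, "level": 0, "if_sid": None, "decoded_as": "json",
        "fields": {"timestamp": r".+", "event_type": r".+"},
        "description": "Suricata event",
    },
    {
        "id": 100101, "level": 5, "if_sid": 100100, "decoded_as": None,
        "fields": {"event_type": r"^alert$"},
        "description": "Suricata alert: $(alert.signature) from $(src_ip) to $(dest_ip)",
    },
]

# Constructed sample lines, not real traffic: the DNS event from the thread,
# an alert event shaped like eve.json output, and a line that still carries a
# remote-syslog prefix in front of the JSON object.
SAMPLE_LINES = [
    '{"timestamp":"2024-07-01T14:35:51.889510+0000","flow_id":2131567616827281,'
    '"in_iface":"vtnet3","event_type":"dns","src_ip":"10.95.95.12","src_port":65059,'
    '"dest_ip":"10.95.95.1","dest_port":53,"proto":"UDP","dns":{"type":"query",'
    '"id":6946,"rrname":"ForestDnsZones.ad.lab","rrtype":"SOA","tx_id":0,"opcode":0}}',
    '{"timestamp":"2024-07-01T14:36:02.000000+0000","flow_id":99,"in_iface":"vtnet3",'
    '"event_type":"alert","src_ip":"10.95.95.12","src_port":51000,"dest_ip":"10.95.95.1",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":1000001,"rev":1,"signature":"Constructed test signature",'
    '"category":"Example","severity":2}}',
    'pfsense.martin.domain suricata[83950]: {"timestamp":"2024-07-01T14:35:51.889510+0000",'
    '"event_type":"dns"}',
]


def decode_json(line: str) -> Optional[dict]:
    """Model of the json decoder: the entire log line must be one JSON object."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects to dotted names; decoded values are kept as strings."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = str(value)
    return out


def rule_matches(rule: dict, fields: dict) -> bool:
    """Every <field> in the rule must exist and match its pattern."""
    return all(
        name in fields and re.search(pattern, fields[name]) is not None
        for name, pattern in rule["fields"].items()
    )


def render(description: str, fields: dict) -> str:
    """Expand $(field) placeholders the way a rule <description> does."""
    return re.sub(r"\$\(([^)]+)\)",
                  lambda m: fields.get(m.group(1), m.group(0)), description)


def evaluate(line: str) -> Optional[dict]:
    """Return the deepest matching rule for one log line, or None if no rule fires."""
    obj = decode_json(line)
    if obj is None:
        return None  # not JSON: the json decoder never fires, so no json rule runs
    fields = flatten(obj)
    matched = None
    for rule in RULES:  # simplified ordering: parents before their children
        if rule["if_sid"] is None:
            if rule["decoded_as"] != "json":
                continue
        elif matched is None or matched["id"] != rule["if_sid"]:
            continue  # child rule is only tried after its parent matched
        if rule_matches(rule, fields):
            matched = rule
    if matched is None:
        return None
    return {
        "rule_id": matched["id"],
        "level": matched["level"],
        "description": render(matched["description"], fields),
        "alert": matched["level"] >= ALERT_THRESHOLD,
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(evaluate(sample))
```

Run as-is, the DNS line stops at the level-0 parent rule (no alert), the alert line reaches the level-5 child and renders the signature and addresses, and the syslog-prefixed line is rejected before any rule is evaluated; on a real manager the same three cases can be checked against the shipped rules with /var/ossec/bin/wazuh-logtest.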
