Ask about snort and OwlH

[Daniel Hinojo]

Good evening Dear, please if you could help me by telling me if the snort and OwlH is already integrated in the Wazuh 4.0, if so I would like to know if you have to activate something else or integrate I have not found much information on the internet. Thanks for the support

[jose antonio izquierdo lopez]

Hi Daniel, 

We are working on that integration, it should happen by end of the year. Anyway, right now OwlH can be integrated with Wazuh. In OwlH we do provide Suricata and Zeek support, Snort is on the roadmap, but there is no ETA for release. 

Happy to help and discuss your integration with wazuh needs. Also, if you did not join yet, feel free to be part of our OwlH Slack

Thanks 

Jose Antonio Izquierdo 

jizqu...@owlh.net

jizqu...@wazuh.com

[Daniel Hinojo]

Thank you very much for your answer, so would you have to first install an owlh server and then do the integration? And how would I do it, is there documentation on that?

[jose antonio izquierdo lopez]

Hi Daniel, 

Owlh deploys multiple components: OwlH Node (where suricata and zeek will run), OwlH Master, and UI. 

• if you are going to have a single point of analysis then you can run an all-in-one installation 
• If you have a distributed deployment with. multiple analysis points then you will deploy OwlH Nodes as needed and a central Master and UI
• After that, you will integrate with your Wazuh infrastructure. 

Here you have multiple ways to run this deployment and integration. Ping me if you need any help. 

Thanks, 

Jose Antonio Izquierdo

jizqu...@owlh.net

jizqu...@wazuh.com

[Daniel Hinojo]

Buenas noches José, Gracias por el soporte que actualmente tengo versión 4.1 de Wazuh, ¿el Snort o Búho ya está integrado? . Estaba tratando de entrar en el enlace que me envió, pero aparentemente el enlace está abajo  

[Jose Antonio Izquierdo]

Hi Daniel, 

To join slack use this link - join OwlH slack. Invitation links are valid for a time period, sorry. 

About integration, OwlH right now support Suricata and Zeek as NIDS solutions we can manage. Snort is not supported yet. 

Happy help with your 4.1 integration. Just ping me. 

Thanks a lot. 

Jose Antonio Izquierdo 

jizqu...@owlh.net

jizqu...@wazuh.com

[Daniel Hinojo]

Thanks for your reply, a query: Wazuh 4.1 doesn't have its own IDS module?  

[Jose Antonio Izquierdo]

Hi Daniel, no at this point. 

Wazuh relays on Suricata, Zeek, Snort nids solutions integration. You can choose integrate them to Wazuh or with Suricata and Zeek you can use OwlH to help you integrating and managing.

Hope this helps.  

[Daniel Hinojo]

Good morning Dear, I was looking for information regarding the configuration of interfaces of communication equipment such as switches, router, AP with OwlH but I cannot find it, is it possible to do it?

[Jose Antonio Izquierdo]

Hi Daniel, 

In your OwlH Node you must/should use a different interface for sniffing than management, I suppose you have this config. 

About performance configuration. for less than 1G mostly physical interfaces will work properly, for 10G this should help a bit 

sysctl -w net.core.optmem_max=134217728

sysctl -w net.core.rmem_max=134217728

sysctl -w net.core.wmem_max=134217728

sysctl -w net.ipv4.tcp_rmem='4096 87380 134217728'

sysctl -w net.ipv4.tcp_wmem='4096 65536 134217728'

sysctl -w net.core.netdev_max_backlog=300000

sysctl -w net.ipv4.tcp_moderate_rcvbuf=1

sysctl -w net.ipv4.tcp_no_metrics_save=1

sysctl -w net.ipv4.tcp_congestion_control=htcp

sysctl -w net.ipv4.tcp_mtu_probing=1

anyway, interface fine tuning is something you should do and will vary depending on Physical vs Virtual or traffic bandwidth.

If you have some specific scenario let me know. 

Thanks