Re: Network IDS integration with Suricata


Dhananjay Nagwan
Jan 6, 2023, 9:33:47 AM
to Wazuh mailing list
Hi Wenderfirmino,

Thank you for using Wazuh.

If you are not receiving alerts on the Wazuh server, please make sure your agent is connected, the configuration in /etc/suricata/suricata.yaml is correct, and you are installing Suricata on the Ubuntu endpoint/Wazuh agent.

HOME_NET: "<UBUNTU_IP>"   # your Ubuntu endpoint IP address
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules

rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: no

# Linux high speed capture support
af-packet:
  - interface: enp0s3

"interface" represents the network interface you want to monitor. Replace the value with the interface name of the Ubuntu endpoint, for example enp0s3; on Ubuntu it might be eth0.

You can check it with "ip a" or "ip add".

Use "ifconfig" to check the output shown in the image below:

After checking "ifconfig", restart the Suricata service using "sudo systemctl restart suricata".

Wazuh automatically parses data from /var/log/suricata/eve.json and generates related alerts on the Wazuh dashboard.

You can Ping the Ubuntu endpoint IP address from the Wazuh server:  ping -c 20 "<UBUNTU_IP>"

After a successful ping, you will receive alerts as shown in the image below:
On Friday, January 6, 2023 at 4:45:55 PM UTC+5:30 wenderf...@gmail.com wrote:
Hi,
I installed Wazuh version 4.3 using the quick start option. I want to integrate it with Suricata, so I followed the official documentation (https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html). Suricata is already receiving the logs in /var/log/suricata/eve.json and the configuration was made in ossec.conf to also send these logs, but the Wazuh server doesn't show them in security events. I don't know what's missing; I don't know if it's necessary to enable the JSON decoder or some configuration. I'm new to Wazuh and I'm still learning. Thanks :)
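A small troubleshooting helper for the checks discussed in this reply, added here as an example and not part of the original thread or of Wazuh's own code: it parses eve.json lines (skipping malformed ones), counts the event_type "alert" records that the ping test is meant to produce, and verifies that ossec.conf contains a <localfile> block reading eve.json with log_format json, which is the block the linked Wazuh guide configures. The eve.json events, the signature text and the ossec.conf fragment below are constructed sample data.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample eve.json content (one JSON object per line, as Suricata writes it),
# with one deliberately broken line to show that malformed records are skipped.
SAMPLE_EVE = """\
{"timestamp":"2023-01-06T09:30:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP","alert":{"signature_id":2100366,"signature":"GPL ICMP_INFO PING *NIX","severity":3}}
{"timestamp":"2023-01-06T09:30:01.100000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP"}
this line is not JSON
{"timestamp":"2023-01-06T09:30:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP","alert":{"signature_id":2100366,"signature":"GPL ICMP_INFO PING *NIX","severity":3}}
"""

# Constructed ossec.conf fragment with the <localfile> block the Wazuh guide asks for.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>"""

def parse_eve(text):
    """Parse eve.json lines; return (events, number_of_malformed_lines)."""
    events, bad = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad

def alert_summary(events):
    """Count event_type 'alert' records per signature: these are what the ping test should produce."""
    return Counter(e["alert"]["signature"] for e in events if e.get("event_type") == "alert")

def ossec_collects_eve(conf_text, path="/var/log/suricata/eve.json"):
    """True if some <localfile> block reads `path` with log_format json."""
    # ossec.conf may contain several top-level <ossec_config> elements, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return any((lf.findtext("log_format") or "").strip() == "json"
               and (lf.findtext("location") or "").strip() == path
               for lf in root.iter("localfile"))

if __name__ == "__main__":
    events, bad = parse_eve(SAMPLE_EVE)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    for sig, n in alert_summary(events).items():
        print(f"{n:>3}  {sig}")
    print("ossec.conf collects eve.json:", ossec_collects_eve(SAMPLE_OSSEC_CONF))
```

To run it against a live agent, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json and SAMPLE_OSSEC_CONF with the agent's ossec.conf; no alert records in eve.json points at the Suricata side (HOME_NET, interface, rules), while a missing localfile block points at the Wazuh side.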

kavin selvan
May 9, 2023, 4:01:39 AM
to Wazuh mailing list
For the step "You can ping the Ubuntu endpoint IP address from the Wazuh server: ping -c 20 "<UBUNTU_IP>"", does it work in the Wazuh Cloud console (free trial)? I couldn't find a CLI to run the command.
Thank you
