Wazuh URLHAUS


Allan Patrick

Sep 27, 2022, 9:10:40 PM
to Wazuh mailing list
Hello. I use Wazuh 4.3.8 with great results, with custom rules. On
clients I'm using Suricata.

Resource usage:

https://wazuh.com/blog/detecting-malicious-urls-using-wazuh-and-urlhaus/

Can it cause slow query access on the client or slow results for internet
access? Is it necessary to customize extra policies in Suricata?

I accept suggestions for other integrations.

Thanks.

Damian Nicastro

Sep 28, 2022, 4:11:45 PM
to Wazuh mailing list
Hello allanpatrickk:

I hope you are fine.
Suricata is a NIDS (Network Intrusion Detection System) solution, which is open source and can be quickly deployed either on dedicated hardware for monitoring one or more transit points on your network, or directly on existing Unix-like hosts to monitor just their own network traffic. Because Suricata is capable of generating JSON logs of NIDS events, it can be easily integrated with Wazuh.
In the link below, you can see detailed instructions to use Suricata to catch suspicious traffic and get the Alerts in Wazuh:

This can be done with the default rules existing in Suricata. If you want to trigger alerts in Wazuh when Suricata detects some traffic slowness, you need to check first if some event is logged in Suricata (/var/log/suricata/eve.json). If nothing is found there, you have to create some rules in Suricata to generate some event that can be read by the Wazuh agent. To create rules in Suricata, please go over the Suricata manual here:
6. Suricata Rules — Suricata 6.0.0 documentation

Once you have the proper events generated in the Suricata log, those can be sent by the Wazuh agent installed on the Suricata clients to the Wazuh manager. Since these events are new, no rule will match them to eventually be fired and trigger an alert in the Wazuh dashboard. For that, you will need to create new custom rules in the Wazuh manager. For this, please follow this documentation:
Custom rules and decoders - Ruleset · Wazuh documentation

Please keep in mind that no new decoder is needed because the Suricata logs can be generated in JSON format. You can also create your new Suricata rules using the default Suricata ruleset present here:
wazuh/0475-suricata_rules.xml at master · wazuh/wazuh (github.com)

I hope this helps.
Thanks
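As an added example (not part of this thread, and not Wazuh's own shipped ruleset), here are the two pieces of configuration the reply above describes: the agent-side `<localfile>` block that tails Suricata's `eve.json` as JSON, and manager-side custom rules that match the decoded JSON fields of an alert event raised by a locally written Suricata signature. The rule ids 100100 and 100101, the group name `local`, the `LOCAL ` signature prefix and the sample eve.json line in the comment are all assumptions/constructed values; rule 86601 is the existing alert rule from `0475-suricata_rules.xml`.

```xml
<!-- Added example, not from the thread. Assumptions: Suricata writes EVE JSON
     to /var/log/suricata/eve.json on the agent host; rule ids 100100-100101
     are unused in the custom range (>= 100000); locally written Suricata
     signatures carry a "LOCAL " prefix in their msg. -->

<!-- 1. Agent side, /var/ossec/etc/ossec.conf: read eve.json as JSON so the
     built-in JSON decoder fills fields such as event_type, src_ip, dest_ip
     and alert.signature. No custom decoder is needed. -->
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

<!-- 2. Manager side, /var/ossec/etc/rules/local_rules.xml. Wazuh's shipped
     Suricata rules already fire rule 86601 for any event_type "alert", so the
     rules below chain off it with if_sid instead of duplicating it. -->
<group name="suricata,local,">

  <!-- Constructed sample eve.json line the rules below are written against:
       {"timestamp":"2022-09-28T10:00:00.000000+0000","event_type":"alert",
        "src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP",
        "alert":{"signature":"LOCAL suspicious URL","severity":1,
                 "signature_id":1000001}}
       Nested keys are addressed with dots, e.g. alert.signature. -->

  <!-- Any alert produced by a locally written Suricata signature. -->
  <rule id="100100" level="7">
    <if_sid>86601</if_sid>
    <field name="alert.signature">^LOCAL </field>
    <description>Suricata local signature hit: $(alert.signature), $(src_ip) to $(dest_ip)</description>
    <group>local_signature,</group>
  </rule>

  <!-- Escalate when Suricata marks the alert severity 1 (its highest). -->
  <rule id="100101" level="12">
    <if_sid>100100</if_sid>
    <field name="alert.severity">^1$</field>
    <description>Suricata local signature, severity 1: $(alert.signature), $(src_ip) to $(dest_ip)</description>
    <group>local_signature,</group>
  </rule>
</group>
```

After saving the rules, restart the manager and paste the sample line into `/var/ossec/bin/wazuh-logtest` on the manager: it should report rule 100101 (level 12) for the constructed event, and rule 100100 (level 7) if `severity` is changed to 2 or 3. Keeping the parent rule chained to 86601 means Wazuh's default Suricata grouping and the `no_full_log` handling of the shipped rules still apply to your alerts.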