Hi Syed,
The Proof of Concept document is to show and test different capabilities use cases with a specific system.
If you are asking whether those sections are capabilities that Wazuh can handle on a Windows system, the answer is that it can, but some settings might change from one system to another.
For example, you can monitor Windows processes and alert for an unauthorized process by following this document. Related to the Network IDS integration, the main differences between doing this process on a Windows machine rather than the shown Ubuntu endpoint are the installation process and paths you need to monitor.
To install Suricata on a Windows machine, you have to do the following:
- Install Suricata on the Windows endpoint: https://suricata.io/download/
- Once you have successfully installed Suricata, create a folder with your configurations, rules, and test captures. Note that this folder is C:\Suricata. You need to create the folders log, rules, and projects in that folder. In the Rules folder, you must copy the contents of the rules folder to the Suricata program’s directory. threshold.config is an empty file. suricata.yaml is a copy of the suricata.yaml found in the Suricata application folder.
- Install WinPcap, as it is required for Suricata to function on a Windows machine: https://www.winpcap.org/
- Download the Emerging Threats rules. Then extract the files from the rules folder to the C:\Suricata\rules folder you created previously.
- With the installation done, add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent. This allows the Wazuh agent to read the Suricata log file:
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>C:\Suricata\log\eve.json</location>
  </localfile>
</ossec_config>
- Restart the agent.
With this, you should have Suricata working on your Windows machine, and the Wazuh agent will be able to read the Suricata log file. For a more thorough guide on how to install Suricata, you can follow this link.
These are two examples related to the capabilities which you might check on the Windows side.
Let us know how this works for you.
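The steps above, collected into one PowerShell script as an added example (this is not code from the original post or from the Wazuh project). It assumes Suricata is already installed, that the Emerging Threats archive has been extracted to C:\Temp\emerging-rules (a placeholder path), that the shipped suricata.yaml lives under C:\Program Files\Suricata (assumed install path), and that the Wazuh agent's Windows service is named "wazuh" (check with Get-Service if yours differs). Run it from an elevated PowerShell, since it writes under Program Files.

```powershell
# Added example: Suricata folder layout + Wazuh agent localfile registration on Windows.
# Assumptions (not from the original post): install path, rules extraction path,
# and the Wazuh service name below.

$SuricataRoot    = 'C:\Suricata'
$SuricataInstall = 'C:\Program Files\Suricata'          # assumed Suricata install path
$RulesSource     = 'C:\Temp\emerging-rules\rules'       # placeholder: where the ET archive was extracted
$OssecConf       = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$AgentLog        = 'C:\Program Files (x86)\ossec-agent\ossec.log'   # assumed agent log path
$EveLog          = Join-Path $SuricataRoot 'log\eve.json'

# 1. Folder layout: log, rules and projects under C:\Suricata
foreach ($sub in 'log', 'rules', 'projects') {
    $dir = Join-Path $SuricataRoot $sub
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# 2. Empty threshold.config and a copy of the shipped suricata.yaml
$threshold = Join-Path $SuricataRoot 'threshold.config'
if (-not (Test-Path $threshold)) { New-Item -ItemType File -Path $threshold | Out-Null }
Copy-Item -Path (Join-Path $SuricataInstall 'suricata.yaml') -Destination $SuricataRoot -Force

# 3. Emerging Threats rules into C:\Suricata\rules
Copy-Item -Path (Join-Path $RulesSource '*.rules') -Destination (Join-Path $SuricataRoot 'rules') -Force

# 4. Register eve.json with the Wazuh agent. The check makes the step idempotent:
#    re-running the script does not append a second <localfile> block.
$localfile = @"
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>$EveLog</location>
  </localfile>
</ossec_config>
"@
if (-not (Select-String -Path $OssecConf -Pattern ([regex]::Escape($EveLog)) -Quiet)) {
    Add-Content -Path $OssecConf -Value $localfile
    Write-Host "Added localfile entry for $EveLog to ossec.conf"
} else {
    Write-Host "ossec.conf already monitors $EveLog"
}

# 5. Restart the agent so it picks up the new localfile (service name is an assumption)
Restart-Service -Name wazuh

# 6. Check: once Suricata has written eve.json, the agent log should mention it
Get-Content -Path $AgentLog -Tail 20 | Select-String 'eve.json'
```

The `Select-String` guard before `Add-Content` is the part worth keeping even if you apply the rest by hand: ossec.conf accepts more than one top-level `<ossec_config>` block, so appending is valid, but duplicating the same `<localfile>` entry on repeated runs produces duplicate log reads. If eve.json is not picked up after the restart, confirm the path in `<location>` matches the `eve-log` output path in your suricata.yaml before looking anywhere else.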