Suricata integration with Wazuh server


shiyas s

Jan 6, 2025, 11:09:44 PM
to Wazuh | Mailing List
Hi,
Could anyone guide me on how I can integrate Suricata with the Wazuh server? I am using version 4.9.2 and planning to install Suricata on the same Wazuh server to monitor network intrusion detection.

Thanks.

Md. Nazmur Sakib

Jan 6, 2025, 11:41:01 PM
to Wazuh | Mailing List

Hi Shiyas,


First, install and configure Suricata on the Wazuh manager's server to detect network intrusions:
https://docs.suricata.io/en/latest/install.html
https://docs.suricata.io/en/latest/

You can forward the logs from Suricata to the Wazuh manager. The EVE output from Suricata writes alerts, anomalies, metadata, file info and protocol-specific records as JSON. If you want to forward the eve.json log to the Wazuh manager, the configuration will look something like this:

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>


Read this document to learn more about <localfile> configuration.
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html


Next, you might need to write decoders and rules to trigger alerts from these logs. Check this document for writing decoders and rules:

https://documentation.wazuh.com/current/user-manual/ruleset/index.html


You can also check these documents on Suricata for monitoring endpoint network-based attacks:


https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html


https://wazuh.com/blog/responding-to-network-attacks-with-suricata-and-wazuh-xdr/

I hope you find this information useful.
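As an added example that is not part of the reply or of Wazuh's own code, the following script shows what the Wazuh manager has to decode once eve.json is forwarded with log_format json: it parses a few constructed EVE records, flattens the nested objects into the dotted field names (alert.signature, dns.rrname) that Wazuh's JSON decoder exposes to custom rules, skips a truncated line the way a tail of a live file must, and keeps only alerts at a chosen severity. The sample records and the signature id are constructed, not captured from a sensor.

```python
import json

# Constructed sample eve.json lines (not captured from a real sensor): an alert, a DNS
# record, and a truncated line of the kind a file being written incrementally can contain.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-01-07T14:20:01.123456+0300","event_type":"alert",'
    '"src_ip":"10.0.0.25","src_port":51234,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL SSH login attempt (sample)","category":"Attempted Administrator Privilege Gain","severity":1}}',
    '{"timestamp":"2025-01-07T14:20:02.000000+0300","event_type":"dns",'
    '"src_ip":"10.0.0.25","dest_ip":"10.0.0.1","proto":"UDP",'
    '"dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2025-01-07T14:20:03.000000+0300","event_type":"alert"',
]


def flatten(obj, prefix=""):
    """Flatten nested JSON objects into dotted keys (alert.signature, dns.rrname, ...)."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def parse_eve(lines):
    """Parse EVE lines into flat records; count and skip malformed lines instead of aborting."""
    records, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(flatten(json.loads(line)))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def alert_summaries(records, max_severity=2):
    """Keep alert events whose severity is max_severity or more urgent.

    Suricata severity starts at 1 for the most urgent class, so lower means more urgent."""
    fields = ("timestamp", "src_ip", "dest_ip", "dest_port", "alert.signature", "alert.severity")
    return [
        {f: r.get(f) for f in fields}
        for r in records
        if r.get("event_type") == "alert" and r.get("alert.severity", 4) <= max_severity
    ]
```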

shiyas s

Jan 7, 2025, 6:35:12 AM
to Md. Nazmur Sakib, Wazuh | Mailing List

Dear,
Many thanks for your reply. During the installation and integration of Suricata I am facing some issues. The Suricata status is failed, and some errors are coming; I have attached all of them. Could you please guide me?


root@SEP-WAZUH:~# sudo systemctl status suricata
× suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2025-01-07 14:06:29 +03; 1min 8s ago
   Duration: 22ms
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata.io/documentation/
    Process: 72063 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 72064 (code=exited, status=1/FAILURE)
        CPU: 103ms

Jan 07 14:06:29 SEP-WAZUH systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
Jan 07 14:06:29 SEP-WAZUH systemd[1]: suricata.service: Start request repeated too quickly.
Jan 07 14:06:29 SEP-WAZUH systemd[1]: suricata.service: Failed with result 'exit-code'.
Jan 07 14:06:29 SEP-WAZUH systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
root@SEP-WAZUH:~# sudo nano /etc/suricata/suricata.yaml
root@SEP-WAZUH:~# sudo systemctl restart suricata
root@SEP-WAZUH:~# sudo systemctl status suricata
× suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2025-01-07 14:08:41 +03; 3s ago
   Duration: 22ms
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata.io/documentation/
    Process: 72130 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 72131 (code=exited, status=1/FAILURE)
        CPU: 101ms

Jan 07 14:08:41 SEP-WAZUH systemd[1]: suricata.service: Scheduled restart job, restart counter is at 5.
Jan 07 14:08:41 SEP-WAZUH systemd[1]: suricata.service: Start request repeated too quickly.
Jan 07 14:08:41 SEP-WAZUH systemd[1]: suricata.service: Failed with result 'exit-code'.
Jan 07 14:08:41 SEP-WAZUH systemd[1]: Failed to start suricata.service - Suricata IDS/IDP daemon.
root@SEP-WAZUH:~# sudo tail -f /var/log/suricata/suricata.log
[72125 - Suricata-Main] 2025-01-07 14:08:41 Info: ioctl: enp0s25: MTU 1500
[72126 - Suricata-Main] 2025-01-07 14:08:41 Info: logopenfile: fast output device (regular) initialized: fast.log
[72126 - Suricata-Main] 2025-01-07 14:08:41 Error: output-json: Invalid JSON output option: json
[72130 - Suricata-Main] 2025-01-07 14:08:41 Notice: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode
[72130 - Suricata-Main] 2025-01-07 14:08:41 Info: cpu: CPUs/cores online: 4
[72130 - Suricata-Main] 2025-01-07 14:08:41 Info: suricata: Setting engine mode to IDS mode by default
[72130 - Suricata-Main] 2025-01-07 14:08:41 Info: exception-policy: master exception-policy set to: auto
[72130 - Suricata-Main] 2025-01-07 14:08:41 Info: ioctl: enp0s25: MTU 1500
[72131 - Suricata-Main] 2025-01-07 14:08:41 Info: logopenfile: fast output device (regular) initialized: fast.log
[72131 - Suricata-Main] 2025-01-07 14:08:41 Error: output-json: Invalid JSON output option: json


Configuration for Suricata (sudo nano /etc/suricata/suricata.yaml):

  - eve-log:
      enabled: yes
      filetype: json
      filename: /var/log/suricata/eve.json
      types:
        - alert
        - dns
        - http
        - tls
        - ssh
        - stats
        - fileinfo
        - anomaly

Thanks & regards
SHIYAS
: 00966549184899



Md. Nazmur Sakib

Jan 17, 2025, 2:25:41 AM
to Wazuh | Mailing List

Hi Shiyas,

Sorry for the late response.

Please configure your Suricata configuration following this document:
https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html



Modify Suricata settings in the /etc/suricata/suricata.yaml file and set the following variables:

HOME_NET: "<UBUNTU_IP>"
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: yes

# Linux high speed capture support
af-packet:
  - interface: enp0s3

- interface represents the network interface you want to monitor. Replace the value with the interface name of the Ubuntu endpoint.

And restart the service.


sudo systemctl restart suricata

If this doesn't solve the issue, you can check suricata.log for a potential hint:

cat /var/log/suricata/suricata.log

Let me know if you need any further assistance.
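To make the "check suricata.log for a hint" step repeatable, here is an added example (not part of this reply and not a Suricata or Wazuh tool) that parses the suricata.log lines quoted earlier in the thread, collapses the repeated Error entries that each restart adds, and validates the eve-log filetype: Suricata only accepts regular, syslog, unix_dgram, unix_stream or redis there, which is why the filetype: json in the posted configuration produces "Invalid JSON output option: json". The log and YAML samples below are constructed from the fragments posted above.

```python
import re

# suricata.log line format: "[<pid> - <thread>] <date> <time> <Level>: <module>: <message>"
LOG_LINE = re.compile(
    r"^\[(?P<pid>\d+) - (?P<thread>[^\]]+)\] (?P<ts>\S+ \S+) "
    r"(?P<level>\w+): (?P<module>[\w-]+): (?P<msg>.*)$"
)

# eve-log filetype values Suricata accepts (listed in the stock suricata.yaml comments).
VALID_EVE_FILETYPES = {"regular", "syslog", "unix_dgram", "unix_stream", "redis"}

# Constructed subset of the suricata.log output quoted earlier in the thread.
SAMPLE_LOG = """\
[72126 - Suricata-Main] 2025-01-07 14:08:41 Info: logopenfile: fast output device (regular) initialized: fast.log
[72126 - Suricata-Main] 2025-01-07 14:08:41 Error: output-json: Invalid JSON output option: json
[72130 - Suricata-Main] 2025-01-07 14:08:41 Notice: suricata: This is Suricata version 7.0.3 RELEASE running in SYSTEM mode
[72131 - Suricata-Main] 2025-01-07 14:08:41 Error: output-json: Invalid JSON output option: json
"""

# Constructed eve-log fragment matching the one posted above (the value that fails).
SAMPLE_YAML = """\
  - eve-log:
      enabled: yes
      filetype: json
      filename: /var/log/suricata/eve.json
"""


def parse_log(text):
    """Parse suricata.log lines into dicts; lines that do not match the format are ignored."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def unique_errors(entries):
    """Distinct Error entries as (module, message) in first-seen order; restart repeats collapse."""
    seen = []
    for e in entries:
        pair = (e["module"], e["msg"])
        if e["level"] == "Error" and pair not in seen:
            seen.append(pair)
    return seen


def check_eve_filetype(yaml_text):
    """Return (value, verdict) for the first filetype after eve-log; omitted means regular."""
    m = re.search(r"eve-log:.*?^\s*filetype:\s*(\S+)", yaml_text, re.M | re.S)
    if not m:
        return None, "ok (no filetype set, Suricata defaults to regular)"
    value = m.group(1)
    if value in VALID_EVE_FILETYPES:
        return value, "ok"
    return value, "invalid: use 'regular' for a file tailed by the Wazuh <localfile> block"
```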

shiyas s

Jan 19, 2025, 3:18:44 AM
to Md. Nazmur Sakib, Wazuh | Mailing List
Hi Nazmur,
I checked this document for the Ubuntu endpoint. Do you have any documents for Windows endpoints? My endpoints are Windows PCs.

Thanks & regards
SHIYAS
: 00966549184899

Md. Nazmur Sakib

Jan 20, 2025, 7:24:33 AM
to Wazuh | Mailing List

We do not have any reference document for the Suricata configuration for Windows.

Based on the Suricata documentation, you can install and configure it on a Windows machine as well:

https://suricata.io/download/
https://suricata.io/documentation/


After configuring Suricata, you can install an agent on the Windows endpoint and configure <localfile> with the eve.json file path to forward the Suricata logs to Wazuh:

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html


Next, you might need to write custom rules to trigger alerts:

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html

https://documentation.wazuh.com/current/user-manual/ruleset/index.html

I hope you find this information useful.
