I want to integrate Suricata with Wazuh


Le Sok

Jan 9, 2024, 8:33:20 PM1/9/24
to Wazuh | Mailing List
Hello team,
If I want to integrate Suricata with Wazuh, should I install Suricata and Wazuh on one server, or separate them into one Suricata server and one Wazuh server?
And what are the next steps for me to take after setting up Suricata and Wazuh?
Best regards,

Pacome Kemkeu

Jan 9, 2024, 9:00:39 PM1/9/24
to Wazuh | Mailing List
Hello,

You can follow the instructions in this PoC guide (Network IDS integration), which shows you how to monitor the network traffic on an endpoint using Suricata and Wazuh.

1. You need:
  • a Wazuh server
  • a separate endpoint on which you install the Wazuh agent and Suricata

2. After installing Wazuh and Suricata, the next steps consist of:
  • Download and extract the Emerging Threats Suricata ruleset.
  • Modify Suricata settings in the /etc/suricata/suricata.yaml file to suit your environment.
  • Configure the Wazuh agent to collect Suricata logs from the /var/log/suricata/eve.json log file.
You will find all the detailed instructions, commands and configurations to use in the link provided above. Kindly take a close look at it.

Additionally, you can find in these other blog posts extended use cases of Suricata integration with Wazuh that might interest you:

Let me know if this answers your questions.
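The third step above (pointing the Wazuh agent at eve.json) is the one people most often get wrong, so here is a worked example of it. This is an added example, not code from the thread or from the Wazuh PoC guide: a small POSIX shell script that inserts the <localfile> collector block into an agent's ossec.conf idempotently and verifies the result. The default paths (/var/ossec/etc/ossec.conf for the agent config, /var/log/suricata/eve.json for the Suricata EVE output) are the standard locations and are assumptions you can override via environment variables.

```shell
#!/bin/sh
# Added example (not from the original thread or the Wazuh project):
# register Suricata's eve.json with a Wazuh agent by adding a <localfile>
# block to ossec.conf, without duplicating it on repeated runs.
# Assumed defaults: standard Wazuh agent config path and the Suricata
# EVE log path named in the thread. Override with OSSEC_CONF / EVE_JSON.

OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
EVE_JSON="${EVE_JSON:-/var/log/suricata/eve.json}"

# Return 0 if the config already has a collector for the given eve.json path.
has_eve_localfile() {
    conf="$1"; eve="$2"
    grep -q "<location>${eve}</location>" "$conf"
}

# Insert the <localfile> block just before the closing </ossec_config>.
# log_format must be "json": the agent then ships each EVE record as a
# structured JSON event, which the server-side Suricata rules decode.
add_eve_localfile() {
    conf="$1"; eve="$2"
    if has_eve_localfile "$conf" "$eve"; then
        echo "already configured: $eve in $conf"
        return 0
    fi
    # Build the new file in a temp location so a failed write can never
    # leave ossec.conf truncated.
    tmp="$(mktemp)" || return 1
    awk -v eve="$eve" '
        /<\/ossec_config>/ && !done {
            print "  <localfile>"
            print "    <log_format>json</log_format>"
            print "    <location>" eve "</location>"
            print "  </localfile>"
            done = 1
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (keeps the original owner and mode of ossec.conf).
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# How many collectors reference this eve.json path (should be exactly 1).
count_eve_localfile() {
    grep -c "<location>${2}</location>" "$1"
}

# Usage, as root on the endpoint that runs Suricata and the Wazuh agent:
#   add_eve_localfile "$OSSEC_CONF" "$EVE_JSON" && systemctl restart wazuh-agent
```

Run it once per agent and restart the agent; the idempotence check means you can safely include it in a provisioning script that runs on every deploy. The script only edits the agent side; Suricata's own eve-log output still has to be enabled in /etc/suricata/suricata.yaml as the PoC guide describes.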

Le Sok

Jan 9, 2024, 9:04:05 PM1/9/24
to Wazuh | Mailing List
So I need to configure Suricata on ossec for all Wazuh agents?

Pacome Kemkeu

Jan 9, 2024, 10:56:25 PM1/9/24
to Wazuh | Mailing List
In an ideal case, if you want to have an accurate and holistic view of the network traffic for each endpoint in your infrastructure, I recommend you do so.

Note that there are different ways to deploy Suricata. It all depends on your infrastructure and requirements.
Take a look at the 2 scenarios in the pictures below (taken from the Suricata official documentation).

Scenario 1: Traffic that passes your computer
[image: IPtables.png]
Scenario 2: Traffic that is generated by your computer.
[image: iptables1.png]
In the PoC guide I provided, we implemented Scenario 2, which is the recommended

You can also implement Scenario 1 and follow the same steps to integrate Suricata logs into Wazuh. However, in this case, you'll have to monitor logs from network interfaces in /var/log/suricata/fast.log. The downside here is that, as opposed to eve.json, the level of detail provided by /var/log/suricata/fast.log does not include nearly all of the key-value information needed for integration with a SIEM and Enterprise Security.