Network monitoring


alas

Nov 29, 2022, 8:54:27 AM
to Wazuh mailing list
Hi, 

Can't find any good info on how to set up network monitoring for your clients. Maybe DNS queries. Not sure if it is possible with Wazuh, but I just found this platform and wanted to ask.

Thanks for reading

alas

Nov 29, 2022, 9:06:20 AM
to Wazuh mailing list
Want to try it on a Windows 11 client.

Anthony Faruna

Nov 29, 2022, 9:08:26 AM
to alas, Wazuh mailing list
Hello Alas
Thank you for using Wazuh
There is an interesting guide about integrating Suricata with Wazuh to monitor network traffic: Catch suspicious network traffic. If you want to capture the DNS data, you should add this configuration block to /etc/suricata/suricata.yaml:
- dns-log:
    enabled: yes
    filename: dns.log
    append: yes
Then, when an alert is generated, it'll be stored in /var/log/suricata/eve.json. You need to add this file to the ossec.conf file of the agent so Wazuh can monitor it:
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
Finally, these events might not trigger any rule.

You should define your own as you can see in Custom rules and decoders.

Tell me if you need help with any of these steps.

Best Regards.

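To see what the agent's json log_format actually hands to the rule engine once eve.json is collected, here is an added example (not part of the post above and not Wazuh's or Suricata's own code) that parses constructed eve.json lines the way a line-oriented JSON collector would, skips malformed lines, picks out the DNS queries, and flattens the nested JSON into the dotted field names (dns.rrname, alert.signature) that custom rules refer to. The sample lines, addresses and signature text are constructed; how Wazuh's decoder represents arrays is not shown on the page, so the flattening of lists below is a simplification.

```python
import json

# Constructed sample of Suricata eve.json lines (not captured from a real sensor).
# Field layout follows Suricata's EVE "dns" and "alert" event types; addresses are
# from documentation ranges.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2022-11-29T08:54:27.000000+0000","event_type":"dns","src_ip":"192.0.2.10",'
    '"dest_ip":"192.0.2.1","proto":"UDP","dns":{"type":"query","id":4660,"rrname":"example.com","rrtype":"A"}}',
    '{"timestamp":"2022-11-29T08:54:27.100000+0000","event_type":"dns","src_ip":"192.0.2.1",'
    '"dest_ip":"192.0.2.10","proto":"UDP","dns":{"type":"answer","id":4660,"rrname":"example.com",'
    '"rcode":"NOERROR","answers":[{"rrname":"example.com","rrtype":"A","rdata":"198.51.100.7"}]}}',
    '{"timestamp":"2022-11-29T08:55:00.000000+0000","event_type":"alert","src_ip":"192.0.2.10",'
    '"dest_ip":"198.51.100.9","proto":"TCP","alert":{"signature":"CONSTRUCTED test signature","severity":2}}',
    'this line is truncated or not JSON and must not abort the run',
]


def parse_eve(lines):
    """Parse eve.json lines, one JSON object per line; skip anything that is not.

    A collector reading the file line by line can only forward records that
    parse, so a malformed line silently produces no event (worth knowing when
    a rule "never fires").
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys such as dns.rrname or alert.signature.

    Rules name JSON fields with this dotted notation in <field name="...">.
    Lists are kept as whole values here (simplification, see lead-in).
    """
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def dns_queries(events):
    """Return (src_ip, rrname, rrtype) for each DNS query record (answers excluded)."""
    out = []
    for ev in events:
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") != "query":
            continue
        out.append((ev.get("src_ip"), dns.get("rrname"), dns.get("rrtype")))
    return out


def event_type_counts(events):
    """Count records per EVE event_type, e.g. {"dns": 2, "alert": 1}."""
    counts = {}
    for ev in events:
        t = ev.get("event_type", "unknown")
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_eve(SAMPLE_EVE_LINES)
    print("parsed:", event_type_counts(events))
    for src, name, rtype in dns_queries(events):
        print(f"{src} asked for {name} ({rtype})")
    print("fields of first event:", sorted(flatten(events[0])))
```

Run it against a real /var/log/suricata/eve.json by replacing SAMPLE_EVE_LINES with the file's lines; the dotted names printed for a dns record are the ones a custom rule would match on.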

alas

Nov 29, 2022, 9:12:48 AM
to Wazuh mailing list
Thank you very much for the fast response haha. All new to me but will try the steps below. 

Thanks again!

Anthony Faruna

Nov 29, 2022, 9:29:41 AM
to alas, Wazuh mailing list
Hello Alas

I got your other message that you are trying it out for Windows 11, right?

To achieve this task, you have to install Sysmon on the Windows endpoint.

Follow the steps below to install sysmon on the endpoint:

1. Sysmon is downloaded from the Microsoft Sysinternals page and is installed with the configuration file sysmonconfig.xml.

2. The following command is used to install Sysmon with the downloaded configuration file via command prompt (run as administrator):

sysmon.exe -accepteula -i sysmonconfig.xml

3. Configure the agent to collect Sysmon events by adding the following settings to the agent configuration file in "C:\Program Files (x86)\ossec-agent\ossec.conf":

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>


4. Apply the changes by restarting the agent using this PowerShell command:

Restart-Service -Name wazuh


To generate an alert, you can define your own Custom rules and decoders.

See a sample rule added to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server to trigger an alert whenever a DNS query occurs:

<rule id="100010" level="5">
  <if_sid>61600</if_sid>
  <field name="win.system.eventID">^22$</field>
  <description>Sysmon - Event 22: DNS Query</description>
</rule>

Make sure to restart the Wazuh server after adding this rule.

Please let me know if you need further clarification

Best Regards
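The rule above works because of two things: rule 100010 only runs on events its parent 61600 already claimed as Sysmon events, and the regex ^22$ is anchored, so Event ID 22 matches while an ID that merely starts with 22 does not. The following added example (written for this thread, not Wazuh's rule engine or any of its code) re-implements that matching in Python over constructed decoded events. The win.system.* and win.eventdata.* key names are an assumption about how the eventchannel decoder names fields, the stand-in for parent rule 61600 is reduced to a provider check and is also an assumption, and the sample events are constructed.

```python
import re

# Constructed decoded events (not real endpoint data), shaped like the dotted
# fields an eventchannel log is decoded into: win.system.* from the event header
# and win.eventdata.* from Sysmon's event data. Exact key casing is an assumption.
SAMPLE_EVENTS = [
    {   # a Sysmon Event 22 (DNS query): should fire the custom rule
        "win.system.providerName": "Microsoft-Windows-Sysmon",
        "win.system.eventID": "22",
        "win.eventdata.image": r"C:\Windows\System32\svchost.exe",
        "win.eventdata.queryName": "example.com",
    },
    {   # Sysmon Event 1 (process creation): same provider, different ID
        "win.system.providerName": "Microsoft-Windows-Sysmon",
        "win.system.eventID": "1",
        "win.eventdata.image": r"C:\Windows\System32\notepad.exe",
    },
    {   # constructed ID starting with "22": shows why the ^ and $ anchors matter
        "win.system.providerName": "Microsoft-Windows-Sysmon",
        "win.system.eventID": "220",
    },
    {   # ID 22 from another provider: the Sysmon parent must not match
        "win.system.providerName": "Microsoft-Windows-Security-Auditing",
        "win.system.eventID": "22",
    },
]

# Stand-in for the built-in Sysmon parent rule 61600 (assumption: reduced to the
# provider check that makes it the parent of all Sysmon events).
PARENT_RULES = {
    61600: {"if_sid": None,
            "fields": {"win.system.providerName": r"^Microsoft-Windows-Sysmon$"}},
}

# The custom rule from the post, expressed as data instead of XML.
RULE_100010 = {
    "id": 100010,
    "level": 5,
    "if_sid": 61600,
    "fields": {"win.system.eventID": r"^22$"},
    "description": "Sysmon - Event 22: DNS Query",
}

RULES = {**PARENT_RULES, RULE_100010["id"]: RULE_100010}


def fields_match(rule, event):
    """Every <field name=...> pattern must match its field; anchors are honoured."""
    for name, pattern in rule["fields"].items():
        value = event.get(name)
        if value is None or not re.search(pattern, str(value)):
            return False
    return True


def rule_matches(rule_id, event):
    """A rule matches only if its if_sid parent matched first, then its own fields."""
    rule = RULES[rule_id]
    parent = rule.get("if_sid")
    if parent is not None and not rule_matches(parent, event):
        return False
    return fields_match(rule, event)


def evaluate(event):
    """Return the id of the most specific matching rule, or None."""
    if rule_matches(RULE_100010["id"], event):
        return RULE_100010["id"]
    if rule_matches(61600, event):
        return 61600
    return None


def dns_query_summary(event):
    """The fields an analyst wants from a matched Event 22: which process asked for what."""
    return {
        "image": event.get("win.eventdata.image"),
        "query": event.get("win.eventdata.queryName"),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hit = evaluate(ev)
        print(ev["win.system.providerName"], ev["win.system.eventID"], "->", hit)
        if hit == RULE_100010["id"]:
            print("   ", dns_query_summary(ev))
```

Only the first event reaches 100010; the Event 1 and "220" events stop at the parent, and the non-Sysmon event matches nothing. Dropping the anchors (pattern "22") would make the "220" event match too, which is the kind of over-broad rule that shows up as noise on the dashboard.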

alas

Nov 29, 2022, 10:05:46 AM
to Wazuh mailing list
Thanks, will do. Will keep you up to date.

the Kosmos

Dec 8, 2022, 12:08:16 PM
to Wazuh mailing list
Hi Anthony,

Tried it, but my Defender has been deleting my VM since then. And my Wazuh server isn't getting any new IP since then.

the Kosmos

Dec 8, 2022, 12:53:52 PM
to Wazuh mailing list
IP is working now. Have to recheck how to get the network logs into the Wazuh dashboard.

the Kosmos

Dec 8, 2022, 2:47:51 PM
to Wazuh mailing list
Is there a way to view HTTP requests?

the Kosmos

Dec 8, 2022, 2:52:59 PM
to Wazuh mailing list
Like the websites (URLs) the clients visit.