Network IDS integration


the Kos

Dec 9, 2022, 3:23:37 AM12/9/22
to Wazuh mailing list
Hi,

In the Wazuh guide, they only made the guide for a Linux agent. I am trying to get it to work on a Windows agent, but I can't see any Suricata alerts.

Thanks for reading

the Kos

Dec 9, 2022, 3:43:01 AM12/9/22
to Wazuh mailing list
Sorry, it's a Windows 10.

Gonzalo Membrillo Solbes

Dec 21, 2022, 5:00:27 AM12/21/22
to Wazuh mailing list
Hello,

The main differences between doing this process on a Windows machine rather than the Ubuntu endpoint shown are the installation process and the paths you need to monitor.

For the installation process of installing Suricata on a Windows machine, you need only do a few things:

  1. Install Suricata on the Windows endpoint: https://suricata.io/download/
  2. Once you have successfully installed Suricata, you should now create a folder with your configurations, rules, and test captures. Note that this folder is C:\Suricata. You need to create a folder log, rules, and projects in that folder.
  3. In the Rules folder, you must copy the contents of the Rules folder to the Suricata program’s directory. Threshold.config is an empty file. suricata.yaml is a copy of suricata.yaml found in the Suricata application list.

  4. You will then need to install WinPcap, as it is required for Suricata to function on a Windows machine: https://www.winpcap.org/

  5. Download the Emerging threat rules. Then extract the files from the rules folder to the C:\Suricata\rules folder you created previously.

  6. With the installation done, add the following configuration to the C:\Program Files (x86)\ossec-agent\ossec.conf file of the Wazuh agent. This allows the Wazuh agent to read the Suricata log file:

    <ossec_config>
      <localfile>
        <log_format>json</log_format>
        <location>C:\Suricata\log\eve.json</location>
      </localfile>
    </ossec_config>

  7. Restart the agent.

With this, you should have Suricata working on your Windows machine and the Wazuh agent will be able to read the Suricata log file. For a more thorough guide on how to install Suricata, you can follow this link.

I hope you find this helpful. Feel free to reach out to us again should you require anything.

Best regards,
Gonzalo
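The two things the steps above depend on are that ossec.conf carries a JSON <localfile> entry for C:\Suricata\log\eve.json and that Suricata is actually writing alert records there. The following Python check is an added example, not code from the post or from Wazuh; the config snippet is the one from the reply, the EVE lines are constructed, and it assumes (not stated in the post) that Wazuh's bundled Suricata rules key on records whose event_type is "alert".

```python
import json
import xml.etree.ElementTree as ET

EVE_PATH = r"C:\Suricata\log\eve.json"

# The <localfile> block from the reply, as it would sit inside ossec.conf (constructed copy).
OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>C:\\Suricata\\log\\eve.json</location>
  </localfile>
</ossec_config>"""

# Constructed EVE sample: a flow record, an alert record, and a line cut mid-write.
EVE_LINES = [
    '{"timestamp":"2022-12-09T03:23:37.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2022-12-09T03:23:38.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"CONSTRUCTED TEST RULE","severity":2}}',
    '{"timestamp":"2022-12-09T03:23:39.000000+0000","event_type":"al',
]


def localfile_entry_ok(conf_text, path=EVE_PATH):
    """True if some <localfile> uses log_format json and points at `path`.

    ossec.conf may contain several top-level <ossec_config> elements, which is
    not well-formed XML on its own, so the text is wrapped in a dummy root first.
    Path comparison is case-insensitive because Windows paths are.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip().lower()
        loc = (lf.findtext("location") or "").strip()
        if fmt == "json" and loc.lower() == path.lower():
            return True
    return False


def count_alerts(lines):
    """Return (alert_records, unparseable_lines) for a sequence of EVE lines.

    Partial lines (Suricata still writing, or a truncated copy) are counted
    rather than raising, since the agent will also just skip them.
    """
    alerts = bad = 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if event.get("event_type") == "alert":
            alerts += 1
    return alerts, bad
```

If `localfile_entry_ok` is false the agent never opens eve.json, and if `count_alerts` reports zero alerts Suricata is running but no rule has matched yet, which explains "no Suricata alerts" without any Wazuh problem.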