Hello, Fadi,
Please tell us what problems you encountered when installing Wazuh in a virtual machine. We will help you.
Also you can also use OVA or OVF to deploy if you wish.
If you need to update your OVA virtual machine, you can check out
this article. We also recommend updating the repositories using the
yum update command.
https://documentation.wazuh.com/3.7/installation-guide/upgrading/latest_wazuh3_minor.html#upgrading-latest-minor
On the other hand, Wazuh natively supports Suricata alerts. You can use Suricata to analyze your pcap files and then Wazuh will get them on the fly.
Suricata is one such NIDS solution, which is open source and can be quickly deployed either on dedicated hardware for monitoring one or more transit points on your network, or directly on existing *nix hosts to monitor just their own network traffic. Because Suricata is capable of generating JSON logs of NIDS events, it integrates perfectly with Wazuh.
Here is an example and a lab to integrate Wazuh and Suricata:
https://documentation.wazuh.com/3.10/learning-wazuh/suricata.html?highlight=suricata
Let's try a PoC using a .pcap sample of Emotet malware:
Once Suricata and Wazuh are configured to work together, you can point Suricata to analyze all the files that are in a specific folder. You can do this by using the -r parameter:
# suricata -r Downloads/pcap/ -c /etc/suricata/suricata.yaml
At the same time you can watch the Suricata log file:
# tail -n1 -f /var/log/suricata/fast.log

Then search Kibana for rule.id:86601. That is the rule that notices Suricata alerts.

Here you can check our documentation about the JSON decoder functionality:
https://documentation.wazuh.com/3.10/user-manual/ruleset/json-decoder.html?highlight=suricata
Let me know if you have any questions.
Regards
Emiliano
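As an added example (not part of the original reply and not Wazuh's or Suricata's own code), the following Python models the step between the two commands above: how Wazuh's JSON decoder flattens Suricata eve.json lines into dotted fields such as alert.signature, and how a rule keyed on event_type would pick out the alerts that rule.id:86601 shows in Kibana. The EVE lines, IPs and signature id are constructed, and the mapping to rule 86601 is an assumption drawn from the reply.

```python
import json

# Constructed Suricata EVE JSON lines, as /var/log/suricata/eve.json would hold
# after "suricata -r <pcap dir>". Addresses and the signature id are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-10-01T10:00:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2019-10-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":49152,"dest_ip":"203.0.113.7","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,'
    '"rev":1,"signature":"CONSTRUCTED TROJAN Emotet CnC checkin",'
    '"category":"A Network Trojan was detected","severity":1}}',
    'not json at all',
    '{"timestamp":"2019-10-01T10:00:02.000000+0000","event_type":"dns",'
    '"dns":{"type":"query","rrname":"example.com"}}',
]

# Assumed from the reply: the Wazuh rule that fires on Suricata alert events.
SURICATA_ALERT_RULE_ID = 86601

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys (alert.signature, dns.rrname),
    mirroring how the Wazuh JSON decoder exposes fields to rules."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out

def decode_eve_line(line):
    """Return flattened fields for a JSON object line, or None when the line
    is not JSON (the JSON decoder simply does not match such lines)."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return flatten(obj) if isinstance(obj, dict) else None

def suricata_alerts(lines):
    """Select the events a rule like 86601 would match and summarize each one."""
    hits = []
    for line in lines:
        fields = decode_eve_line(line)
        if fields is None or fields.get("event_type") != "alert":
            continue  # flow, dns and non-JSON lines never reach the alert rule
        hits.append({"rule.id": SURICATA_ALERT_RULE_ID,
                     "description": "Suricata: Alert - " + str(fields.get("alert.signature", "")),
                     "src_ip": fields.get("src_ip"), "dest_ip": fields.get("dest_ip"),
                     "severity": fields.get("alert.severity")})
    return hits

if __name__ == "__main__":
    for hit in suricata_alerts(SAMPLE_EVE_LINES):
        print(hit)
```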