No alerts for Suricata 8

82 views
Skip to first unread message

Somer Rabee

unread,
Jul 28, 2025, 6:32:09 AM7/28/25
to Wazuh | Mailing List

Hello All,

After successfully integrating Suricata with Wazuh (where the Wazuh agent reads eve.json and forwards its contents to the Wazuh manager), I am able to see alerts on the Wazuh dashboard related to the Suricata host status and other system alerts. However, I am not seeing any actual Suricata-generated alerts.

I have confirmed that the Wazuh manager is receiving the contents of eve.json, as they appear in the archive.json file.

Upon investigation, I noticed the following:

  • Wazuh does not have a dedicated decoder for Suricata logs; instead, it relies on the built-in JSON decoder.

  • Wazuh includes a Suricata rules file: 0475-suricata_rules.xml, which contains rules numbered 86600 to 86604.

  • I tested these rules using a sample JSON log included with the file, but none of the rules were triggered.

Given this, I would like to know:

Is there a way to get Suricata alerts displayed in the Wazuh dashboard using these existing rules, or would I need to define new custom rules?

Thank you in advance for your support.

Somer Rabee

unread,
Jul 28, 2025, 6:47:50 AM7/28/25
to Wazuh | Mailing List
Wazuh version is: 4.12.0

Suricata version is : 8.0.0

suricata

unread,
Jul 28, 2025, 6:50:31 AM7/28/25
to Wazuh | Mailing List
Hí, 

I think that set of rules has a level 0.

I have in etc/rules like this one that I put as an example and it works perfectly


<group name="suricata,suricata_severity2">
        <rule id="100003" level="12">
                <if_sid>86601</if_sid>
                <field name="alert.severity">2</field>
                <options>no_full_log</options>
                <description>Suricata Alert - $(alert.signature). Signature ID: $(alert.signature_id).</description>
        </rule>
</group>

Somer Rabee

unread,
Jul 28, 2025, 7:14:45 AM7/28/25
to Wazuh | Mailing List
This is the content of the "0475-suricata_rules.xml" file on my machine.
<!--
  -  Suricata rules
  -  Created by Wazuh, Inc.
  -  Copyright (C) 2015, Wazuh Inc.
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->

<!-- ID: 86600 - 86699 -->

<group name="ids,suricata,">

    <!--
    {"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"abcde","payload_printable":"hi test","stream":0,"host":"suricata.com"}
    -->
    <rule id="86600" level="0">
        <decoded_as>json</decoded_as>
        <field name="timestamp">.+</field>
        <field name="event_type">.+</field>
        <description>Suricata messages.</description>
        <options>no_full_log</options>
    </rule>

    <rule id="86601" level="3">
        <if_sid>86600</if_sid>
        <field name="event_type">^alert$</field>
<description>Suricata: Alert - $(alert.signature)</description>
        <options>no_full_log</options>
    </rule>

    <rule id="86602" level="0">
        <if_sid>86600</if_sid>
        <field name="event_type">^http$</field>
        <description>Suricata: HTTP.</description>
        <options>no_full_log</options>
    </rule>

    <rule id="86603" level="0">
        <if_sid>86600</if_sid>
        <field name="event_type">^dns$</field>
        <description>Suricata: DNS.</description>
        <options>no_full_log</options>
    </rule>

    <rule id="86604" level="0">
        <if_sid>86600</if_sid>
        <field name="event_type">^tls$</field>
        <description>Suricata: TLS.</description>
        <options>no_full_log</options>
    </rule>

</group>


When i tried the sample log provided in this file, no rule get fired, notice that rule 86601 has the level 3, so should i define new custom decoder or new custom rules or there is something missed?

Screenshot from 2025-07-28 14-09-27.png

Bony V John

unread,
Jul 28, 2025, 7:37:43 AM7/28/25
to Wazuh | Mailing List

Hi,

In Wazuh, the 0475-suricata_rules.xml file includes five default rules. Among these, only one rule (ID 86601) is configured with a rule level of 3, while the others are set to level 0. This is why you're not seeing Suricata alerts by default — only rule 86601 is designed to generate an actual alert.

Rule 86601 is triggered when the event_type field in the Suricata JSON log has the value alert. The remaining rules serve as base rules used to group Suricata events but do not raise alerts on their own.

To verify this, I tested rule 86601 using the Wazuh logtest tool with the following sample log (which is also found in the rule file), and it triggered the alert as expected:

{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"abcde","payload_printable":"hi test","stream":0,"host":"suricata.com"}

If you want to trigger alerts for other types of Suricata events, you'll need to create custom rules in Wazuh based on your use case — similar to the custom rule you mentioned (e.g., rule ID 100003). You can refer to the Wazuh rules syntax documentation to help you create those rules.

Additionally, I recommend checking out Wazuh’s official blog posts that demonstrate network attack detection using Suricata. Many of these examples include ready-to-use custom rules that you can adopt in your own deployment.

Finally, there's no need to create custom decoders for Suricata logs — Wazuh includes built-in decoders that handle Suricata JSON format out of the box. However, writing custom rules can significantly enhance your detection capabilities.

Screenshot 2025-07-28 170708.png

suricata

unread,
Jul 28, 2025, 7:44:08 AM7/28/25
to Wazuh | Mailing List
Apart from what Bony V tells you,

Try the alert I provided as an example. Add it to local_rules and see if it triggers that severity 2 alert. 

Also, since I do a lot of customization, I also disabled this rule in ruleset/rules:

<rule id="20101" level="6"> 
   <category>ids</category> 
   <check_if_ignored>srcip, id</check_if_ignored> 
   <description>IDS event.</description> 
</rule>

Somer Rabee

unread,
Jul 28, 2025, 7:50:17 AM7/28/25
to Wazuh | Mailing List

Thanks for your great reply.

I’ve already tried everything you mentioned, but unfortunately, I still haven’t had any success.

I have just one question:
Why isn't rule 86601 being triggered, even when I use the sample log provided with the rules file?
What could be the possible reason for this?

I'm using Wazuh 4.12.0

suricata

unread,
Jul 28, 2025, 8:10:27 AM7/28/25
to Wazuh | Mailing List
I would check if you actually have any alerts in your traffic. Because it should work. 
Also, test that the Wazuh server is correctly collecting the eve.json data using a <localfile>, for example: 

<localfile> 
    <log_format>json</log_format> 
    <location>/var/log/suricata/eve.json</location> 
     <restrict type="PCRE2">type:alert</restrict> 
</localfile>

Bony V John

unread,
Jul 30, 2025, 6:19:07 AM7/30/25
to Wazuh | Mailing List

Hi,

From the screenshot you shared, it appears that the JSON decoder is being used to decode the log input in the wazuh-logtest tool. However, the log is not being decoded properly by the JSON decoder.

I tested the same log on my end by copying it directly from the rule file, and it worked fine for me. The issue might be due to log formatting getting altered during copy-pasting. You can try using the correctly formatted log below and verify if it works as expected:


{"timestamp":"2016-05-02T17:46:48.515262+0000","flow_id":1234,"in_iface":"eth0","event_type":"alert","src_ip":"16.10.10.10","src_port":5555,"dest_ip":"16.10.10.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2019236,"rev":3,"signature":"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number","category":"Attempted Administrator Privilege Gain","severity":1},"payload":"abcde","payload_printable":"hi test","stream":0,"host":"suricata.com"}

When testing logs in the Wazuh Logtest tool (via the dashboard), make sure to click the “Clear session” button before running a new test. This clears any previous session data and helps ensure accurate test results.

For more reliable testing, I recommend using the command line. You can do this by following the steps below on your Wazuh Manager:

1.  Run the following command:

/var/ossec/bin/wazuh-logtest

2.  Paste the sample JSON log above and press Enter.
3.  Check whether the fields are decoded correctly and if the default rule ID 86601 is triggered.

You can refer to the Wazuh Logtest documentation for more detailed guidance.

I've also attached a screenshot of my test result, showing successful decoding and rule matching using the Wazuh Manager command-line tool.

Screenshot 2025-07-30 154835.png
Reply all
Reply to author
Forward
0 new messages