Testing Suricata with Wazuh in a VM test environment - Installation
For those interested in testing Suricata with Wazuh and ELK, you need to make sure you have the proper interface configured in the suricata.yaml config file. In my VM environment, I could not get Suricata to work because my interface was ens3 instead of eth0 or eth1. That is the only reason I am pulling down a custom config file in my installation.
 Install Suricata
 (Note: the .repo file fetched below is an EPEL 7 yum repository definition and is not read by apt; on a Debian/Ubuntu host the apt command installs the distribution's own suricata package.)
 cd /root
 apt -y install epel-release wget jq
 curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
 apt -y install suricata
 Set up custom Emerging Threats rules
 wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
 tar zxvf emerging.rules.tar.gz
 rm -f /etc/suricata/rules/*
 mv rules/*.rules /etc/suricata/rules/
 Download and copy the custom suricata.yaml config file. (Note: you will need to search and replace eth0 and eth1 if you are using a different ethernet interface. I had to change all those entries to ens3.)
 wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
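The interface mismatch described above is easy to miss because Suricata starts cleanly and simply never sees traffic. The script below is an added example, not part of the original post or of Suricata: it lists every "- interface:" entry in a suricata.yaml (af-packet, pcap and similar capture sections), compares them with the interfaces present in /sys/class/net, and can rewrite the eth0/eth1 entries to the interface you actually have (the SAMPLE config is constructed for illustration).

```python
"""Check and rewrite capture interfaces in suricata.yaml (added example)."""
import os
import re
import sys

# Matches capture entries such as "    - interface: eth0"; the special
# "default" entry is not a real interface and is ignored by the checks.
_IFACE_RE = re.compile(r"^(?P<prefix>\s*-\s*interface:\s*)(?P<name>\S+)\s*$")

# Constructed fragment of a suricata.yaml for demonstration.
SAMPLE = """af-packet:
  - interface: eth0
    cluster-id: 99
  - interface: default
pcap:
  - interface: eth1
"""


def referenced_interfaces(yaml_text):
    """Unique interface names the config captures on, in order of appearance."""
    names = []
    for line in yaml_text.splitlines():
        m = _IFACE_RE.match(line)
        if m and m.group("name") != "default" and m.group("name") not in names:
            names.append(m.group("name"))
    return names


def system_interfaces():
    """Interfaces present on this host (Linux sysfs); empty list elsewhere."""
    try:
        return sorted(os.listdir("/sys/class/net"))
    except OSError:
        return []


def missing_interfaces(yaml_text, present):
    """Configured interfaces that do not exist on the host (e.g. eth0 on an ens3 VM)."""
    return [n for n in referenced_interfaces(yaml_text) if n not in present]


def rewrite_interfaces(yaml_text, mapping):
    """Return the config with interface names replaced per mapping, e.g. {'eth0': 'ens3'}."""
    def sub(m):
        return m.group("prefix") + mapping.get(m.group("name"), m.group("name"))
    body = "\n".join(_IFACE_RE.sub(sub, line) for line in yaml_text.splitlines())
    return body + ("\n" if yaml_text.endswith("\n") else "")


if __name__ == "__main__":
    # Usage: check_ifaces.py /etc/suricata/suricata.yaml ens3
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    missing = missing_interfaces(text, system_interfaces())
    print("not present on this host:", missing or "none")
    if len(sys.argv) > 2 and missing:
        sys.stdout.write(rewrite_interfaces(text, {n: sys.argv[2] for n in missing}))
```

Running it with a second argument prints the rewritten config to stdout so you can diff it before replacing /etc/suricata/suricata.yaml.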
 Start Suricata and configure it to start at boot
 systemctl daemon-reload
 systemctl enable suricata
 systemctl start suricata
 Add the Suricata config to the Wazuh agent file. You can do this from the server or on all clients. In my automation script, I just have the clients pull down a new ossec file.
 nano /var/ossec/etc/ossec.conf
 Add the lines below to ossec.conf just above the last line (the closing </ossec_config> tag):
 <localfile>
   <log_format>json</log_format>
   <location>/var/log/suricata/eve.json</location>
 </localfile>
 The bottom of ossec.conf should now look like this:
 <localfile>
   <log_format>syslog</log_format>
   <location>/var/log/kern.log</location>
 </localfile>
 <localfile>
   <log_format>json</log_format>
   <location>/var/log/suricata/eve.json</location>
 </localfile>
 </ossec_config>
 Restart the agent and Suricata
 systemctl restart suricata
 systemctl restart wazuh-agent
 Trip Suricata (this request matches an Emerging Threats test rule) and check your alert in Wazuh
 curl http://testmyids.com
