Testing Suricata with Wazuh in a VM test environment - Installation
For those interested in testing Suricata with Wazuh and ELK, you need to make sure you have the proper interface configured in the suricata.yaml config file. In my VM environment, I could not get Suricata to work because my interface was ens3 instead of eth0 or eth1, which is the only reason I am pulling down a custom config file in my installation.
Install Suricata
  cd /root
  yum -y install epel-release wget jq
  curl -o /etc/yum.repos.d/jasonish-suricata-stable-epel-7.repo https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
  yum -y install suricata

(This is a CentOS/RHEL 7 recipe: epel-release and the jasonish COPR repo are yum repositories, and the .repo file only takes effect once it sits in /etc/yum.repos.d/.)
Setup custom emerging threat rules
  wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
  tar zxvf emerging.rules.tar.gz
  rm -f /etc/suricata/rules/*
  mv rules/*.rules /etc/suricata/rules/
Download and copy the custom suricata.yaml config file. (Note: you will need to search and replace eth0 and eth1 if you are using a different Ethernet interface. I had to change all those entries to ens3.)
  wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
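The interface mismatch above is the failure mode that silently stops Suricata from capturing anything, so it is worth scripting both the rename and the check. The helpers below are an added example, not part of the original post or of the Branch Net Consulting config: they take the YAML path (and optionally a /sys/class/net-style directory) as parameters, and the sample YAML fragment is constructed here rather than taken from the real suricata.yaml. The "interface:" line shape they match is the one used by Suricata's af-packet and pcap sections.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite the capture interface in a
# suricata.yaml and verify that every configured interface exists on the host.

# list_ifaces FILE : print each interface name configured for capture, once.
# Matches "- interface: eth0" / "interface: eth0"; commented-out lines are ignored.
list_ifaces() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*interface:[[:space:]]*\([A-Za-z0-9_.:-]*\).*$/\1/p' "$1" | sort -u
}

# set_iface FILE OLD NEW : rewrite every "interface: OLD" line to NEW.
# Written via a temp file and cat'ed back so the file's owner/mode survive
# and so it works with both GNU and BSD sed (no "sed -i" portability issue).
set_iface() {
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*-\{0,1\}[[:space:]]*interface:[[:space:]]*\)$2\([[:space:]]*\)\$/\1$3\2/" "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# missing_ifaces FILE [NETDIR] : print configured interfaces with no entry under
# NETDIR (default /sys/class/net). "default" is af-packet's catch-all entry, not
# a NIC, so it is skipped. No output means the config matches the host; any
# output is the eth0-vs-ens3 situation from the post.
missing_ifaces() {
    netdir=${2:-/sys/class/net}
    for i in $(list_ifaces "$1"); do
        [ "$i" = default ] && continue
        [ -e "$netdir/$i" ] || echo "$i"
    done
    return 0
}

# make_sample FILE : constructed suricata.yaml fragment (sample data, not the
# shipped config) carrying the eth0/eth1 entries the post talks about.
make_sample() {
    cat > "$1" <<'EOF'
af-packet:
  - interface: eth0
    cluster-id: 99
  - interface: eth1
    cluster-id: 98
  - interface: default
pcap:
  - interface: eth0
EOF
}

# Stand-alone demo: simulate a host whose only NIC is ens3.
f=$(mktemp); d=$(mktemp -d); mkdir "$d/ens3"
make_sample "$f"
echo "missing before: $(missing_ifaces "$f" "$d" | tr '\n' ' ')"
set_iface "$f" eth0 ens3
set_iface "$f" eth1 ens3
echo "missing after:  $(missing_ifaces "$f" "$d" | tr '\n' ' ')"
rm -rf "$f" "$d"
```

On a real agent, run `missing_ifaces /etc/suricata/suricata.yaml` before `systemctl start suricata`; it reads the live /sys/class/net when no second argument is given.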
Start suricata and configure it to start at boot
  systemctl daemon-reload
  systemctl enable suricata
  systemctl start suricata
Add the Suricata log source to the Wazuh agent config file. You can do this on the server or on all clients. In my automation script, I just have the clients pull down a new ossec.conf.
  nano /var/ossec/etc/ossec.conf
Add the lines below to ossec.conf, just above the last line:
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
The bottom of ossec.conf should now look like this:
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
Restart agent and suricata
  systemctl restart suricata
  systemctl restart wazuh-agent
Trip Suricata and check your alert
  curl http://testmyids.com
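Before looking for the alert in Kibana, confirm it reached /var/log/suricata/eve.json, because that file is exactly what the <localfile> entry hands to the Wazuh agent. The helpers below are an added example, not part of the original post: they count alert events and pull out their signature with grep and sed only, so they run on a bare agent, and the eve.json lines used for the demo are constructed (including the signature and signature_id values) rather than captured output.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the test request
# produced an alert event in eve.json, the line Wazuh's JSON decoder ingests.

# eve_alert_sigs FILE : print the signature of every alert event, one per line.
# Flow, http and dns events share the file but carry no "alert" object.
eve_alert_sigs() {
    grep '"event_type":"alert"' "$1" \
      | sed -n 's/.*"signature":"\([^"]*\)".*/\1/p'
}

# eve_alert_count FILE : number of alert events; grep -c exits 1 on zero
# matches, which must not abort a script running under set -e.
eve_alert_count() {
    n=$(grep -c '"event_type":"alert"' "$1") || true
    echo "${n:-0}"
}

# make_sample FILE : constructed eve.json lines (sample data, not a capture):
# an http event, the alert, then the flow record, with the key order Suricata's
# EVE output uses. Addresses are RFC 5737 documentation ranges.
make_sample() {
    cat > "$1" <<'EOF'
{"timestamp":"2019-01-01T12:00:00.000000+0000","flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"testmyids.com","url":"/"}}
{"timestamp":"2019-01-01T12:00:00.100000+0000","flow_id":1,"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","alert":{"action":"allowed","signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2019-01-01T12:00:01.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10"}
EOF
}

# Stand-alone demo on the constructed sample.
f=$(mktemp)
make_sample "$f"
echo "alerts: $(eve_alert_count "$f")"
eve_alert_sigs "$f"
rm -f "$f"
```

On the agent, `eve_alert_count /var/log/suricata/eve.json` staying at 0 after the curl means Suricata is not seeing the traffic (usually the interface problem from the top of the post), while a non-zero count with nothing in Wazuh points at the ossec.conf entry or the agent restart instead.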