ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Testing Suricata with Wazuh in a VM test environment - Installation

    IT Discussion
    suricata wazuh wazuh-manager nids hids elk
    1
    1
    2.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • IRJI
      IRJ
      last edited by

      For those intersted in testing suricata with wazuh and elk, you need to make sure you have the proper interface configured in the suricata.yaml config file. In my VM environment, I could not get suricata to work because my interface was ens3 instead of eth0 or eth1. Which is the only reason I am pulling down a custom config file in my installation.

      Install Suricata

      cd /root
apt -y install epel-release wget jq
curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
apt -y install suricata

      Setup custom emerging threat rules

      wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
rm /etc/suricata/rules/* -f
mv rules/*.rules /etc/suricata/rules/

      Download and copy custom suricata.yaml config file. (note you will need to search and replace eth0 and eth1 if you are using a different ethernet interface. I had to change all those entries to ens3

      wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml

      Start suricata and configure it to start at boot

      systemctl daemon-reload
systemctl enable suricata
systemctl start suricata

      Add suricata config to wazuh agent file. You can do this from server or all clients. In my automation script, I just have the clients pull down a new ossec file.

      nano /var/ossec/etc/ossec.conf

      Add to the lines below to ossec.conf just above the last line

        <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
</localfile>

      The bottom of ossec.conf should now look like this

        <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>

  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
</localfile>

</ossec_config>

      Restart agent and suricata

      systemctl restart suricata
systemctl restart wazuh-agent

      Trip suricata and check your alert

      curl http://testmyids.com
      1 Reply Last reply Reply Quote 3
      • 1 / 1
      • First post
        Last post