Home Lab#4: Detecting Abnormal Network Traffic using Suricata and Wazuh

Hello Everyone,

Welcome to our fourth Home-lab! In this edition, we will learn to detect abnormal and malicious network traffic using the Suricata IDS (Intrusion Detection System) together with Wazuh. Suricata inspects traffic in real time and raises alerts; Wazuh collects those alerts from the endpoint, decodes them, and shows them in its dashboard. If you are a SOC analyst, security analyst, architect, or an aspiring security engineer, this home-lab will help you build a powerful threat detection capability in your network.

Outline

  • What is IDS, and how is it different from Antivirus solutions?
  • What is Suricata IDS?
  • Home-Lab Requirement
  • Setting up Wazuh Manager
  • Adding Ubuntu Agent
  • Installing Suricata IDS on Ubuntu
  • Testing
  • Visualizing Alerts
  • Need help?


What is IDS, and how is it different from Antivirus solutions?

An Intrusion Detection System (IDS) is a security tool that monitors system or network activity and flags unusual behaviour or possible security threats. A network IDS analyses incoming and outgoing traffic, looking for anomalies or patterns that could point to malicious activity, unauthorized access, or intrusion attempts.

An IDS focuses on identifying unusual or suspicious activity occurring within a system or network: it watches system activity and network traffic for patterns or behaviours that indicate a potential security threat. Antivirus software focuses on locating and blocking particular known malware on the host, using signature-based or behaviour-based detection to find and remove specific categories of malicious software.

In short, antivirus is a preventive control: once installed, it decides on its own what to block. An IDS is a detective control: it raises an alert on anomalies and leaves it to the security team to investigate and respond. (Suricata can also run inline as an IPS and drop traffic, but in this lab we use it purely as a detector.)


What is Suricata IDS?

Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that gives a security team real-time network traffic analysis, threat detection, and alerting for administrators. Some of its key features are:

  • Real-Time Monitoring: Constantly inspects live traffic (HTTP, TLS, DNS, FTP, SMB, SSH and more) for suspicious activity or anomalies.
  • Signature-Based Detection: Identifies known threats by matching packets and application-layer fields against rules written in a Snort-compatible rule language.
  • Protocol Anomaly Detection: Parses the application layer and raises events for protocol violations or unusual behaviour, which rules can match even when no malware-specific signature exists.
  • Protocol Inspection: Examines protocols such as HTTP, TLS, SIP and SMB deeply, extracting fields like URLs, certificates and file names for rules and logging.
  • Community-Driven Updates: Rule sets such as Emerging Threats Open are maintained by the community and refreshed regularly with current threat intelligence.
  • Scalability and Customization: Multi-threaded capture scales to busy links, and rule sets and outputs (including the JSON EVE log we feed to Wazuh) are fully customizable.


Home-Lab Requirement

  • Kali Linux(Attacker)
  • Ubuntu Server(Wazuh agent)
  • Wazuh Server OVA


Setting up Wazuh Manager

For a home-lab it is convenient to use the Wazuh OVA file. Download it from the official documentation: https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html


Open the file in Virtualbox and start the Virtual Machine


Now, log in to the Wazuh CLI and run ip addr (or ifconfig) to get the IP address.

The default Wazuh CLI credential is

username: wazuh-user

password: wazuh

Once you have the IP address, open your favourite browser and go to https://<WAZUH_IP_ADDRESS>. The OVA ships with a self-signed certificate, so the browser will warn you on the first connection.

Next, enter the Wazuh GUI credential as shown below

username: admin

password: admin

These are well-known defaults. Change both the CLI and the dashboard passwords before the VM is reachable from anything other than your lab network.


Adding Ubuntu Agent

You can download the Ubuntu Server ISO from the official website or use a ready-made virtual machine OVA file. Next, follow the steps below:

Step1: Deploy new agent

Once your Ubuntu server is ready, open the Wazuh manager GUI. Go to the Agents section and click Deploy new agent as shown below.


Step2: Enter the required information

Next, select the operating system (DEB amd64 for Ubuntu), enter your Wazuh server address, and set the agent name as shown below.


Step3: Download the Wazuh package

The wizard generates the install command for your selection. Copy it and run it on the Ubuntu server; it downloads the wazuh-agent package and installs it with the manager address already configured.


Step4: Activate Wazuh agent service

Enable and start the wazuh-agent service with systemd, as shown in the wizard's second command block.


Step5: Verify the agent

Back in the Agents section, the new agent should appear with status Active within a minute or so. If it stays Disconnected or Never connected, check that TCP ports 1514 (agent traffic) and 1515 (enrollment) are reachable from the Ubuntu server to the manager.


Installing Suricata IDS on Ubuntu

Installing Suricata on Ubuntu and integrating it with Wazuh takes a handful of steps: install Suricata from the package manager, load a rule set, point Suricata at the right network and interface, then tell the Wazuh agent to ship Suricata's JSON log (eve.json) to the manager. Let's go through the important steps below.

Step1: Install Suricata on Ubuntu endpoint

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y
        

Step2: Install Emerging Threat Rule-set

Install the Emerging Threats Open rule set, the most widely used free Suricata rule set. The download path encodes a Suricata version (6.0.8 below); pick the tarball that matches the major version you installed (suricata -V prints it), because the PPA may install a newer release. Alternatively, suricata-update, which ships with the package, downloads ET Open for you and writes the rules to /var/lib/suricata/rules, in which case the default rule path in the next step can stay as it is.

cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules

Step3: Modify configuration

Update the following settings in /etc/suricata/suricata.yaml. HOME_NET and EXTERNAL_NET live under vars: address-groups:. Replace <AGENT_IP> with the Ubuntu server's address and <AGENT_INTERFACE> with the name of its network interface (ip link lists them; on a VirtualBox Ubuntu guest it is typically enp0s3 rather than eth0). A wrong interface name does not stop Suricata from starting, it just leaves it watching nothing, so check this one carefully:

HOME_NET: "<AGENT_IP>"
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: no

# Linux high speed capture support
af-packet:
  - interface: <AGENT_INTERFACE>
        

Step4: Validate and restart Suricata

Test the configuration before restarting: suricata -T (with -c pointing at the YAML) exits non-zero and names the offending line if the YAML or a rule is broken, which is far easier to read than a failed service start. Then restart the service:

sudo systemctl restart suricata

Step5: Integrate with Wazuh

Add the following to /var/ossec/etc/ossec.conf on the Wazuh agent (append it at the end of the file as its own <ossec_config> block; the agent merges multiple blocks). This makes the agent tail Suricata's EVE JSON log and forward every event to the manager, where Wazuh's built-in Suricata decoder and rules (rule.groups contains suricata) turn Suricata alerts into Wazuh alerts:

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

Step6: Restart the Wazuh agent

sudo systemctl restart wazuh-agent
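Before restarting the services in Steps 4 and 6 it is worth checking that the edits actually landed: a typo such as OME_NET or a wrong interface name silently leaves Suricata watching nothing, and a truncated <ossec_config> tag stops the agent from reading eve.json. The script below is an added example and is not code from the article or from the Suricata or Wazuh projects. It inspects only the keys that Steps 3 and 5 touch and reports problems; the file paths and the use of /sys/class/net to list interfaces are assumptions for a default Ubuntu agent, and because the YAML is scanned with regular expressions it complements rather than replaces suricata -T.

```python
"""Pre-flight check for the Suricata and Wazuh agent settings edited in Steps 3 and 5.
Added example, not code from the article or from Suricata/Wazuh; the paths below are
assumed defaults for an Ubuntu agent."""
import fnmatch
import os
import re
import sys

SURICATA_YAML = "/etc/suricata/suricata.yaml"   # assumed default path
OSSEC_CONF = "/var/ossec/etc/ossec.conf"        # assumed default path
EVE_LOG = "/var/log/suricata/eve.json"          # Suricata's default EVE output
SHIPPED_HOME_NET = "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"  # value in the packaged yaml


def check_suricata_yaml(text, host_interfaces, rule_dir_files):
    """Return problems found in suricata.yaml text (an empty list means OK).

    host_interfaces: interface names present on the host.
    rule_dir_files:  file names found in default-rule-path.
    Only the keys the lab edits are inspected, with regexes, so no YAML library
    is needed; run `suricata -T` as well for a full syntax check.
    """
    problems = []

    home = re.search(r"^[ \t]*HOME_NET:[ \t]*(\S.*?)[ \t]*$", text, re.M)
    if not home:
        problems.append("HOME_NET is not defined (a typo such as OME_NET hides it)")
    elif "<" in home.group(1) or SHIPPED_HOME_NET in home.group(1):
        problems.append("HOME_NET still holds a placeholder or the shipped default: " + home.group(1))

    # First "- interface:" entry is the af-packet capture interface.
    iface = re.search(r"^[ \t]*-[ \t]*interface:[ \t]*(\S+)", text, re.M)
    if not iface:
        problems.append("no af-packet capture interface is configured")
    elif iface.group(1) not in host_interfaces:
        problems.append("capture interface %r does not exist on this host" % iface.group(1))

    # rule-files entries such as - "*.rules" or - suricata.rules
    patterns = re.findall(r'^[ \t]*-[ \t]*"?([^"\s]+\.rules)"?', text, re.M)
    if not patterns:
        problems.append("rule-files lists no rule files")
    elif not any(fnmatch.fnmatch(f, p) for p in patterns for f in rule_dir_files):
        problems.append("no file in the rule directory matches rule-files %s" % patterns)
    return problems


def check_ossec_conf(text):
    """Return problems with the Wazuh agent's ossec.conf text (empty list means OK)."""
    problems = []
    opens = len(re.findall(r"<ossec_config>", text))
    closes = len(re.findall(r"</ossec_config>", text))
    if opens != closes:
        problems.append("unbalanced <ossec_config> tags (%d open, %d close)" % (opens, closes))
    blocks = re.findall(r"<localfile>(.*?)</localfile>", text, re.S)
    if not any("<location>%s</location>" % EVE_LOG in b and "<log_format>json</log_format>" in b
               for b in blocks):
        problems.append("no <localfile> entry reads %s with log_format json" % EVE_LOG)
    return problems


def main():
    try:
        with open(SURICATA_YAML) as f:
            yaml_text = f.read()
        with open(OSSEC_CONF) as f:
            ossec_text = f.read()
    except OSError as e:
        print("cannot read config: %s" % e)
        return 2
    rule_path = re.search(r"^default-rule-path:[ \t]*(\S+)", yaml_text, re.M)
    rule_dir = rule_path.group(1) if rule_path else ""
    rule_files = os.listdir(rule_dir) if os.path.isdir(rule_dir) else []
    problems = check_suricata_yaml(yaml_text, os.listdir("/sys/class/net"), rule_files)
    problems += check_ossec_conf(ossec_text)
    for p in problems:
        print("PROBLEM:", p)
    print("OK" if not problems else "%d problem(s); fix before restarting suricata and wazuh-agent" % len(problems))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the agent as root (it needs to read ossec.conf); a non-zero exit code means something to fix. The two check functions take plain text, so you can also point them at a copy of the files before you deploy them.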


Testing

To test Suricata against abnormal traffic, we launch an Nmap SYN scan from Kali Linux against the Ubuntu server (running the Wazuh agent and Suricata). A SYN scan sends one crafted SYN to every probed port, which ET Open's scan rules are written to catch (for example the ET SCAN signature that matches Nmap's SYN probes by their TCP window size). This can be accomplished using the steps below.

Step1: Launch SYN Scan

On Kali Linux, run an Nmap SYN scan (-sS). A SYN scan needs raw sockets, so run it as root; -Pn skips host discovery so the scan proceeds even if ICMP is filtered:

sudo nmap -sS -Pn 192.168.29.246

Step2: Check the output

In the output shown below, port 22 has STATE open, meaning SSH is listening on the server; the other 999 ports answered with a RST (closed). Every one of those 1000 probes passed through Suricata on the way in, and they should show up as alert events in /var/log/suricata/eve.json (Suricata also writes a one-line-per-alert copy to fast.log).

nmap -sS -Pn 192.168.29.246
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-11 00:33 IST
Nmap scan report for 192.168.29.246
Host is up (0.0030s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds        


Visualize the Alert

To view the security alerts in the Wazuh dashboard, open the Security events module and select the agent.

Apply the filter rule.groups:suricata to show only events that came from Suricata. Wazuh keeps Suricata's own fields under data (for example data.alert.signature, data.src_ip and data.dest_port), so you can narrow the view further to the Kali address or to the scan signature name.
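What Wazuh ingests from this scan is a stream of JSON events in eve.json, and the dashboard filter above is just a view over them. The script below is an added example, not code from the article or from the Suricata or Wazuh projects. It parses a constructed eve.json sample shaped like the alerts a SYN scan produces (addresses, timestamps, flow ids and counts are made up; the signature name and id mirror ET Open's Nmap SYN-scan rule), groups alerts by signature the way the dashboard does, and adds a port-scan correlation that fires when one source touches many distinct destination ports within a time window. That correlation is the kind of frequency rule you would otherwise write in Wazuh's XML rule language; it runs over flow records too, so it still catches a scan when the rule set has no signature for it. The 5-port threshold and 60-second window are assumptions.

```python
"""Triage of Suricata EVE alerts plus a port-scan correlation.
Added example, not code from the article or from Suricata/Wazuh."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/suricata/eve.json (one JSON event per line).
# The five alerts from 192.168.29.5 mimic a SYN scan against the agent; the flow
# record and the lone alert from 192.168.29.7 are non-scan noise. Addresses,
# timestamps and flow ids are made up.
SAMPLE_EVE = '''\
{"timestamp":"2023-12-11T00:33:01.000101+0530","flow_id":101,"event_type":"alert","src_ip":"192.168.29.5","src_port":52134,"dest_ip":"192.168.29.246","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009582,"rev":6,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-12-11T00:33:01.000250+0530","flow_id":102,"event_type":"alert","src_ip":"192.168.29.5","src_port":52134,"dest_ip":"192.168.29.246","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009582,"rev":6,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-12-11T00:33:01.000401+0530","flow_id":103,"event_type":"alert","src_ip":"192.168.29.5","src_port":52134,"dest_ip":"192.168.29.246","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009582,"rev":6,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-12-11T00:33:01.000522+0530","flow_id":104,"event_type":"alert","src_ip":"192.168.29.5","src_port":52134,"dest_ip":"192.168.29.246","dest_port":3306,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009582,"rev":6,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-12-11T00:33:01.000670+0530","flow_id":105,"event_type":"alert","src_ip":"192.168.29.5","src_port":52134,"dest_ip":"192.168.29.246","dest_port":8080,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009582,"rev":6,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2023-12-11T00:33:02.100000+0530","flow_id":101,"event_type":"flow","src_ip":"192.168.29.5","src_port":52134,"dest_ip":"192.168.29.246","dest_port":22,"proto":"TCP","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":60,"bytes_toclient":60,"state":"closed"}}
{"timestamp":"2023-12-11T00:40:15.000000+0530","flow_id":106,"event_type":"alert","src_ip":"192.168.29.7","src_port":41000,"dest_ip":"192.168.29.246","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2009582,"rev":6,"signature":"ET SCAN NMAP -sS window 1024","category":"Attempted Information Leak","severity":2}}
'''


def parse_eve(text):
    """Return one dict per well-formed JSON line; Suricata writes one event per line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a partially written last line is normal on a live log
    return events


def event_time(ev):
    # Suricata stamps events like 2023-12-11T00:33:01.000101+0530
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def summarize_alerts(events):
    """Count alert events per signature, like grouping on data.alert.signature in Wazuh."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event_type") == "alert":
            counts[ev["alert"]["signature"]] += 1
    return dict(counts)


def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag (src_ip, dest_ip, distinct_ports) for pairs that touch at least
    min_ports distinct destination ports inside any span of length `window`.
    Uses every event carrying ports (alerts and flow records alike)."""
    by_pair = defaultdict(list)
    for ev in events:
        if "dest_port" in ev and "src_ip" in ev:
            by_pair[(ev["src_ip"], ev["dest_ip"])].append((event_time(ev), ev["dest_port"]))
    findings = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings.append((src, dst, len(ports)))
                break  # report each pair once
    return findings


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for sig, n in summarize_alerts(evs).items():
        print("%4d  %s" % (n, sig))
    for src, dst, n in detect_port_scans(evs):
        print("port scan: %s -> %s (%d distinct ports)" % (src, dst, n))
```

To run it against a real log, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json. The single alert from 192.168.29.7 stays below the threshold, which is the point of correlating on distinct ports rather than alerting on every signature hit.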


That's all for today.

See you next week.


Need help?

Whenever you're ready, there are 2 ways I can help you:


  1. If you are an aspiring cybersecurity engineer or a cybersecurity beginner, I'd recommend my Ultimate SOC Analyst Bundle: a set of 11+ courses to transform your career into the most in-demand cybersecurity job with real-world tools, assessments, and labs.
  2. Need help building an open-source SOC, SOAR, automated threat intelligence, red team, or security integrations? DM me on LinkedIn directly.




陈航

美国厚仁教育

11 months

You are doing great sharing Rajneesh G. and there is also an amazing tool called F1 Hire. It's a game-changer for international students in the US job market, which offers up-to-date H1B history, salary data, E-verify history, and sponsorship availability analysis. The AI resume matching and job description analysis are spot-on. Highly recommended.

Emily Zakkak

Security Engineer @ Sennovate | Inspiring and Paying It Forward | CC, CAP, Certified in SOC | Expertise in Industry Leading IAM, SOC, XDR, EDR, ETP, SAT and DLP | WiCyS | TryHackMe Top 1% |

11 months

Gonna try this, thank you Rajneesh G.!
