Suricata Integration with Wazuh [DL Series-6]

Welcome to the 6th part of our Detection Lab (DL) series. In this article, we’ll explore Suricata, a powerful open-source intrusion detection and prevention system (IDS/IPS), and its integration into Wazuh.

What is Suricata?

Suricata is a high-performance, versatile, and open-source network threat detection engine developed by the Open Information Security Foundation (OISF). It functions as an intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) tool. Suricata is widely adopted for its ability to analyze network traffic in real-time, inspect protocols, and detect malicious activities using predefined rule sets.

Key Features of Suricata

  1. Versatile IDS/IPS Functionality: Suricata functions as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS), providing real-time threat detection and the ability to block attacks based on predefined rules.
  2. SSL/TLS Traffic Inspection, File Transfer Monitoring, and DNS Traffic Analysis: Suricata also performs deep inspection of SSL/TLS encrypted traffic, monitors file transfer protocols like FTP, SMB, and HTTP for malicious activity, and analyzes DNS traffic to identify malicious domain queries, preventing data exfiltration and DNS-based attacks.
  3. Network Security Monitoring (NSM): With full pcap capture support, Suricata provides in-depth traffic analysis, allowing security teams to monitor network activity thoroughly and investigate incidents with precision.
  4. Automatic Protocol Detection: Suricata can automatically identify various protocols like HTTP on any port, enhancing its ability to detect malware and Command-and-Control (C&C) communications, even if attackers try to disguise them.
  5. Comprehensive Logging and Forensics: Suricata logs detailed HTTP requests, TLS/SSL exchanges, and DNS activities. It also supports file extraction from network flows, enabling further analysis for potential threats.

Installing and Configuring Suricata in the Detection Lab

In our Detection Lab, we set up Suricata on a Linux endpoint running Ubuntu 22.04. Below are the steps to install and configure Suricata and integrate it with the Wazuh server.

Step 1: Install Suricata

First, add the official Suricata repository and install it:

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata -y

Step 2: Download and Apply Emerging Threats Ruleset

Suricata uses rule sets to detect malicious activities. Download and extract the Emerging Threats ruleset:

cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz && sudo mkdir /etc/suricata/rules && sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules

Step 3: Configure Suricata

Identify your network interface by using this command:

ip addr
Sample output

Open the suricata.yaml file:

vi /etc/suricata/suricata.yaml

Make the following changes, replacing <Linux EP_ip> with the IP address of the Linux endpoint and enp0s3 with the interface name shown by ip addr:

HOME_NET: "<Linux EP_ip>"
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: yes

# Linux high-speed capture support
af-packet:
  - interface: enp0s3

Step 4: Enable Suricata Service

sudo systemctl daemon-reload
sudo systemctl enable suricata.service
sudo systemctl start suricata.service

Step 5: Configure Wazuh to Monitor Suricata Logs

Edit the Wazuh agent configuration file to read Suricata’s logs by adding the following configuration snippet:

vi /var/ossec/etc/ossec.conf

<localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
</localfile>

Restart the Wazuh agent:

sudo systemctl restart wazuh-agent.service
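To see what the Wazuh agent actually reads from eve.json with log_format json (one JSON object per line), here is an added Python example that is not part of the original article: it parses constructed eve.json lines, keeps only the alert records, flattens the fields a SIEM rule keys on, and skips a line that is still being written rather than failing. All timestamps, IPs, signature IDs and signature names are constructed, not real Emerging Threats rules.

```python
import json
from collections import Counter

# Constructed eve.json lines (not a real capture), one JSON object per line as Wazuh's
# json log_format expects; the third line is deliberately cut off mid-record.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:15:02.000000+0000","event_type":"alert","src_ip":"192.168.56.101","dest_ip":"192.168.56.1","proto":"TCP","alert":{"signature_id":9000001,"signature":"LAB TEST constructed id-check response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-01T10:15:03.000000+0000","event_type":"dns","src_ip":"192.168.56.101","dest_ip":"192.168.56.1","proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-05-01T10:15:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.56.101","proto":"TCP","alert":{"signature_id":9000002,"signature":"LAB TEST constructed inbound scan","category":"Attempted Infor
{"timestamp":"2024-05-01T10:15:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.56.101","proto":"TCP","alert":{"signature_id":9000002,"signature":"LAB TEST constructed inbound scan","category":"Attempted Information Leak","severity":2}}
"""


def parse_eve(lines):
    """Decode one JSON object per line; an incomplete line is counted and skipped."""
    events, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def alert_summary(events):
    """Keep only event_type == 'alert' and flatten the fields a SIEM rule keys on."""
    alerts = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        alerts.append({
            "timestamp": ev["timestamp"],
            "src_ip": ev.get("src_ip"),
            "dest_ip": ev.get("dest_ip"),
            "signature_id": a["signature_id"],
            "signature": a["signature"],
            "severity": a["severity"],
        })
    return alerts


def count_by_signature(alerts):
    return Counter(a["signature"] for a in alerts).most_common()


if __name__ == "__main__":
    events, skipped = parse_eve(SAMPLE_EVE.splitlines())
    print(f"{skipped} malformed line(s) skipped; alerts:", count_by_signature(alert_summary(events)))
```

Run against the real file with `parse_eve(open("/var/log/suricata/eve.json"))` to confirm alert records are being written before checking the dashboard.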

Test the Setup

Verify Suricata Installation

To confirm that Suricata is running and logging events, use the following command to tail the fast.log file:

tail -f /var/log/suricata/fast.log

You should see output similar to the snippet below:

Check Logs in the Wazuh Dashboard

Navigate to the Wazuh dashboard and go to the Discover section. Add the following filter to display Suricata logs:

Searching Suricata logs
Sample output

Once the filter is applied, you should see Suricata events populated in the Wazuh dashboard as shown in the snippet above, confirming successful integration.

Acknowledgments

I extend my gratitude to the founder of Wazuh - Santiago Bassett for creating an exceptional platform that empowers security professionals with robust monitoring and incident response capabilities. A special acknowledgment also goes to the Suricata Project | Open Information Security Foundation (OISF) for developing Suricata, a powerful and versatile tool that has revolutionized network security monitoring and threat detection.

Upcoming

In our next article, we’ll dive into the power of jq — a versatile tool for parsing and processing JSON data. Using the Suricata logs we set up in this article, we’ll learn how to filter, format, and extract critical insights, turning raw logs into actionable intelligence for effective security monitoring.

Check out the next article here: Suricata Log Parsing using jq [DL Series-7]

Feel free to ask questions or share your feedback in the comments section — I’d love to hear from you! You can also connect with me on Gibin John to clarify any doubts or continue the conversation.

Follow my Medium profile to stay updated on the full series: Gibin John.

Thanks a lot. Very helpful

Tyrone C.

IT Management || Security Awareness || Phishing Analysis || Risk Assessments || Vulnerability Scans || Firewall Mgmt || Endpoint Security || System Administration || PowerShell || HIPAA

3 weeks

Great post, the step-by-step is very helpful. Do you have anything on creating custom alerts?

Fabio Giroux

| SOC Analyst | CSA | NSE 1 | Blue Team | SOC | NOC | Incident Response | Information Security

1 month

Great article. I have the knowledge for implementations for Linux servers, however I find it difficult to handle the suricata configuration file, when they are on a Windows server. Suricata is consuming a lot of server resources and does not obey the log file size limitation rule. Do you have any suggestions?

Eddie Phillips

International Keynote Speaker | Driving OEM Partnerships & Cybersecurity Innovation | Empowering Businesses to Thrive in a Secured Digital World | Strategic Advisor | #nodrama

1 month

Great article!

Steven Haule

IT specialist|Computer System Security Expert | SOC Analyst

1 month

In addition to that, using SELK vs Suricata & Wazuh architecture, which one is more reliable on your side?
