This article explores the integration of Suricata (an open-source IDS/IPS) with Wazuh (a SIEM solution) to enhance real-time threat detection and network security.
Key Highlights of the Integration
✅ Installing & configuring Suricata on Kali Linux
✅ Creating custom detection rules for suspicious traffic and unauthorized access
✅ Implementing real-time log monitoring & alerting
✅ Integrating Suricata alerts into Wazuh for centralized security analysis
✅ Automating security responses to detected threats
You Should Know: Practical Implementation Steps
1. Installing Suricata on Kali Linux
sudo apt update && sudo apt install suricata -y
Verify installation:
suricata --build-info
2. Configuring Suricata
Edit the Suricata configuration file:
sudo nano /etc/suricata/suricata.yaml
In the `outputs:` section, enable EVE JSON logging (this is the file Wazuh will read):
- eve-log:
    enabled: yes
    filetype: regular
    filename: eve.json
    types:
      - alert
      - http
      - dns
Start Suricata:
sudo systemctl start suricata
sudo systemctl enable suricata
3. Creating Custom Suricata Rules
Add custom rules to `/etc/suricata/rules/local.rules` (make sure this file is listed under `rule-files:` in suricata.yaml). The example rule below raises an alert each time a single source opens 5 TCP connections within 60 seconds:
alert tcp any any -> any any (msg:"Suspicious TCP Traffic Detected"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001;)
Test the configuration, then restart Suricata to load the new rules:
sudo suricata -T -c /etc/suricata/suricata.yaml -v
sudo systemctl restart suricata
4. Integrating Suricata with Wazuh
Install Wazuh on the Suricata host. Note that `wazuh-install.sh -a` performs an all-in-one installation of the Wazuh central components (manager, indexer and dashboard); if the Suricata host should only run an agent, install the `wazuh-agent` package from the Wazuh repository instead and point it at your manager:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Configure Wazuh to monitor the Suricata log (`/var/log/suricata/eve.json`). The shared `agent.conf` lives on the Wazuh manager and is pushed to every agent in the `default` group:
sudo nano /var/ossec/etc/shared/default/agent.conf
Add the following:
<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>
Restart Wazuh agent:
sudo systemctl restart wazuh-agent
5. Automating Alerts & Responses
Use Wazuh's active response, configured in the manager's `ossec.conf`, to drop traffic from the offending source IP whenever an alert of level 7 or higher is triggered:
sudo nano /var/ossec/etc/ossec.conf
Add:
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>7</level>
</active-response>
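Before switching on automatic blocking, it helps to see what the pipeline above actually produces. The following Python script is an added example and not part of the original article: it parses constructed eve.json lines into the dotted fields Wazuh's JSON decoder exposes (skipping non-alert events and a line cut off mid-write), and mirrors the `threshold` option of the custom rule on a constructed connection sequence. The threshold logic is a simplified model of Suricata's behaviour, and all IPs and timestamps are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed eve.json lines (not from a real sensor): two alerts, one DNS event, one line cut off mid-write.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"Suspicious TCP Traffic Detected","severity":3}}',
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7"',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"Suspicious TCP Traffic Detected","severity":3}}',
])

def parse_eve_alerts(text):
    """Pull the fields a Wazuh rule would match from eve.json alert records; skip other event types and broken lines."""
    alerts = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a line cut off mid-write (e.g. read during rotation) must not stop processing
        if isinstance(ev, dict) and ev.get("event_type") == "alert":
            alerts.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"], "dest_ip": ev.get("dest_ip"),
                           "alert.signature_id": ev["alert"]["signature_id"], "alert.signature": ev["alert"]["signature"]})
    return alerts

def threshold_hits(conns, count=5, seconds=60):
    """Simplified model of 'threshold: type threshold, track by_src, count 5, seconds 60':
    one alert fires each time a source reaches `count` matches inside a `seconds` window."""
    window = defaultdict(list)  # src_ip -> timestamps counted in the current window
    fired = []
    for ts, src in conns:
        bucket = window[src]
        if bucket and ts - bucket[0] > timedelta(seconds=seconds):
            bucket.clear()  # window expired: start counting again
        bucket.append(ts)
        if len(bucket) == count:
            fired.append((src, ts))
            bucket.clear()
    return fired

def demo_threshold():
    """Constructed sequence: 10.0.0.5 opens 6 connections in 6 s (fires once);
    10.0.0.9 opens 5 connections spread over 120 s (never 5 within 60 s, stays silent)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    conns = [(t0 + timedelta(seconds=i), "10.0.0.5") for i in range(6)]
    conns += [(t0 + timedelta(seconds=30 * i), "10.0.0.9") for i in range(5)]
    return [src for src, _ in threshold_hits(sorted(conns))]
```

Running `demo_threshold()` on the constructed sequence reports only `10.0.0.5`, which is the source that would reach Wazuh and, at level 7, the firewall-drop response.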
What Undercode Says
This integration strengthens real-time threat detection by combining Suricata’s network monitoring with Wazuh’s log analysis. Key takeaways:
– Use custom Suricata rules for tailored threat detection.
– EVE JSON logs ensure seamless Wazuh integration.
– Automated blocking of malicious IPs enhances security.
For further learning:
Expected Output:
- Real-time alerts in Wazuh dashboard.
- Automated IP blocking for detected threats.
- Enhanced visibility into network attacks.
References:
Reported By: Muhammad Gulraiz – Hackers Feeds