Boosting Cybersecurity with Suricata & Wazuh Integration

This article explores the integration of Suricata (an open-source IDS/IPS) with Wazuh (a SIEM solution) to enhance real-time threat detection and network security.

Key Highlights of the Integration

✅ Installing & configuring Suricata on Kali Linux

✅ Creating custom detection rules for suspicious traffic and unauthorized access

✅ Implementing real-time log monitoring & alerting

✅ Integrating Suricata alerts into Wazuh for centralized security analysis

✅ Automating security responses to detected threats

You Should Know: Practical Implementation Steps

1. Installing Suricata on Kali Linux

sudo apt update && sudo apt install suricata -y 

Verify installation:

suricata --build-info 

2. Configuring Suricata

Edit the Suricata configuration file:

sudo nano /etc/suricata/suricata.yaml 

Enable EVE JSON logs (for Wazuh integration):

eve-log:
  enabled: yes
  filetype: regular
  filename: eve.json
  types:
    - alert
    - http
    - dns

Start Suricata:

sudo systemctl start suricata 
sudo systemctl enable suricata 

3. Creating Custom Suricata Rules

Add custom rules to `/etc/suricata/rules/local.rules`:

alert tcp any any -> any any (msg:"Suspicious TCP Traffic Detected"; flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001;) 

Reload Suricata rules:

sudo suricata -T -c /etc/suricata/suricata.yaml -v 
sudo systemctl restart suricata 

4. Integrating Suricata with Wazuh

Install the Wazuh agent on the Suricata host:

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a 

Configure Wazuh to monitor Suricata logs (`/var/log/suricata/eve.json`):

sudo nano /var/ossec/etc/shared/default/agent.conf 

Add the following:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/suricata/eve.json</location>
</localfile>

Restart Wazuh agent:

sudo systemctl restart wazuh-agent 

5. Automating Alerts & Responses

Use Wazuh’s active response to block malicious IPs:

sudo nano /var/ossec/etc/ossec.conf 

Add:

<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <level>7</level>
</active-response>
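Steps 2 to 5 hand eve.json to a JSON log collector and then let active response act on what it finds. The following is an added example (not Suricata or Wazuh code) that shows what such a collector sees in eve.json records: it flattens the nested JSON into dotted keys, skips a truncated line instead of failing, counts only event_type=alert per source, and applies an assumed internal allowlist before a source is proposed for firewall-drop, since the `any any -> any any` rule above will also fire on internal hosts. The sample records and the allowlist are constructed for the example.

```python
import ipaddress
import json

# Constructed eve.json sample (alert/http/dns types as enabled above); not captured traffic.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"Suspicious TCP Traffic Detected","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"rrname":"example.com"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"Suspicious TCP Traffic Detected","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"http","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","http":{"url":"/"}}',
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"Suspicious TCP Traffic Detected","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"Suspicious TCP Traffic Detected","severity":3}}',
    '{"timestamp":"2024-01-01T10:00:07.000000+0000","event_type":"al',  # truncated write, must be skipped
])
# Assumed allowlist: internal ranges that firewall-drop must never touch.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys (alert.signature_id), as a JSON log decoder exposes them."""
    out = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out

def parse_eve(text):
    """Parse eve.json line by line; a truncated or partial line is skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        try:
            records.append(flatten(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return records

def alert_counts_by_src(records):
    """Count only event_type=alert per source; http/dns records are context, not alerts."""
    counts = {}
    for r in records:
        if r.get("event_type") == "alert":
            counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
    return counts

def block_candidates(records, min_alerts=2):
    """Sources with at least min_alerts alerts that are outside ALLOWLIST: the guard that keeps an
    'any any -> any any' rule from feeding firewall-drop with internal addresses."""
    addrs = ((ipaddress.ip_address(ip), n) for ip, n in sorted(alert_counts_by_src(records).items()))
    return [str(a) for a, n in addrs if n >= min_alerts and not any(a in net for net in ALLOWLIST)]
```

Running `block_candidates(parse_eve(SAMPLE_EVE))` returns only the external source, while the internal host with the same alert count is left alone.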

What Undercode Say

This integration strengthens real-time threat detection by combining Suricata’s network monitoring with Wazuh’s log analysis. Key takeaways:
– Use custom Suricata rules for tailored threat detection.
– EVE JSON logs ensure seamless Wazuh integration.
– Automated blocking of malicious IPs enhances security.

Expected Output:

  • Real-time alerts in Wazuh dashboard.
  • Automated IP blocking for detected threats.
  • Enhanced visibility into network attacks.

Reported By: Muhammad Gulraiz – Hackers Feeds