Testing Suricata with Wazuh in a VM test environment - Installation

  • For those interested in testing Suricata with Wazuh and ELK, you need to make sure you have the proper interface configured in the suricata.yaml config file. In my VM environment, I could not get Suricata to work because my interface was ens3 instead of eth0 or eth1, which is the only reason I am pulling down a custom config file in my installation.

    Install Suricata

    cd /root
    apt -y install epel-release wget jq
    curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
    apt -y install suricata

    Setup custom emerging threat rules

    wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
    tar zxvf emerging.rules.tar.gz
    rm /etc/suricata/rules/* -f
    mv rules/*.rules /etc/suricata/rules/

    Download and copy the custom suricata.yaml config file. (Note: you will need to search and replace eth0 and eth1 if you are using a different ethernet interface. I had to change all those entries to ens3.)

    wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml

    Start suricata and configure it to start at boot

    systemctl daemon-reload
    systemctl enable suricata
    systemctl start suricata

    Add the Suricata config to the Wazuh agent file. You can do this from the server or on all clients. In my automation script, I just have the clients pull down a new ossec file.

    nano /var/ossec/etc/ossec.conf

    Add the lines below to ossec.conf, just above the last line:


    The bottom of ossec.conf should now look like this:


    Restart agent and suricata

    systemctl restart suricata
    systemctl restart wazuh-agent

    Trip suricata and check your alert

    curl http://testmyids.com
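    Two checks that go with the steps above, added here as an example (not from the original post): one confirms that the interface names in suricata.yaml actually exist on the host (the ens3 vs eth0 problem), the other counts eve.json alerts for the testmyids.com probe. It assumes the stock paths /etc/suricata/suricata.yaml and /var/log/suricata/eve.json and ships with constructed sample files so it can be tried without a live sensor.

```shell
#!/bin/sh
# Added example (not from the original post): check that the interfaces
# named in suricata.yaml exist on this host (the ens3 vs eth0 problem above)
# and count alerts for the testmyids.com probe in Suricata's eve.json.
# Assumed real paths: /etc/suricata/suricata.yaml, /var/log/suricata/eve.json.

# Distinct "- interface: NAME" entries in a suricata.yaml, minus "default".
yaml_interfaces() {
    awk '/^[[:space:]]*-[[:space:]]*interface:/ { v = $NF; gsub(/"/, "", v)
         if (v != "default" && !seen[v]++) print v }' "$1"
}

# Succeed only if every interface from $1 is in the host list $2
# (space separated, e.g. "$(ls /sys/class/net | tr '\n' ' ')").
check_interfaces() {
    rc=0
    for want in $(yaml_interfaces "$1"); do
        case " $2 " in
            *" $want "*) ;;
            *) echo "suricata.yaml names '$want' but the host has no such interface" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

# Number of eve.json alert records that involve the testmyids.com request.
count_testmyids_alerts() {
    grep '"event_type": *"alert"' "$1" | grep -c 'testmyids\.com' || true
}

# Constructed samples: a yaml fragment with the stock eth0/eth1 names and a
# two-record eve.json, so the checks can be tried without a live sensor.
make_samples() {
    d=$(mktemp -d)
    printf 'af-packet:\n  - interface: eth0\n  - interface: eth1\n  - interface: default\n' > "$d/suricata.yaml"
    printf '%s\n' '{"event_type":"flow","src_ip":"10.0.0.5","dest_port":80}' \
      '{"event_type":"alert","src_ip":"10.0.0.5","alert":{"action":"allowed"},"http":{"hostname":"testmyids.com"}}' \
      > "$d/eve.json"
    echo "$d"
}

samples=$(make_samples)
host_ifaces=$(ls /sys/class/net 2>/dev/null | tr '\n' ' ')
[ -n "$host_ifaces" ] || host_ifaces=lo
if check_interfaces "$samples/suricata.yaml" "$host_ifaces"; then
    echo "all interfaces in suricata.yaml exist on this host"
else
    echo "edit the interface names in suricata.yaml (e.g. eth0 -> ens3) before starting suricata"
fi
echo "testmyids.com alerts in sample eve.json: $(count_testmyids_alerts "$samples/eve.json")"
```

    On a real sensor, point the two functions at the assumed paths above instead of the sample directory; a zero count after the curl usually means either the interface name or the eve.json output is not set correctly.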