Testing Suricata with Wazuh in a VM test environment - Installation



  • For those interested in testing Suricata with Wazuh and ELK, you need to make sure you have the proper interface configured in the suricata.yaml config file. In my VM environment, I could not get Suricata to work because my interface was ens3 instead of eth0 or eth1, which is the only reason I am pulling down a custom config file in my installation.


    Install Suricata


    cd /root
    # epel-release and the COPR .repo file below are for a yum-based CentOS/RHEL 7 system, so use yum here
    yum -y install epel-release wget jq
    # the repo file only takes effect if it is placed in /etc/yum.repos.d/
    curl -o /etc/yum.repos.d/jasonish-suricata-stable-epel-7.repo https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
    yum -y install suricata
    

    Setup custom emerging threat rules


    wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
    tar zxvf emerging.rules.tar.gz
    rm /etc/suricata/rules/* -f
    mv rules/*.rules /etc/suricata/rules/
    

    Download and copy the custom suricata.yaml config file. (Note: you will need to search and replace eth0 and eth1 if you are using a different ethernet interface. I had to change all those entries to ens3.)


    wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml
    
    

    Start suricata and configure it to start at boot


    systemctl daemon-reload
    systemctl enable suricata
    systemctl start suricata
    

    Add the Suricata log entry to the Wazuh agent config file. You can do this on the server or on all clients. In my automation script, I just have the clients pull down a new ossec file.


    nano /var/ossec/etc/ossec.conf
    

    Add the lines below to ossec.conf, just above the last line (the closing </ossec_config> tag)


      <localfile>
        <log_format>json</log_format>
        <location>/var/log/suricata/eve.json</location>
      </localfile>
    
    

    The bottom of ossec.conf should now look like this


      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/kern.log</location>
      </localfile>

      <localfile>
        <log_format>json</log_format>
        <location>/var/log/suricata/eve.json</location>
      </localfile>

    </ossec_config>
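    As an added example (not code from the original post), here is a small Python helper that applies the ossec.conf step above idempotently: it reports whether the eve.json <localfile> entry is already present, inserts the block just above the final </ossec_config> when it is missing, and refuses to silently change an existing eve.json entry whose log_format is not json. It edits the text directly rather than going through an XML parser because a Wazuh ossec.conf may legitimately contain more than one <ossec_config> root element. The SAMPLE_CONF string is a constructed stand-in for the bottom of a real agent config; the path /var/ossec/etc/ossec.conf is the one the post uses.

```python
"""Idempotently add the Suricata eve.json <localfile> entry to a Wazuh agent's
ossec.conf.  Added example, not code from the original post.  It edits the
text directly because ossec.conf may contain several <ossec_config> root
elements and so is not always a single well-formed XML document."""
import re
import sys

EVE_PATH = "/var/log/suricata/eve.json"
DEFAULT_CONF = "/var/ossec/etc/ossec.conf"   # path used in the post

# Exactly the block the post says to add, with the indentation it shows.
LOCALFILE_BLOCK = (
    "  <localfile>\n"
    "    <log_format>json</log_format>\n"
    "    <location>" + EVE_PATH + "</location>\n"
    "  </localfile>\n"
)

# Constructed sample: the bottom of a typical agent config before the change.
SAMPLE_CONF = (
    "<ossec_config>\n"
    "  <localfile>\n"
    "    <log_format>syslog</log_format>\n"
    "    <location>/var/log/kern.log</location>\n"
    "  </localfile>\n"
    "\n"
    "</ossec_config>\n"
)

_LOCALFILE_RE = re.compile(r"<localfile>(.*?)</localfile>", re.DOTALL)


def _tag_value(body, tag):
    """Return the trimmed text inside <tag>...</tag> within body, or None."""
    m = re.search(r"<%s>\s*(.*?)\s*</%s>" % (tag, tag), body, re.DOTALL)
    return m.group(1) if m else None


def find_eve_localfile(conf_text):
    """Return the body of the <localfile> element whose <location> is eve.json,
    or None if no such element exists."""
    for m in _LOCALFILE_RE.finditer(conf_text):
        if _tag_value(m.group(1), "location") == EVE_PATH:
            return m.group(1)
    return None


def ensure_suricata_localfile(conf_text):
    """Return (new_text, status) where status is:
      'present'      eve.json is already collected with log_format json (unchanged)
      'wrong_format' an eve.json entry exists but its log_format is not json
                     (unchanged: left for a human rather than silently rewritten)
      'added'        the block was inserted just above the final </ossec_config>
    Raises ValueError when the config has no </ossec_config> closing tag."""
    body = find_eve_localfile(conf_text)
    if body is not None:
        return conf_text, ("present" if _tag_value(body, "log_format") == "json"
                           else "wrong_format")
    idx = conf_text.rfind("</ossec_config>")
    if idx == -1:
        raise ValueError("no </ossec_config> closing tag found in config")
    # Insert before the last closing tag, separated by one blank line as in the post.
    head = conf_text[:idx].rstrip("\n") + "\n\n"
    return head + LOCALFILE_BLOCK + "\n" + conf_text[idx:], "added"


def main(argv):
    if len(argv) > 1:                      # real file: rewrite in place only if needed
        path = argv[1]
        with open(path) as fh:
            text = fh.read()
        new_text, status = ensure_suricata_localfile(text)
        if status == "added":
            with open(path, "w") as fh:
                fh.write(new_text)
        print("%s: %s" % (path, status))
    else:                                  # no argument: show the change on the sample
        new_text, status = ensure_suricata_localfile(SAMPLE_CONF)
        print("sample config: %s\n%s" % (status, new_text))


if __name__ == "__main__":
    main(sys.argv)
```

    Run it with no arguments to see the transformation on the constructed sample, or with the path to ossec.conf to update that file in place (it writes the file only when it actually adds the block). The agent still has to be restarted afterwards, as the next step does.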
    
    
    

    Restart agent and suricata


    systemctl restart suricata
    systemctl restart wazuh-agent
    

    Trip suricata and check your alert


    curl http://testmyids.com
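    To confirm that the trip actually produced a Suricata alert before looking for the event in Wazuh, the following added Python script (not part of the original post) reads eve.json line by line, skips any line that is not valid JSON (the last line can be half-written while Suricata is running), keeps only the event_type "alert" records, and reports whether an alert was raised for HTTP traffic to a given hostname. The SAMPLE_EVE lines are constructed for the example; the alert in them is modeled on the GPL ATTACK_RESPONSE signature that the testmyids.com response is known to trigger, but the check itself works for any alert in the file.

```python
"""Read Suricata's eve.json and report the alerts in it.  Added example, not
code from the original post.  Use it to confirm that the test trip produced
an alert before looking for the event in Wazuh."""
import json
import os
import sys

EVE_JSON = "/var/log/suricata/eve.json"   # path the post configures in ossec.conf

# Constructed sample lines (not a real capture).  The alert is modeled on the
# GPL ATTACK_RESPONSE rule that the testmyids.com response is known to trigger;
# the fourth line is deliberately broken to show that bad lines are skipped.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2019-01-01T12:00:00.000000+0000","flow_id":1,"event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP",'
    '"dns":{"type":"query","rrname":"testmyids.com","rrtype":"A"}}',
    '{"timestamp":"2019-01-01T12:00:00.100000+0000","flow_id":2,"event_type":"http",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP",'
    '"http":{"hostname":"testmyids.com","url":"/","http_method":"GET","status":200}}',
    '{"timestamp":"2019-01-01T12:00:00.200000+0000","flow_id":2,"event_type":"alert",'
    '"src_ip":"203.0.113.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":49152,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic","severity":2},'
    '"http":{"hostname":"testmyids.com","url":"/","http_method":"GET","status":200}}',
    'this line is not JSON and must be skipped, not crash the reader',
    '{"timestamp":"2019-01-01T12:00:01.000000+0000","flow_id":2,"event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}',
]) + "\n"


def parse_eve(text):
    """Parse one JSON object per line.  Returns (events, skipped) where skipped
    counts lines that were not valid JSON."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:          # json.JSONDecodeError is a ValueError
            skipped += 1
    return events, skipped


def summarize_alerts(events):
    """Reduce alert events to the fields an analyst checks first."""
    summary = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        summary.append({
            "timestamp": ev.get("timestamp"),
            "sid": alert.get("signature_id"),
            "signature": alert.get("signature"),
            "category": alert.get("category"),
            "severity": alert.get("severity"),
            "src": "%s:%s" % (ev.get("src_ip"), ev.get("src_port")),
            "dest": "%s:%s" % (ev.get("dest_ip"), ev.get("dest_port")),
            # HTTP metadata is attached to the alert when the flow was HTTP
            "hostname": ev.get("http", {}).get("hostname"),
        })
    return summary


def tripped(events, hostname):
    """True if at least one alert carries HTTP metadata for the given host."""
    return any(a["hostname"] == hostname for a in summarize_alerts(events))


def main(argv):
    path = argv[1] if len(argv) > 1 else EVE_JSON
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        print("%s not found, using constructed sample" % path)
        text = SAMPLE_EVE
    events, skipped = parse_eve(text)
    alerts = summarize_alerts(events)
    print("%d events, %d alerts, %d unparseable lines" % (len(events), len(alerts), skipped))
    for a in alerts:
        print("%(timestamp)s sev=%(severity)s sid=%(sid)s %(signature)s "
              "%(src)s -> %(dest)s host=%(hostname)s" % a)
    print("testmyids.com alert seen: %s" % tripped(events, "testmyids.com"))


if __name__ == "__main__":
    main(sys.argv)
```

    If the alert shows up here but not in Wazuh, the problem is on the collection side (the ossec.conf entry or the agent restart); if it does not show up here at all, check the interface setting in suricata.yaml first, as the note at the top of the post describes.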