Integrating Suricata into my Home Lab

For today’s project, I am going to be installing and integrating Suricata into my home SOC. Suricata is a Network Intrusion Detection System (NIDS) that inspects network traffic and raises alerts based on a configurable set of rules. And, would you look at that, it’s fully compatible with Wazuh!

It’s important to note that I am using Suricata 7.0.1; many of the instructions you will find online will not work with this version as written, so you may need to adjust the commands for whatever version you are using.

Now, for ease of lab management, I have temporarily removed the Windows machines from my home SOC environment, so the only agent active within my Wazuh dashboard is my Kali machine.

So, the first thing we have to do is to install Suricata onto my Kali endpoint with:

sudo apt-get update

sudo apt-get install suricata -y

Now that Suricata 7.0.1 is installed on my Kali machine, I need to make sure that it has a ruleset to enforce. Different versions of Suricata import rulesets in different ways; for my version, all I had to do was run the following on the command line:

sudo suricata-update

This downloads the Emerging Threats Open ruleset into the /var/lib/suricata/rules/ directory.

After downloading the ruleset, it’s good practice to make sure that Suricata is configured to pull rules from the correct directory. The configuration file is /etc/suricata/suricata.yaml.

These are the lines we’re looking for; they were already configured the way that I need them to be, so I’ll leave them.

There is a section of the config file for Linux high speed capture. It’s important to note that I had to change the network interface on this line from eth0 to eth1, since eth1 is my externally-facing interface.

So now I have Suricata installed and a ruleset configured. All I need to do to get it running is start the service with:

sudo systemctl start suricata.service

And we’re running. From now on, if I want to update my rules, I just need to run sudo suricata-update again, and I know that everything is pointed at the correct files and directories. It’s good practice to update the rules frequently, because the rules themselves are updated regularly.

Now we have to enable Wazuh to read the logs from Suricata. To do this, we need to edit the /var/ossec/etc/ossec.conf file and add the following:

The file already contains many localfile entries for the various ways of reading log files, so this block can simply be appended and saved using your text editor of choice.

Then a quick sudo systemctl restart wazuh-agent applies the changes.
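Before moving on to the ping test, here is a small sanity-check script I wrote for this step (it is an added example, not part of the original post or of Suricata/Wazuh). It verifies the three things the steps above depend on: that suricata.yaml points at the rule directory suricata-update writes to, that ossec.conf has a localfile entry reading eve.json as JSON, and that alerts are actually landing in eve.json. The paths and XML tag names are the Suricata 7 and Wazuh defaults, assumed here; the sample files it creates are constructed so it runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the Suricata -> Wazuh
# pipeline. Paths and XML tag names are the Suricata 7 / Wazuh defaults assumed here.
# Print the directory Suricata loads rules from; fail unless rule-files lists
# suricata.rules, the file that suricata-update writes.
check_rule_path() {
  local yaml="$1" dir
  dir=$(awk '/^default-rule-path:/ {print $2; exit}' "$yaml")
  [ -n "$dir" ] || return 1
  grep -Eq '^[[:space:]]*-[[:space:]]*suricata\.rules' "$yaml" || return 1
  printf '%s\n' "$dir"
}

# Succeed only if ossec.conf has a <localfile> block that reads eve.json as JSON.
check_wazuh_localfile() {
  awk '
    /<localfile>/   { inblk=1; fmt=""; loc=""; next }
    inblk && /<log_format>/ { gsub(/.*<log_format>|<\/log_format>.*/, ""); fmt=$0 }
    inblk && /<location>/   { gsub(/.*<location>|<\/location>.*/, ""); loc=$0 }
    /<\/localfile>/ { if (fmt=="json" && loc=="/var/log/suricata/eve.json") ok=1; inblk=0 }
    END { exit ok ? 0 : 1 }' "$1"
}

# List the signature of every alert event in eve.json (grep/sed, no jq needed).
eve_alert_signatures() {
  grep '"event_type": *"alert"' "$1" | sed -n 's/.*"signature": *"\([^"]*\)".*/\1/p'
}

# Constructed sample files so the script runs offline; on a real host point the
# functions at /etc/suricata/suricata.yaml, /var/ossec/etc/ossec.conf and eve.json.
make_samples() {
  printf 'default-rule-path: /var/lib/suricata/rules\n\nrule-files:\n  - suricata.rules\n' > "$1/suricata.yaml"
  cat > "$1/ossec.conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
EOF
  cat > "$1/eve.json" <<'EOF'
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"dhcp","dhcp":{"type":"request"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"192.0.2.10","alert":{"signature_id":1,"rev":1,"signature":"CONSTRUCTED TEST ALERT A","severity":3}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.11","alert":{"signature_id":2,"rev":1,"signature":"CONSTRUCTED TEST ALERT B","severity":3}}
EOF
}
SAMPLES=$(mktemp -d) && make_samples "$SAMPLES"
check_rule_path "$SAMPLES/suricata.yaml" && check_wazuh_localfile "$SAMPLES/ossec.conf" && eve_alert_signatures "$SAMPLES/eve.json"
```

A non-zero exit from either check function is the signal to go back and look at the corresponding config file before trusting what the Wazuh dashboard shows.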

To test that Suricata is logging data correctly, and to make sure that Wazuh is correctly parsing said data and integrating it into the dashboard, I pinged the Kali machine using the Wazuh manager device.

Then, we go to the Security Events module in Wazuh and filter on “rule.groups:suricata”.

Now we have a recorded DHCP request, and the description of the rule is that the Kali VM’s hostname may have been in the response to said request. Cool!