Uploaded by ctofabioborges
Suricata, Pfsense and WAZUH

Introduction:
In this task, I set up Suricata on pfSense and pushed its logs to the Wazuh dashboard. To
accomplish this, I deployed pfSense in my environment, installed and deployed Wazuh, and
connected the two through the Wazuh agent running on the pfSense host.

pfSense:
pfSense is an open-source firewall and router distribution based on FreeBSD. It provides robust
firewalling and routing features, making it suitable for both small home networks and large
enterprise environments. pfSense offers a web-based management interface, advanced networking
capabilities, and add-on packages (Suricata among them), making it a versatile choice for managing
and securing network traffic.

Wazuh:
Wazuh is an open-source security platform (SIEM/XDR) offering integrated security monitoring,
threat detection, and compliance management. It collects and analyses data in near real time from
endpoints, servers, network devices, and cloud workloads through agents and log ingestion,
supporting incident response and regulatory compliance. Its scalability, web dashboard, and
comprehensive documentation suit organizations from small businesses to large enterprises that
want better visibility into their IT infrastructure.

Suricata:
Suricata is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS)
for network security monitoring. It uses deep packet inspection, signature (pattern) matching, and
protocol-aware logging (EVE JSON) to detect threats in real time and, when run inline, to drop the
offending traffic. Suricata is highly scalable and customizable, and integrates well with other
security tools.

Profile link: https://www.linkedin.com/in/areeba-israr/


Prerequisites

1. Wazuh:

Deploy and set up the Wazuh server (manager and dashboard) in your network.

2. pfSense:

Deploy and configure pfSense according to your environment's requirements.

3. Wazuh agent on pfSense:

Install a Wazuh agent on the pfSense host, register it with the manager, and confirm it is sending
logs to Wazuh for monitoring before continuing.

Deployment of Suricata:

Interface and Mode Setup for Suricata in pfSense

Install the Suricata package from the pfSense package manager, then add each interface Suricata
should monitor and choose IDS mode (alert only) or IPS mode (alert and block) for it. For testing
purposes, I configured Suricata as IDS on the LAN interface and as IPS on the WAN interface.

pfSense offers two blocking modes: Legacy Mode blocks the offending source address through the
packet filter after an alert fires (the packet that triggered the alert is not itself stopped),
while Inline Mode puts Suricata in the packet path via netmap and drops the packet, which requires
a NIC driver with netmap support. Before enabling blocking on WAN, add your gateway, DNS servers
and management hosts to a Pass List so that a noisy rule cannot lock you out of the firewall.


Rule settings configuration:
Configure the rule sets Suricata should download. The package offers the Emerging Threats Open
(ETOpen) rules and can also fetch the ETPro or Snort subscriber rules if you supply a subscription
code, and you can add URLs of other rule sets to download additional rules.

Set the update interval: how frequently you want the rules to be re-downloaded.

You can also trigger a manual rule update from the Updates tab.


Rule tuning:
Rule categories:
Here you can view the rule categories applied to the interface. You can add or remove rule
categories based on your requirements. I enable the basic rule categories by default.


To get details of the category visit the Description link:
https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

Managing Rules:
You can view all the rules contained in each category and enable or disable individual rules
according to your environment.

Set the log retention period (how long Suricata keeps its logs on the firewall before they are
rotated):


Disable, enable, or drop traffic (SID management):
You can list rule SIDs (signature IDs, written as gid:sid) or whole rule categories in the enable,
disable, and drop list files to enable, disable, or switch specific rules to drop. A rule switched
to drop only discards packets when the interface runs in inline IPS mode; in IDS mode it still just
raises an alert.
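To make the effect of those three lists concrete, here is an added example (not pfSense's or Suricata's own code) that applies enable, disable and drop lists to a set of rules. The list syntax is modeled on the pfSense SID Mgmt files (one gid:sid or one category name per line, "#" starts a comment); the processing order (enable, then disable, then drop) is this example's choice, and all rules, SIDs and category names are constructed sample data.

```python
"""Apply pfSense-style SID management lists to Suricata rules.

Added example, not pfSense's or Suricata's own code. List syntax is modeled
on the pfSense Suricata package's SID Mgmt files (enablesid.conf,
disablesid.conf, dropsid.conf): one entry per line, either "gid:sid" for a
single rule or a rule-category name for every rule in that category, with "#"
starting a comment. The order enable -> disable -> drop is this example's
choice. All rules, SIDs and category names below are constructed sample data.
"""
import re

# Constructed sample rules, keyed by category (one .rules file each).
# A leading "#" marks a rule that is disabled by default, as in ET rule files.
SAMPLE_RULES = {
    "emerging-scan": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN SSH probe"; '
        'flags:S; classtype:attempted-recon; sid:9000001; rev:1;)',
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE SCAN telnet probe"; '
        'flags:S; classtype:attempted-recon; sid:9000002; rev:1;)',
    ],
    "emerging-dos": [
        'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DOS DNS amplification"; '
        'classtype:attempted-dos; sid:9000003; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
ENTRY_RE = re.compile(r"^(\d+):(\d+)$")


def parse_list(text):
    """Parse one SID list file into ({(gid, sid)}, {category name})."""
    sids, cats = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            sids.add((int(m.group(1)), int(m.group(2))))
        else:
            cats.add(line)
    return sids, cats


def rule_key(rule):
    """Return (gid, sid) of a rule line, or None if the line is not a rule."""
    body = rule.lstrip("# ")
    sid = SID_RE.search(body)
    if not sid:
        return None
    gid = GID_RE.search(body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1


def apply_lists(rules_by_cat, enable="", disable="", drop=""):
    """Return a new {category: [rule lines]} with the three lists applied."""
    en_sids, en_cats = parse_list(enable)
    dis_sids, dis_cats = parse_list(disable)
    drop_sids, drop_cats = parse_list(drop)
    out = {}
    for cat, rules in rules_by_cat.items():
        new_rules = []
        for rule in rules:
            key = rule_key(rule)
            if key is None:  # plain comment or blank line: keep verbatim
                new_rules.append(rule)
                continue
            disabled = rule.lstrip().startswith("#")
            text = rule.lstrip("# ")
            if cat in en_cats or key in en_sids:
                disabled = False
            if cat in dis_cats or key in dis_sids:
                disabled = True
            # "alert" -> "drop" only changes behaviour in inline IPS mode;
            # in IDS mode Suricata still just alerts on a drop rule.
            if not disabled and (cat in drop_cats or key in drop_sids):
                text = re.sub(r"^alert\b", "drop", text)
            new_rules.append(("# " if disabled else "") + text)
        out[cat] = new_rules
    return out


def status_by_sid(rules_by_cat):
    """Map sid -> 'disabled', 'drop' or 'alert' for quick inspection."""
    result = {}
    for rules in rules_by_cat.values():
        for rule in rules:
            key = rule_key(rule)
            if key is None:
                continue
            result[key[1]] = "disabled" if rule.lstrip().startswith("#") else rule.split()[0]
    return result


if __name__ == "__main__":
    # Enable the whole scan category, disable the DOS rule, make the SSH probe a drop.
    tuned = apply_lists(SAMPLE_RULES, enable="emerging-scan\n",
                        disable="1:9000003\n", drop="1:9000001  # inline only\n")
    for cat, rules in tuned.items():
        print(f"== {cat}")
        print("\n".join(rules))
    print(status_by_sid(tuned))
```

The thing to take from the example is the interaction of the lists: a category name in the enable list re-enables rules that the rule set ships commented out, a disable entry overrides an enable entry for the same rule, and a drop entry has no effect on a rule that ends up disabled.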


Alerts:
Go to the Alerts tab and select the interface for which you want to view alerts.


For Suricata alerts in Wazuh:
Enable EVE JSON output for the interface in pfSense:
Services > Suricata > Interfaces > edit the interface > EVE Output Settings (check EVE JSON Log)

Ensuring Logs are Saved in the Suricata Log File on pfSense

Open a shell on pfSense and confirm that events are being written to
/var/log/suricata/*/eve.json (one directory per monitored interface, hence the wildcard). The
file should grow as traffic passes and contain lines with "event_type":"alert" once rules fire.
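A quick way to make that check, as an added example that is not part of the original write-up: the script below reads every eve.json matched by the wildcard path used above, counts the event types per file, lists the alert records with the fields Wazuh's Suricata decoder works from, and says whether the interface is ready for forwarding. SAMPLE_EVE is constructed sample data in the EVE format so the script also runs away from the firewall.

```python
"""Check that Suricata on pfSense is writing EVE JSON alerts for Wazuh.

Added example, not from the write-up. Reads every eve.json matched by the
wildcard path used in the write-up (one directory per monitored interface),
counts event types and extracts alert records. SAMPLE_EVE is constructed
sample data in the EVE format; the SIDs and addresses are not real.
"""
import glob
import json
from collections import Counter

EVE_GLOB = "/var/log/suricata/*/eve.json"  # path from the write-up

# Constructed sample: two alerts, one DNS event, one truncated line (as seen when
# a file is read while Suricata is mid-write).
SAMPLE_EVE = r'''
{"timestamp":"2024-05-01T10:00:01.000000+0000","flow_id":1,"in_iface":"em1","event_type":"alert","src_ip":"203.0.113.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"EXAMPLE SCAN SSH probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","flow_id":2,"in_iface":"em1","event_type":"dns","src_ip":"192.0.2.10","src_port":5353,"dest_ip":"192.0.2.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","flow_id":3,"in_iface":"em0","event_type":"alert","src_ip":"198.51.100.7","src_port":4444,"dest_ip":"192.0.2.20","dest_port":445,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":2,"signature":"EXAMPLE EXPLOIT SMB probe","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"flow",
'''


def summarize_eve(lines):
    """Return (Counter of event_type, list of flattened alert records)."""
    counts = Counter()
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            counts["malformed"] += 1  # partial line; Wazuh skips these too
            continue
        etype = ev.get("event_type", "unknown")
        counts[etype] += 1
        if etype == "alert":
            a = ev.get("alert", {})
            alerts.append({
                "timestamp": ev.get("timestamp"),
                "iface": ev.get("in_iface"),
                "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
                "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
                "signature_id": a.get("signature_id"),
                "signature": a.get("signature"),
                "severity": a.get("severity"),
                # "allowed" in IDS mode, "blocked" when an inline IPS drop rule fired
                "action": a.get("action"),
            })
    return counts, alerts


def diagnose(counts):
    """Turn the event-type counts into the answer a first check needs."""
    if sum(counts.values()) == 0:
        return "no events: EVE JSON output is probably not enabled on this interface"
    if counts["alert"] == 0:
        return "events but no alerts: check that rule categories are enabled and traffic hits them"
    return "ok"


def check_files(pattern=EVE_GLOB):
    """Summarize every eve.json on the firewall; returns {path: (counts, alerts)}."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = summarize_eve(fh)
    return results


if __name__ == "__main__":
    found = check_files()
    if not found:
        print(f"no files match {EVE_GLOB}; using the constructed sample instead")
        found = {"<sample>": summarize_eve(SAMPLE_EVE.splitlines())}
    for path, (counts, alerts) in found.items():
        print(path, dict(counts), "->", diagnose(counts))
        for a in alerts[-5:]:
            print(f"  {a['timestamp']} {a['iface']} {a['src']} -> {a['dest']} "
                  f"sid={a['signature_id']} sev={a['severity']} {a['action']}: {a['signature']}")
```

Run it on the firewall with the Python shipped by pfSense, or anywhere to see the sample output. A file that exists but only ever holds flow and dns events means the output is configured but no enabled rule is matching; an empty match for the glob means the EVE JSON Log option is not ticked for that interface.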

Including the Suricata Log File in the Wazuh Agent Configuration

After ensuring logs are being saved to /var/log/suricata/*/eve.json, add this file location to the
Wazuh agent's configuration (ossec.conf) as a localfile entry with log_format json.

Then restart the agent (service wazuh-agent restart) so it picks up the new configuration.
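The agent-side entry described above, as an added example based on the Wazuh documentation's Suricata integration and not a fragment from the original write-up. It goes in the agent's ossec.conf on the pfSense host (assumed to be /var/ossec/etc/ossec.conf, the default agent install path) and uses the wildcard location from this write-up:

```xml
<ossec_config>
  <!-- Suricata EVE JSON from pfSense. One eve.json per monitored-interface
       directory, hence the wildcard; log_format json makes the agent parse
       each line as a JSON event instead of a plain syslog line. -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/*/eve.json</location>
  </localfile>
</ossec_config>
```

After the restart, if the agent is connected but no Suricata events appear on the manager, check that the wildcard actually matches a file (the directory name includes the interface name and an ID) and that the user the agent runs as can read those files.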

Alerts on Wazuh:
