Network IDS integration

ThreatLockDown integrates with a network-based intrusion detection system (NIDS) to enhance threat detection by monitoring network traffic.

In this use case, we demonstrate how to integrate Suricata with Wazuh. Suricata can provide additional insights into your network's security with its network traffic inspection capabilities.

Infrastructure

Endpoint

Description

Ubuntu 22.04

This is the endpoint where you install Suricata. In this use case, ThreatLockDown monitors and analyzes the network traffic generated on this endpoint.

Configuration

Take the following steps to configure Suricata on the Ubuntu endpoint and send the generated logs to the ThreatLockDown server.

  1. Install Suricata on the Ubuntu endpoint. We tested this process with version 6.0.8 and it can take some time:

    $ sudo add-apt-repository ppa:oisf/suricata-stable
$ sudo apt-get update
$ sudo apt-get install suricata -y

  2. Download and extract the Emerging Threats Suricata ruleset:

    $ cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
$ sudo tar -xvzf emerging.rules.tar.gz && sudo mv rules/*.rules /etc/suricata/rules/
$ sudo chmod 640 /etc/suricata/rules/*.rules

  3. Modify Suricata settings in the /etc/suricata/suricata.yaml file and set the following variables:

    HOME_NET: "<UBUNTU_IP>"
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
- "*.rules"

# Global stats configuration
stats:
enabled: no

# Linux high speed capture support
af-packet:
  - interface: enp0s3

    interface represents the network interface you want to monitor. Replace the value with the interface name of the Ubuntu endpoint. For example, enp0s3.

    # ifconfig

    enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::9ba2:9de3:57ad:64e5  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:14:65:bd  txqueuelen 1000  (Ethernet)
        RX packets 6704315  bytes 1268472541 (1.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4590192  bytes 569730548 (543.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  4. Restart the Suricata service:

    $ sudo systemctl restart suricata

  5. Add the following configuration to the /var/ossec/etc/ossec.conf file of the ThreatLockDown agent. This allows the ThreatLockDown agent to read the Suricata logs file:

    <ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

  6. Restart the ThreatLockDown agent to apply the changes:

    $ sudo systemctl restart wazuh-agent

Attack emulation

ThreatLockDown automatically parses data from /var/log/suricata/eve.json and generates related alerts on the ThreatLockDown dashboard.

Ping the Ubuntu endpoint IP address from the ThreatLockDown server:

$ ping -c 20 "<UBUNTU_IP>"

Visualize the alerts

You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and add the filters in the search bar to query the alerts.

  • rule.groups:suricata

Troubleshooting

  • Error log:

    16/9/2022 -- 12:32:16 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed

    Location: Suricata log - /var/log/suricata/suricata.log

    Resolution: To solve this issue, check the name of your network interface and configure it accordingly in the /etc/sysconfig/suricata and /etc/suricata/suricata.yaml files.