Network IDS integration

Argus integrates with a network-based intrusion detection system (NIDS) to improve threat detection by monitoring and analyzing network traffic.

In this use case, we show how to integrate Suricata with Argus. Suricata enhances network security by offering detailed insights through its network traffic inspection features.

Requirements

  • Argus manager
  • Ubuntu endpoint where we install Suricata.

Ubuntu endpoint

Steps to configure Suricata on the Ubuntu endpoint and send the generated logs to the Argus server.

  1. Install Suricata on the Ubuntu endpoint. 

$ sudo add-apt-repository ppa:oisf/suricata-stable

$ sudo apt-get update

$ sudo apt-get install suricata -y

  • Download and extract the Emerging Threats Suricata ruleset

cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz

# mkdir -p so the chain does not stop if /etc/suricata/rules already exists
sudo tar -xvzf emerging.rules.tar.gz && sudo mkdir -p /etc/suricata/rules && sudo mv rules/*.rules /etc/suricata/rules/

sudo chmod 640 /etc/suricata/rules/*.rules

  • Modify Suricata settings in the /etc/suricata/suricata.yaml file and set the following variables:

HOME_NET: "<UBUNTU_IP>"
EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules

rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: yes

# Linux high speed capture support
af-packet:
  - interface: enp0s3

interface is the network interface you want to monitor. Replace the value with the name of the interface on the Ubuntu endpoint, which you can list with ifconfig:

ifconfig

  • Restart the Suricata service:

sudo systemctl restart suricata

  • Add the following configuration to the /var/ossec/etc/ossec.conf file of the Argus agent. This allows the Argus agent to read the Suricata logs file:

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

  • Restart the Argus agent

sudo systemctl restart wazuh-agent

Attack emulation

Argus automatically parses data from /var/log/suricata/eve.json and generates related alerts on the Argus dashboard.

Ping the Ubuntu endpoint IP address from the Argus server:

ping -c 20 "<UBUNTU_IP>"

Monitoring the Alerts

  1. Navigate to Threat Hunting > Events
  2. Add the filter rule.groups:suricata
  3. Save
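Before looking at the dashboard, it helps to confirm that the ping test actually produced alert records in eve.json and that the capture interface named in suricata.yaml exists. The script below is an added example, not part of this article or of the Argus/Wazuh agent: it reads eve.json one JSON document per line as the agent's json log_format does, counts alert events per signature and address pair, and checks the interface the way af-packet needs it at start-up. The sample lines, the sid, the signature text and the addresses are constructed.

```python
import json
import os
from collections import Counter

# Constructed sample of what Suricata appends to /var/log/suricata/eve.json during the
# ping test: two ICMP alerts, one flow record, and a truncated line that imitates a
# record still being written. Sid, signature and addresses are illustrative only.
SAMPLE_EVE = """\
{"timestamp":"2022-09-16T12:40:01.000000+0000","in_iface":"enp0s3","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":2100366,"rev":8,"signature":"GPL ICMP_INFO PING *NIX","category":"Misc activity","severity":3}}
{"timestamp":"2022-09-16T12:40:01.000100+0000","in_iface":"enp0s3","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP"}
{"timestamp":"2022-09-16T12:40:02.000000+0000","in_iface":"enp0s3","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"192.0.2.20","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":2100366,"rev":8,"signature":"GPL ICMP_INFO PING *NIX","category":"Misc activity","severity":3}}
{"timestamp":"2022-09-16T12:40:04.000000+0000","in_iface":"enp0s3","event_type":"ale
"""

def parse_eve(text):
    """Yield one dict per complete JSON line, as the agent's json log_format does;
    blank or truncated lines are skipped instead of aborting the whole read."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # partial record still being written; it is re-read later

def events_by_type(text):
    """Count records per event_type; only 'alert' records become Argus alerts."""
    return Counter(ev.get("event_type", "unknown") for ev in parse_eve(text))

def alert_summary(text):
    """Hit count per (sid, signature, src_ip, dest_ip): what should appear under the
    rule.groups:suricata filter once the agent has shipped the file."""
    counts = Counter()
    for ev in parse_eve(text):
        if ev.get("event_type") == "alert":
            sig = ev["alert"]
            counts[(sig["signature_id"], sig["signature"], ev.get("src_ip"), ev.get("dest_ip"))] += 1
    return counts

def iface_exists(name):
    """The condition af-packet needs at start-up; a missing interface produces the
    SC_ERR_AFP_CREATE 'Unable to find iface' error shown under Troubleshooting."""
    return os.path.isdir(os.path.join("/sys/class/net", name))

if __name__ == "__main__":
    print(dict(events_by_type(SAMPLE_EVE)))
    for (sid, sig, src, dst), n in alert_summary(SAMPLE_EVE).items():
        print(f"sid {sid} {sig!r} {src} -> {dst}: {n} hit(s)")
    for iface in ("enp0s3", "eth0"):
        print(iface, "present" if iface_exists(iface) else "MISSING: Suricata will not start")
```

To run it against a live endpoint, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json and the interface names with the value set under af-packet.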

Troubleshooting

Error log:

16/9/2022 -- 12:32:16 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed

Location: Suricata log – /var/log/suricata/suricata.log

Resolution: To solve this issue, check the name of your network interface and configure it accordingly in the /etc/sysconfig/suricata and /etc/suricata/suricata.yaml files.
