Argus integrates with a network-based intrusion detection system (NIDS) to improve threat detection by monitoring and analyzing network traffic.
In this use case, we show how to integrate Suricata with Argus. Suricata enhances network security by offering detailed insights through its network traffic inspection features.
Requirements
- Argus manager
- Ubuntu endpoint where we install Suricata.
Ubuntu endpoint
Steps to configure Suricata on the Ubuntu endpoint and send the generated logs to the Argus server.
- Install Suricata on the Ubuntu endpoint.
$ sudo add-apt-repository ppa:oisf/suricata-stable
$ sudo apt-get update
$ sudo apt-get install suricata -y
- Download and extract the Emerging Threats Suricata ruleset
cd /tmp/ && curl -LO https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz
sudo tar -xvzf emerging.rules.tar.gz && sudo mkdir -p /etc/suricata/rules && sudo mv rules/*.rules /etc/suricata/rules/
sudo chmod 640 /etc/suricata/rules/*.rules
- Modify Suricata settings in the /etc/suricata/suricata.yaml file and set the following variables (HOME_NET and EXTERNAL_NET live under vars: / address-groups:; use plain ASCII quotes and dashes, since YAML does not accept typographic ones):
vars:
  address-groups:
    HOME_NET: "<UBUNTU_IP>"
    EXTERNAL_NET: "any"

default-rule-path: /etc/suricata/rules
rule-files:
  - "*.rules"

# Global stats configuration
stats:
  enabled: yes

# Linux high speed capture support
af-packet:
  - interface: enp0s3
interface is the network interface Suricata monitors. Replace enp0s3 with the interface name of the Ubuntu endpoint, which you can list with:
ifconfig
- Restart the Suricata service:
sudo systemctl restart suricata
- Add the following configuration to the /var/ossec/etc/ossec.conf file of the Argus agent. This allows the Argus agent to read the Suricata logs file:
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
- Restart the Argus agent:
sudo systemctl restart wazuh-agent
Attack emulation
Argus automatically parses data from /var/log/suricata/eve.json and generates related alerts on the Argus dashboard.
Ping the Ubuntu endpoint IP address from the Argus server:
ping -c 20 <UBUNTU_IP>
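The Argus agent tails /var/log/suricata/eve.json, which Suricata writes as one JSON object per line. The following added example (not code from the page or from Argus/Suricata) shows what that file contains and what an analyst would pull out of it before the dashboard does the same: it decodes the lines, keeps only event_type "alert", and counts alerts per signature and host pair. The sample lines, signature names and addresses are constructed for this example; the last line is deliberately truncated, as the tail of a live eve.json often is while Suricata is still writing it, and the parser skips it rather than aborting.

```python
import json
from collections import Counter

# Constructed sample of eve.json lines (shaped like Suricata EVE output, but the
# signatures, IDs and addresses are made up). The final line is cut off on purpose.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2022-09-16T12:40:01.000000+0000","event_type":"alert","src_ip":"10.0.2.15","dest_ip":"10.0.2.20","proto":"ICMP","alert":{"signature_id":9000001,"signature":"SAMPLE ICMP echo request (constructed)","category":"Misc activity","severity":3}}',
    '{"timestamp":"2022-09-16T12:40:02.000000+0000","event_type":"flow","src_ip":"10.0.2.15","dest_ip":"10.0.2.20","proto":"ICMP"}',
    '{"timestamp":"2022-09-16T12:40:03.000000+0000","event_type":"alert","src_ip":"10.0.2.15","dest_ip":"10.0.2.20","proto":"ICMP","alert":{"signature_id":9000001,"signature":"SAMPLE ICMP echo request (constructed)","category":"Misc activity","severity":3}}',
    '{"timestamp":"2022-09-16T12:40:04.000000+0000","event_type":"alert","src_ip":"10.0.2.15","dest_ip":"10.0.2.20","proto":"TCP","alert":{"signature_id":9000002,"signature":"SAMPLE TCP probe (constructed)","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2022-09-16T12:40:05.000000+0000","event_type":"al',
]


def parse_eve(lines):
    """Decode EVE JSON lines. Returns (events, skipped): incomplete or
    malformed lines are counted and skipped instead of stopping the parse."""
    events, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def alert_summary(events):
    """Count alert events keyed by (signature, severity, src_ip, dest_ip),
    which are the fields an analyst filters on in the dashboard."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") != "alert":
            continue  # flow, dns, stats, ... are not alerts
        a = ev.get("alert", {})
        key = (a.get("signature"), a.get("severity"), ev.get("src_ip"), ev.get("dest_ip"))
        counts[key] += 1
    return counts


def high_priority(events, threshold=2):
    """Alerts at or above a priority. Suricata severity is inverted:
    1 is the most severe, so 'at least as severe as 2' means severity <= 2."""
    return [ev for ev in events
            if ev.get("event_type") == "alert"
            and ev.get("alert", {}).get("severity", 99) <= threshold]


if __name__ == "__main__":
    # Read the live file instead: with open("/var/log/suricata/eve.json") as f: ...
    events, skipped = parse_eve(SAMPLE_EVE_LINES)
    print(f"{len(events)} events decoded, {skipped} incomplete line(s) skipped")
    for (sig, sev, src, dst), n in alert_summary(events).most_common():
        print(f"{n:3d}  sev={sev}  {src} -> {dst}  {sig}")
```

The inverted severity scale is the detail most often got wrong when building a filter on these events: a rule that reads "severity greater than 2" selects the least interesting alerts.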
Monitoring the Alerts
- Navigate to Threat Hunting >> Events
- Add the filter rule.groups:suricata
- Save
Troubleshooting
Error log:
16/9/2022 -- 12:32:16 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
16/9/2022 -- 12:32:16 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Location: Suricata log - /var/log/suricata/suricata.log
Resolution: Suricata is trying to open an interface (here eth0) that does not exist on the endpoint. Check the name of your network interface and configure it accordingly in the /etc/sysconfig/suricata and /etc/suricata/suricata.yaml files.
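The two failures this page is most exposed to are the one in the error log above (an af-packet interface that does not exist on the host) and a silent one in the agent step (a <localfile> entry that does not point at eve.json with log_format json, so nothing ever reaches Argus). The following preflight check, an added example that is not part of the page or of Argus/Suricata, catches both before the services are restarted. It reads the af-packet interface list out of suricata.yaml with a small line scanner (deliberately no YAML library, since only that one list is needed), compares it with the interface names in /sys/class/net, and parses ossec.conf to confirm the eve.json localfile. The suricata.yaml and ossec.conf fragments and the interface set in the block are constructed samples; the helper names (afpacket_interfaces, missing_interfaces, agent_reads_eve, preflight) are this example's own.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs. On the endpoint, read /etc/suricata/suricata.yaml
# and /var/ossec/etc/ossec.conf and take the interface names from host_interfaces().
SAMPLE_SURICATA_YAML = """\
default-rule-path: /etc/suricata/rules
af-packet:
  - interface: eth0
    cluster-id: 99
  - interface: enp0s3
pcap:
  - interface: eth1
"""
SAMPLE_OSSEC_CONF = """\
<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
"""
SAMPLE_INTERFACES = {"lo", "enp0s3"}  # what /sys/class/net might list on the sample host

IFACE_LINE = re.compile(r"^\s*-\s*interface:\s*['\"]?([^'\"\s#]+)")


def afpacket_interfaces(yaml_text):
    """Interface names listed under the top-level af-packet: key, in order.
    The block ends at the next line that starts in column 0 (the next top-level key)."""
    names, in_block = [], False
    for line in yaml_text.splitlines():
        if re.match(r"^af-packet:\s*$", line):
            in_block = True
            continue
        if in_block and line and not line[0].isspace():
            in_block = False
        if in_block:
            m = IFACE_LINE.match(line)
            if m:
                names.append(m.group(1))
    return names


def missing_interfaces(yaml_text, present):
    """Interfaces Suricata would try to open that the host does not have."""
    return [n for n in afpacket_interfaces(yaml_text) if n not in present]


def agent_reads_eve(ossec_conf_text, eve_path="/var/log/suricata/eve.json"):
    """True if some <localfile> reads eve_path as json, which is what the agent step adds."""
    root = ET.fromstring(ossec_conf_text.strip())
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip()
        log_format = (lf.findtext("log_format") or "").strip()
        if location == eve_path and log_format == "json":
            return True
    return False


def preflight(yaml_text, ossec_conf_text, present):
    """List of human-readable problems; an empty list means both checks passed."""
    problems = []
    for name in missing_interfaces(yaml_text, present):
        problems.append(f"af-packet interface '{name}' not found on host "
                        f"(Suricata would fail with SC_ERR_AFP_CREATE)")
    if not agent_reads_eve(ossec_conf_text):
        problems.append("ossec.conf has no <localfile> with log_format json "
                        "for /var/log/suricata/eve.json")
    return problems


def host_interfaces():
    """Live interface names from /sys/class/net (Linux); empty set elsewhere."""
    try:
        return set(os.listdir("/sys/class/net"))
    except OSError:
        return set()


if __name__ == "__main__":
    for p in preflight(SAMPLE_SURICATA_YAML, SAMPLE_OSSEC_CONF, SAMPLE_INTERFACES):
        print("PROBLEM:", p)
```

Run it after the configuration steps and before the two restarts; with the sample inputs it reports only the missing eth0, which is exactly the condition behind the SC_ERR_AFP_CREATE lines above. The eth1 under pcap: is ignored on purpose, because that capture method is not the one this page enables.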