Saturday, April 11, 2026

Lab: Building a Network IDS with Active Response via Wazuh and Suricata




Lab: integrating Wazuh with Suricata for network intrusion detection and automated response

Wazuh Server installation (192.168.100.10), using the all-in-one quickstart script (the -a flag installs the indexer, server and dashboard on the same host):

https://documentation.wazuh.com/current/quickstart.html

curl -sO https://packages.wazuh.com/4.14/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Wazuh Agent installation

(client interface ens160 192.168.100.20/24; Suricata monitor interface ens224 192.168.100.30/32)

curl -o wazuh-agent-4.14.4-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.14.4-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.100.10' rpm -ihv wazuh-agent-4.14.4-1.x86_64.rpm


The Suricata side follows the Wazuh proof-of-concept guide. Besides the Suricata setup below, the guide adds a <localfile> entry to /var/ossec/etc/ossec.conf on the agent that reads /var/log/suricata/eve.json with log_format json, then restarts wazuh-agent so the alerts reach the manager:

https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html


[root@Wazuh-Client01 suricata]# ip add | grep ens

2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

    inet 192.168.100.20/24 brd 192.168.100.255 scope global noprefixroute ens160

3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

    inet 192.168.100.30/32 scope global noprefixroute ens224


Reference URLs

Suricata installation

https://docs.suricata.io/en/suricata-7.0.15/install.html#rpm-packages

https://copr.fedorainfracloud.org/coprs/g/oisf/suricata-7.0/


Suricata rules (Emerging Threats Open)

https://rules.emergingthreats.net/open/suricata-7.0.15/

https://rules.emergingthreats.net/open/suricata-7.0.15/rules/


Key Suricata settings (the capture interface must be the monitor NIC, ens224, not the default eth0)

vi /etc/sysconfig/suricata

OPTIONS="-i eth0" -->  OPTIONS="-i ens224" 

vi /etc/suricata/suricata.yaml

interface: eth0 ---> interface: ens224

or, with sed:

sed -i 's/interface: eth0/interface: ens224/g' /etc/suricata/suricata.yaml


Rule set to load (suricata-update writes the merged rule set to /var/lib/suricata/rules/suricata.rules; verify the configuration with suricata -T -c /etc/suricata/suricata.yaml before restarting the service)

vi /etc/suricata/suricata.yaml

## Configure Suricata to load Suricata-Update managed rules.
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules


Checking triggered alerts in fast.log

[root@Wazuh-Client01 rules]# cat /var/log/suricata/fast.log
04/11/2026-20:01:05.711058  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.0.187:80 -> 192.168.100.20:59428
04/11/2026-20:07:12.072266  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:07:12.072339  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:07:13.250532  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:07:13.250583  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:15:53.248125  [**] [1:2047866:4] ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.99:53705 -> 8.8.8.8:443
04/11/2026-20:16:25.147099  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:16:25.147133  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:16:25.741758  [**] [1:2062715:1] ET INFO Observed UA-CPU Header [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.99:53720 -> 66.203.127.11:80
04/11/2026-20:19:40.406579  [**] [1:2027695:5] ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.99:52061 -> 104.16.248.249:443
04/11/2026-21:08:39.787225  [**] [1:1000001:1] DEBUG SQL Injection Attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.100.10:51566 -> 192.168.100.30:80
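fast.log is the quickest sanity check that rules fire, but it is a flat text format that still needs parsing before it can be triaged (the Wazuh agent itself ingests eve.json, not fast.log). The following Python is an added example, not code from the original post or from Wazuh/Suricata: it parses fast.log records with a regular expression, skips malformed lines, counts hits per SID, flags signatures that carry no classtype (the "(null)" classification seen for the local DEBUG rule) and pulls out priority 1-2 alerts. The sample input is constructed from five lines of the log above plus one junk line, and IPv4 endpoints are assumed.

```python
"""Parse Suricata fast.log alerts and summarise them by SID, priority and flow."""
import re
from collections import Counter
from datetime import datetime

# One fast.log record looks like:
# 04/11/2026-20:01:05.711058  [**] [1:2100498:7] MSG [**] [Classification: X] [Priority: 2] {TCP} A:80 -> B:59428
# IPv4 endpoints are assumed here (the lab uses IPv4 only).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

# Constructed sample: five records copied from the lab's fast.log plus one
# deliberately malformed line to exercise the skip path.
SAMPLE_FAST_LOG = """\
04/11/2026-20:01:05.711058  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.0.187:80 -> 192.168.100.20:59428
04/11/2026-20:07:12.072266  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:07:12.072339  [**] [1:2039584:2] ET FILE_SHARING Observed DNS Query to Filesharing Service (mega .co .nz) [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.100.99:52525 -> 8.8.8.8:53
04/11/2026-20:15:53.248125  [**] [1:2047866:4] ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.100.99:53705 -> 8.8.8.8:443
this line is not a fast.log record and must be skipped
04/11/2026-21:08:39.787225  [**] [1:1000001:1] DEBUG SQL Injection Attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.100.10:51566 -> 192.168.100.30:80
"""


def parse_fast_log_line(line):
    """Return a dict for one alert record, or None if the line is not a fast.log record."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_fast_log(text):
    """Parse every record in a fast.log dump; malformed lines are counted and skipped."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_fast_log_line(line)
        if rec is None:
            skipped += 1
        else:
            alerts.append(rec)
    return alerts, skipped


def summarize(alerts, max_priority=2):
    """Aggregate alerts the way a first triage pass looks at them."""
    return {
        # hit count per signature
        "by_sid": Counter(a["sid"] for a in alerts),
        # rules without a classtype show up as "(null)"; list them so they get fixed
        "unclassified_sids": sorted({a["sid"] for a in alerts if a["classification"] == "(null)"}),
        # priority 1-2 alerts deserve a look before the priority-3 noise
        "urgent": [a for a in alerts if a["priority"] <= max_priority],
        # repeated hits on the same (sid, src, dst, dport) collapse to one flow
        "distinct_flows": len({(a["sid"], a["src"], a["dst"], a["dport"]) for a in alerts}),
    }


if __name__ == "__main__":
    alerts, skipped = parse_fast_log(SAMPLE_FAST_LOG)
    report = summarize(alerts)
    print(f"{len(alerts)} alerts parsed, {skipped} malformed line(s) skipped")
    for sid, n in report["by_sid"].most_common():
        print(f"  sid {sid}: {n} hit(s)")
    print("unclassified sids:", report["unclassified_sids"])
    for a in report["urgent"]:
        print(f"  PRIORITY {a['priority']} {a['msg']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
```

Run it against a real capture with `parse_fast_log(open("/var/log/suricata/fast.log").read())`; the unclassified list is the fastest way to catch local rules that were written without a classtype.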

 

Demo







Client-side self-test (the testmyids.com response body matches the GPL ATTACK_RESPONSE id check returned root signature, sid 2100498, which is the first entry in the fast.log above)

curl http://testmyids.com

SQL injection test sent from the server toward the client. The payload only leaves the server once the TCP handshake completes, so something must accept connections on 192.168.100.30:80 for Suricata to see the UNION SELECT string:

echo "UNION SELECT 1,2,3" | nc -w 1 192.168.100.30 80


SQL injection rule

cat /var/lib/suricata/rules/local.rules

alert tcp any any -> any any (msg:"DEBUG SQL Injection Attempt"; content:"UNION SELECT"; nocase; sid:1000001; rev:1;)

The rule has no classtype, which is why fast.log prints Classification: (null) for sid 1000001; adding classtype:web-application-attack; (and flow:to_server,established; so that only client-to-server payloads match) fixes that. Because suricata.yaml only lists suricata.rules, local.rules is loaded only if it is merged into that file, for example with suricata-update --local /var/lib/suricata/rules/local.rules, or if it is listed explicitly under rule-files.





