Step-by-Step Guide to Setting Up Snort as an IDS with Wazuh (SIEM) Integration

Safiullah Khan
5 min read, Jun 10, 2024


In this article we configure Snort as a network-level Intrusion Detection System and integrate it with the Wazuh SIEM, so that Snort alerts are shipped to Wazuh for threat detection and incident response.

What is an IDS?

An intrusion detection system (IDS) is an application that monitors network traffic and searches for known threats and suspicious or malicious activity. The IDS sends alerts to IT and security teams when it detects any security risks and threats.

What is Snort?

Snort is free, open-source network intrusion detection software that individuals and organizations can deploy. Its rule language determines which network traffic is inspected and what happens when a rule matches a malicious packet.

Step 1 — Install snort on Debian

Start the Virtual Machine — Once the VM is booted the installation process for snort is a single command inside your terminal:

sudo apt-get install snort -y

Once the prerequisites are installed, the package's debconf dialog asks you to complete the initial setup. The first thing it asks for is the address range of the local network that Snort should treat as its home network (HOME_NET), given in CIDR notation.

When that is done, check that Snort was installed properly by running snort -V, which prints the version and build information. (Note the capital V: a lowercase -v instead starts Snort as a packet sniffer that prints every packet header to the terminal until you stop it.)

Step 2 — snort configuration

By default the Debian package keeps Snort's configuration in /etc/snort/snort.conf and writes its logs under /var/log/snort. We start with the configuration file:

sudo nano /etc/snort/snort.conf

The line output alert_syslog: LOG_AUTH LOG_ALERT tells Snort to send its alerts to syslog with facility LOG_AUTH and priority LOG_ALERT. The two keywords only control how syslog files the messages; they do not restrict logging to authentication events.

The Wazuh agent already collects the system's syslog files by default, so alerts that Snort sends through syslog reach the SIEM without further configuration.

By default, however, Snort writes its alert and packet logs in binary formats (unified2 for alerts, and the pcap format that Wireshark reads for packet logs), which a log collector cannot parse line by line. We therefore enable the alert_fast output module, which writes one readable text line per alert: add an output alert_fast line in snort.conf naming the alert file, snort.alert.fast. Snort creates it in its log directory as /var/log/snort/snort.alert.fast, which is the file the Wazuh agent will be pointed at later.

Snort is now configured to write alerts to a file the SIEM can read, so we restart Snort for the changes to take effect.

sudo systemctl restart snort

Step 3 Rules and Tests

Now we add rules for traffic analysis; the alerts these rules raise are what will be forwarded to the Wazuh SIEM.

Rules are stored under /etc/snort/rules. The file we want is local.rules, which is meant for site-specific rules that are not part of the distributed rule sets.

We will add this rule for ICMP traffic detection as shown below.

alert icmp any any -> any any (msg:"ICMP connection attempt:"; sid:1000010; rev:1;)

The four any fields are source IP, source port, destination IP and destination port, so this rule matches every ICMP packet Snort sees, from any host to any host. ICMP has no ports, but Snort's rule syntax still requires both port fields, so they are set to any. The sid 1000010 is in the range (1,000,000 and above) that Snort reserves for local rules, so it cannot collide with the distributed rule sets, and rev tracks revisions of the rule.

Testing local rules

We can print Snort's alerts directly on the terminal with the following command.

sudo snort -q -A console -c /etc/snort/rules/local.rules

This runs Snort in the foreground with only local.rules loaded (no preprocessors or other rule sets) and prints alerts in fast format to the console. Pinging the host from another machine should produce one alert per ICMP packet; if Snort listens on the wrong interface, add -i with the interface name. With the rule confirmed, we integrate Snort with Wazuh in the next section.
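To make the rule and its output concrete, the following Python script (an added example for this article, not code from Snort or Wazuh) parses the ICMP rule above into its header fields and options, checks that the sid is in the range Snort reserves for local rules, and parses alert lines in the fast format that -A console prints and that the alert_fast module writes to the file the Wazuh agent will later read. The alert lines and the second rule sid (1000020) are constructed for illustration, not taken from a real capture.

```python
"""Parse Snort 2 rules and the alert_fast lines they produce.

Added example for this article, not code from Snort or Wazuh. The alert
lines below are constructed to mirror Snort's fast format; the rule is the
ICMP rule from local.rules.
"""
import re
from typing import Optional

# Snort 2 rule: "<action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)"
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)
# One rule option: "key;" or "key:value;". Quoted values may contain ';'.
OPTION_RE = re.compile(r'\s*(?P<key>\w+)(?::\s*(?P<value>"(?:[^"\\]|\\.)*"|[^;]*))?;')

# alert_fast / "-A console" line:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

LOCAL_SID_MIN = 1_000_000  # Snort reserves sids >= 1,000,000 for local rules


def parse_rule(text: str) -> dict:
    """Split a rule into header fields and an options dict; raise on malformed input."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {text!r}")
    rule = m.groupdict()
    options = {}
    for opt in OPTION_RE.finditer(rule.pop("options")):
        value = opt.group("value")
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # drop the quotes around msg, content, ...
        options[opt.group("key")] = value.strip() if value else value
    if "sid" not in options:
        raise ValueError("rule has no sid; Snort will refuse to load it")
    rule["sid"] = int(options["sid"])
    rule["rev"] = int(options.get("rev", "0"))
    rule["msg"] = options.get("msg", "")
    rule["options"] = options
    # A local rule with a sid below 1,000,000 risks colliding with distributed rule sets.
    rule["local_sid_ok"] = rule["sid"] >= LOCAL_SID_MIN
    return rule


def split_endpoint(endpoint: str):
    """'192.168.1.20:54321' -> ('192.168.1.20', 54321); ICMP has no port -> (ip, None).
    IPv4 only: an IPv6 address also contains ':' and is returned unsplit."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return endpoint, None


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the fields of one alert_fast line, or None for lines in another format."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    alert["src_ip"], alert["src_port"] = split_endpoint(alert.pop("src"))
    alert["dst_ip"], alert["dst_port"] = split_endpoint(alert.pop("dst"))
    return alert


def fired_sids(rules, alert_lines):
    """Map each parsed rule's sid to the number of alerts it produced (0 = never fired)."""
    counts = {r["sid"]: 0 for r in rules}
    for line in alert_lines:
        alert = parse_fast_alert(line)
        if alert and alert["sid"] in counts:
            counts[alert["sid"]] += 1
    return counts


ICMP_RULE = 'alert icmp any any -> any any (msg:"ICMP connection attempt:"; sid:1000010; rev:1;)'

# Constructed sample of what "snort -A console" / snort.alert.fast prints (not a real capture).
SAMPLE_ALERTS = [
    "06/10-14:22:31.481934  [**] [1:1000010:1] ICMP connection attempt: [**] [Priority: 0] {ICMP} 192.168.1.20 -> 192.168.1.10",
    "06/10-14:22:32.483102  [**] [1:1000010:1] ICMP connection attempt: [**] [Priority: 0] {ICMP} 192.168.1.10 -> 192.168.1.20",
    "06/10-14:23:05.001200  [**] [1:1000020:2] SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:54321 -> 192.168.1.10:22",
    "Commencing packet processing (pid=1234)",  # startup banner, not an alert
]

if __name__ == "__main__":
    rule = parse_rule(ICMP_RULE)
    print(rule["proto"], rule["sid"], rule["msg"], "local sid ok:", rule["local_sid_ok"])
    for line in SAMPLE_ALERTS:
        print(parse_fast_alert(line))
    print(fired_sids([rule], SAMPLE_ALERTS))
```

The fast format carries the same fields the SIEM will later index (timestamp, gid:sid:rev, message, classification, priority, protocol and endpoints), which is why it is the output to feed a log collector; the banner line shows that anything Snort prints that is not an alert must be skipped rather than treated as one.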

Step 4 Wazuh Linux agent installation

Now we install the Wazuh agent on the same Debian host that runs Snort and enroll it with the Wazuh manager, so that the agent can ship the Snort alert file to the server and the alerts appear on the Wazuh dashboard.

Step 5 Snort + Wazuh connection

Note: all changes in this step are made in the Wazuh agent's ossec.conf file.

In order to see the alerts in Wazuh we need to modify /var/ossec/etc/ossec.conf on the agent and add a new localfile entry like the one below, then save the file.

<!-- snort -->
<localfile>
  <log_format>snort-full</log_format>
  <location>/var/log/snort/snort.alert.fast</location>
</localfile>

Place this section right below the <!-- log analysis --> comment in the configuration file, inside the <ossec_config> element. Note that alert_fast writes Snort's one-line fast format, while snort-full is the name of Wazuh's reader for Snort's multi-line full format; if no Snort events show up after the restart, check that the log_format matches the Snort output format you configured and that Snort is actually writing to the file named in location.

After saving, restart the Wazuh agent so it picks up the new localfile entry.

sudo systemctl restart wazuh-agent

Now open the Wazuh dashboard and click the eye symbol next to the agent (bottom right of the agents list).

This view holds all the events that our Debian Wazuh agent has collected.

The Snort alerts are not on this overview, though; they are behind the next click, Security events, in the top left.

There we should see many alerts from the IDS, each one a Snort rule hit forwarded by the agent.

Snort is now integrated with the Wazuh SIEM for log collection and alerting.

Conclusion:

Intrusion detection is an important part of network security: the IDS acts as an early warning layer, and its alerts are what we analyze to find a compromise of the network or other resources. We can write rules that reflect our own security policies, monitor them for compliance, and apply security best practices to protect our interconnected infrastructure.
