What is Wazuh?

Wazuh alerts

In popular intrusion detection systems (IDS), such as Wazuh or Suricata, a signature-based approach to threat detection is applied. That is, patterns found in files, logs and network traffic are compared against a database of patterns known to be linked to malicious activity and alerts are issued when a match is found. These systems provide rule sets for analyzing and correlating data, and typically issue thousands or millions of alerts per day in a production environment.

On the other hand, Suricata is a free open source network threat detection engine with real-time network intrusion detection (NIDS), online intrusion prevention (NIPS), network security monitoring (NSM) and offline pcap processing capabilities. Suricata inspects network traffic using its rules and signature language to look for matches with known threats, policy violations and malicious behavior, and offers scripting support for complex threat detection.

Tutorial wazuh

OSSEC is a host monitoring and control platform: a HIDS (Host-based Intrusion Detection System) that is also considered a SIM (Security Incident Management) tool. It goes beyond those roles, providing a centralized log service, an alert and notification system and many other functions.

The OSSEC client is multiplatform: it can be installed on GNU/Linux, Solaris, Microsoft Windows, Mac OS X, VMware, *BSD, AIX and HP-UX systems. It is free software, released under version 2 of the GPL license.

Wazuh incident response

In 2019, more than 700 vulnerabilities were discovered in Microsoft operating systems. As soon as Microsoft learns of them, it starts planning, developing and releasing patches that fix them. In addition, all manufacturers of Windows software must know about all the vulnerabilities affecting their Windows software.


Wazuh 3.11 introduced a new capability: the Vulnerability Detector for Windows. Using the National Vulnerability Database (NVD), Wazuh can detect vulnerabilities on Windows hosts by examining the installed software and Windows updates.

Once we have the Wazuh manager and Elastic Stack configured (you can learn how to install the Wazuh manager and Elastic Stack, or you can download the entire stack in OVA format, which is what this example uses), we can import it into VMware, VirtualBox or another hypervisor of your choice. After importing it, access it via SSH.

The vulnerability scanner runs on the manager side, because the manager stores the inventory of the connected agents. Let's see how to make it work. The /var/ossec/etc/ossec.conf file contains the following section:

Wazuh ids

Wazuh is a free, open source, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

The Wazuh server is responsible for analyzing data received from agents, processing events through decoders and rules, and using threat intelligence to look for known IOCs (Indicators of Compromise). A single Wazuh server can analyze data from hundreds or thousands of agents, and scale horizontally when configured in cluster mode.
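The rule-and-decoder processing described here, and the signature matching and correlation outlined under "Wazuh alerts", can be illustrated with a toy rule engine. This is an added example, not Wazuh's own code: the rule IDs, rules and log lines are constructed, `<match>` is treated as a Python regular expression (Wazuh uses its own simpler pattern syntax), and frequency rules are simplified to "parent fired N times within the timeframe".

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
# Constructed rules in Wazuh's XML syntax: a match rule and a frequency rule that correlates repeated hits of its parent
RULES_XML = """<group name="local,sshd,">
  <rule id="100100" level="5">
    <match>Failed password</match>
    <description>sshd: authentication failed.</description>
  </rule>
  <rule id="100101" level="10" frequency="3" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <description>sshd: brute force trying to get access.</description>
  </rule>
</group>"""
SAMPLE_LOGS = [  # constructed sample events: (epoch seconds, log message)
    (0, "sshd[1]: Failed password for root from 10.0.0.5 port 22 ssh2"),
    (10, "sshd[1]: Accepted password for alice from 10.0.0.6 port 22 ssh2"),
    (20, "sshd[1]: Failed password for root from 10.0.0.5 port 22 ssh2"),
    (30, "sshd[1]: Failed password for root from 10.0.0.5 port 22 ssh2"),
]
def load_rules(xml_text):
    # Keep only the attributes and child elements this toy engine understands
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "match": r.findtext("match"),
             "if_matched_sid": r.findtext("if_matched_sid"),
             "frequency": int(r.get("frequency", 0)),
             "timeframe": int(r.get("timeframe", 0)),
             "description": r.findtext("description")}
            for r in ET.fromstring(xml_text).iter("rule")]
def evaluate(rules, logs):
    # Returns one alert per event as (ts, rule id, level, description)
    history = defaultdict(deque)  # rule id -> timestamps of recent hits
    alerts = []
    for ts, msg in logs:
        fired = {}  # rules matched by this event, keyed by id
        for rule in rules:  # parents are listed before their children
            if rule["match"]:  # simplification: Python re, not Wazuh's sregex
                hit = re.search(rule["match"], msg) is not None
            else:  # frequency rule: count recent hits of its parent rule
                window = history[rule["if_matched_sid"]]
                while window and ts - window[0] > rule["timeframe"]:
                    window.popleft()  # drop hits older than the timeframe
                hit = rule["if_matched_sid"] in fired and len(window) >= rule["frequency"]
            if hit:
                fired[rule["id"]] = rule
                history[rule["id"]].append(ts)
        if fired:  # the highest-level (child) rule overrides its parent
            best = max(fired.values(), key=lambda r: r["level"])
            alerts.append((ts, best["id"], best["level"], best["description"]))
    return alerts
```

Run against the sample events, the single failed login at 0 and 20 seconds each raise the level-5 rule, the successful login raises nothing, and the third failure within 60 seconds is reported as the level-10 correlation rule instead of its parent.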

The server is also used to manage the agents, configuring and updating them remotely when necessary. In addition, the server is able to send commands to the agents, for example, to trigger a response when a threat is detected.

The alerts generated by Wazuh are sent to Elasticsearch, where they are indexed and stored. The Wazuh Kibana plugin provides a powerful user interface for data visualization and analysis, which can also be used to manage and monitor agent configuration and status.
