Adding a Comprehensive Wazuh SIEM and Network Intrusion Detection System (NIDS) to the VirtualBox Lab

In this module, we will take a look at the process of setting up a comprehensive Wazuh SIEM, including a NIDS and some HIDS agents, in our VirtualBox home lab.
In: VirtualBox, VirtualBox Cybersecurity Lab Project, Defend, Home Lab, Wazuh, SIEM
ℹ️
This page is part of a larger series on building a cybersecurity lab using VirtualBox (see the project home page for the full series).

Previous Step

Adding Another Interface to pfSense in VirtualBox
In this module, we will look at the process of adding an additional interface to the pfSense VM when the VirtualBox GUI only shows four available interfaces.



Order of Operations


  1. Add an additional interface to the pfSense VM
  • This interface will serve as the target for all of the SPAN configurations
  • The SPAN configurations will create copies of each Ethernet frame from each interface and send them to the SPAN port
  2. Install the Wazuh Stack as an all-in-one installation
  • Use the quick setup script to install the following services:
    • Wazuh Indexer
    • Wazuh Manager
    • Wazuh Dashboard
  3. Install the NIDS component on the same VM
  • Suricata will capture packets from the SPAN interface
  • It will output logs in JSON format, which will be read by Wazuh Manager
  4. As your lab grows, install Wazuh Agents on your Linux and Windows VMs
  • Install agents on any hosts you want to monitor
  • The hosts need to be able to communicate with the Wazuh Manager's IP address over tcp/1514 and tcp/1515 (can also be configured for UDP if desired)



Desired End State

pfSense VM

  • New interface added and SPAN configurations created

Wazuh Stack + NIDS

  • Configured network interfaces
  • Installed and configured Wazuh Stack
    • Log into Wazuh Dashboards
    • Ensure all connections are working
  • Installed and configured Suricata
    • Capturing packets from SPAN
    • Wazuh Manager is configured to read Suricata logs

Wazuh Agents

  • Wazuh Agent is installed on any host to be monitored
  • Wazuh Agent can communicate with Wazuh Manager IP over tcp/1514 and tcp/1515



Enabling Packet Capture

🚨
Please note that this step is COMPLETELY OPTIONAL. If you'd rather not work through the SIEM setup right now, you can continue on to the next step and come back here later.

pfSense SPAN Port

Overview of the Changes

In this step, we are going to add an additional interface to the pfSense VM, much like we did in the previous step, but in the case of this new interface, it will serve the sole purpose of being a SPAN port to capture packets.



In the case of this diagram, we are doing the following:

  1. Adding a new interface to the pfSense VM called SPAN
  2. Attaching the SIEM / IDS to the LAN and SPAN interfaces
  3. The LAN interface provides a DHCP address to the SIEM
    1. The SPAN interface does not get any IP assignment and is simply used to receive frames copied from each interface, which in this case is:
      1. LAN
      2. ISOLATED
      3. AD_LAB
      4. SEC_EGRESS
  4. With the Ethernet frames flowing to the SPAN interface
    1. Suricata on the IDS host will analyze the packets and generate logs
    2. Wazuh will be configured to ingest the log file(s)



Adding the SPAN Port

⚠️
Power off the pfSense VM before making these changes
& 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe' modifyvm "pfSense-CyberRange" --nic6 intnet 
& 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe' modifyvm "pfSense-CyberRange" --nictype6 virtio 
& 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe' modifyvm "pfSense-CyberRange" --intnet6 "cyber-range-span" 
& 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe' modifyvm "pfSense-CyberRange" --nic-promisc6 allow-all

The commands above use nic6, nictype6, intnet6, and so on, because adapter 5 was already assigned in a previous article.



Configuring the New Interface

If you haven't already, you may now power on the pfSense VM

Log into the pfSense web configurator and navigate to Interfaces > Assignments.

We can see an available interface, which is the one we added just before
Click the + Add button. Then, click on OPT4.
Configure EXACTLY AS SHOWN here and click Save and Apply Changes



Configure the Span Ports

💡
We need to configure each SPAN port one at a time. If we select all of the target interfaces as member interfaces, this puts them all on the same broadcast domain, which we do not want.

Also, moving forward, if you add any additional subnets to your pfSense cyber range, you'll need to repeat this procedure for the traffic to be captured by the NIDS.

LAN to SPAN

Go to Interfaces > Assignments

Click Bridges and click + Add
Configure as shown and click Save

ISOLATED to SPAN

Configure as shown and click Save

AD_LAB to SPAN

Configure as shown and click Save

VULN_EGRESS to SPAN

Configure as shown and click Save

Desired End State

Separate bridges for each subnet with a SPAN port targeted to our new interface



Adding the Wazuh Stack

Ubuntu Server OVA

We are going to use the same specs that would be configured with the Wazuh OVA appliance:

  • 4 CPU
  • 8 GB RAM
  • 50 GB Disk
⚠️
The requirements are reasonable given the tech stack, but this does add some additional demand and stress to your lab environment. You may need to shut down some other VMs in order to run the SIEM and save resources.

Import the OVA

Ubuntu 24.04 LTS (Noble Numbat) daily [20250626]

Ubuntu Noble Numbat is the current LTS image as of this writing

Download the .ova file, which is ready-made for VMware (and VirtualBox)
Once downloaded, double-click the .ova file and begin the import procedure
Change the "Name", "CPU", and "RAM"
🚨
Do not start the VM

Create a Cloud-Init ISO

ℹ️
The example commands shown here are run on a Windows host in PowerShell.
mkdir "$env:USERPROFILE\Desktop\cloud-init-iso"
[System.IO.File]::WriteAllText("$env:USERPROFILE\Desktop\cloud-init-iso\meta-data", @"
instance-id: wazuh-server
local-hostname: wazuh-server
"@, [System.Text.UTF8Encoding]::new($false))

Create the "meta-data" file, encoded as UTF-8 without a byte-order mark (the $false argument to UTF8Encoding)

[System.IO.File]::WriteAllText("$env:USERPROFILE\Desktop\cloud-init-iso\user-data", @"
#cloud-config
chpasswd:
  list: |
    ubuntu:wazuh
  expire: false
ssh_pwauth: true
"@, [System.Text.UTF8Encoding]::new($false))

Create the "user-data" file, encoded as UTF-8 without a byte-order mark -- this sets the credential "ubuntu:wazuh" and enables SSH password authentication

& 'C:\Program Files\Oracle\VirtualBox\vbox-img.exe' createiso `
-o "$env:USERPROFILE\Desktop\cloud-init.iso" `
--volid "cidata" `
"$env:USERPROFILE\Desktop\cloud-init-iso\user-data" `
"$env:USERPROFILE\Desktop\cloud-init-iso\meta-data"

Output the ".iso" file to your desktop


Additional Configurations

Right-click your VM > "Settings"

Network

Adapter 1 gets a DHCP address on the pfSense default LAN. Note the MAC address, as we'll be adding a DHCP reservation in a moment.
Adapter 2, connected to the new internal network we created for capturing packets. Ensure you set "Promiscuous Mode" to "Allow All".

Attach Cloud-Init ISO

Storage > IDE > Add optical drive
Click "Add"
Click your "cloud-init.iso" file on your Desktop created before using PowerShell
Now, double-click "cloud-init.iso" to attach it
Attached to the VM

Increase the Disk Size

Go to "Tools" > "Media"
Select the target ".vdi" file
Set to "50.00 GB" and click "Apply"
You may now start the VM. During the boot procedure, the cloud-init.iso file should be mounted and the ubuntu user password changed to wazuh.
Successfully logged in with username and password set in the .iso file



Add a DHCP Reservation

Log into pfSense using your Kali VM and go to Status > DHCP Leases...

I've input the MAC address from the previous step, assigned an IP address of 10.0.0.3 and given an appropriate hostname and description.
sudo systemctl restart systemd-networkd

Run this command on Wazuh Server to restart the network stack and pull a new DHCP lease



Installing the Wazuh Stack

Quickstart · Wazuh documentation
User manual, installation and configuration guides. Learn how to get the most out of the Wazuh platform.

Since this is a lab environment, we'll just use the all-in-one installation

Run the install script as shown here
Wait for the installation to complete...

When the installation completes, you should see the password for the admin user printed to the console. However, this VM doesn't support copying to clipboard, so I'm going to use the wazuh-passwords-tool.sh utility to change to something a little easier to type.

sudo /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u admin -p 'P@$$word123!'

Change P@$$word123! to a new password of your choice

sudo filebeat keystore add password --force

Update the Filebeat keystore's password entry with your new admin password. The all-in-one installer already created this entry, so --force is required to overwrite it; the command prompts for the value.

sudo systemctl restart filebeat

Restart the filebeat service to use the new password



Logging into Wazuh Dashboard

ℹ️
You can use your Kali VM to log into Wazuh Dashboard, since they're both on the same LAN and there won't be any firewall issues blocking access.
You can reach the login page by navigating to https://10.0.0.3. Ignore any certificate / TLS warnings, as the service is using a self-signed certificate on the web server.

The login for the Wazuh Dashboard server is:

  • Username: admin
  • Password: changed using the wazuh-passwords-tool.sh utility
Initial look at the dashboard. We'll get some agents registered in a bit.



Install the NIDS

Auto-Raise Capture Interface

ip addr show

List IP address configurations

The second interface on the box is not active. We need to modify netplan to bring this interface up at boot.
sudo nano /etc/netplan/50-cloud-init.yaml
network:
  version: 2
  ethernets:
    enp0s3:
      match:
        macaddress: "00:0c:29:1a:e4:84"
      dhcp4: true
      dhcp6: true
      set-name: "enp0s3"

Before...

⚠️
YAML is indentation-based markup, so be careful to use exactly the right number of leading spaces for each configuration line.
network:
  version: 2
  ethernets:
    enp0s3:
      match:
        macaddress: "00:0c:29:1a:e4:84"
      dhcp4: true
      dhcp6: true
      set-name: "enp0s3"
    enp0s8:
      dhcp4: false
      dhcp6: false
      optional: true

After (adds "enp0s8")

sudo netplan apply
The interface is now marked "UP"



Packet Capture Test

In the screenshot below, I'm using tcpdump to listen on ens32 for packets coming from or going to 10.0.0.2, which is Kali's IP address.

  • On the right, we can see Kali pinging 1.1.1.1
  • On the left, we can see the traffic in the packet capture
ℹ️
How does this work?

Kali sends ping requests to 1.1.1.1, which flow up the wire to pfSense, where the bridge0 interface we set up before copies each frame to the SPAN port listening on ens32.



Install and Configure Suricata

sudo apt install -y suricata
sudo nano /etc/suricata/suricata.yaml
⚠️
The suricata.yaml file is large and contains lots of nested configurations. I'm only going to highlight here any required changes to the file.
  # Extensible Event Format (nicknamed EVE) event log in JSON format
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json

enabled: yes should already be set by default; confirm it, since this eve-log block is what writes Suricata events as JSON to eve.json for Wazuh to read

# Linux high speed capture support
af-packet:
  - interface: enp0s8
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
    # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
    # This is only supported for Linux kernel > 3.1
...
...
...

Set to - interface: enp0s8 in order to capture packets on the correct interface

Configuration complete, press CTRL + x and then y to save changes to the suricata.yaml file



Select Suricata Rule Sources

sudo suricata-update update-sources
sudo suricata-update list-sources --free

List Suricata rule sources that do not require a key / token / license

sudo suricata-update enable-source et/open

Enable the et/open source

⚠️
Be aware that the more rulesets you enable, the more RAM and disk space will be required.
sudo suricata-update enable-source tgreen/hunting
sudo suricata-update enable-source stamus/lateral
sudo suricata-update enable-source aleksibovellan/nmap
sudo suricata-update

Run this command to pull the latest rulesets

sudo crontab -e

Edit the root user's crontab

@reboot /usr/bin/suricata-update
0 2 * * * /usr/bin/suricata-update

Update Suricata rulesets every day at 2 AM and any time the system boots

sudo systemctl enable --now suricata
systemctl status suricata
The service is running
ℹ️
Note that at this point, with Suricata running, you're putting additional stress on the VM, so monitor resources with sudo top or sudo htop and, if needed, add more CPU and RAM to the box.



Configure Wazuh Manager

Now that Suricata is analyzing captured network traffic, any events will be written to /var/log/suricata/eve.json. We need to tell the Wazuh Manager to read and ingest the logs from the file.

sudo nano /var/ossec/etc/ossec.conf
⚠️
As previously done, I'll only be highlighting parts where changes are made, as the ossec.conf file is quite large
<ossec_config>
  <global>
    <rotate_interval>1d</rotate_interval>

Add the <rotate_interval></rotate_interval> frequency in the global section. This configuration rotates logs daily.

<ossec_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>

Add this ENTIRE block to the BOTTOM of the file

sudo systemctl restart wazuh-manager

Restart the Wazuh Manager service to implement the changes
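After the restart, it is worth confirming that Suricata is actually writing alerts and that the manager has been pointed at the right file before moving on. The script below is an added example, not code from the original post or from the Wazuh project: it checks ossec.conf for the localfile entry, counts alert records in eve.json, and summarises the most frequent signatures. The paths are the defaults used in this guide; the eve.json content built by make_sample_eve is constructed for offline testing and is not real traffic.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks for the
# Suricata -> Wazuh Manager ingestion path configured above.
set -eu

EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"

# Return 0 if ossec.conf has a <localfile> entry whose <location> is the given path.
ossec_has_eve_localfile() {
  local conf="$1" path="$2"
  grep -q "<location>${path}</location>" "$conf"
}

# Count Suricata alert records (eve.json holds one JSON object per line).
eve_alert_count() {
  grep -c '"event_type":"alert"' "$1" || true
}

# Print the N most frequent alert signatures as "<count> <signature>", one per line.
eve_top_signatures() {
  local file="$1" n="${2:-5}"
  grep '"event_type":"alert"' "$file" \
    | sed -n 's/.*"signature":"\([^"]*\)".*/\1/p' \
    | sort | uniq -c | sort -rn | head -n "$n" \
    | sed 's/^ *//'
}

# Constructed sample eve.json: two alerts, one flow record, one dns record.
make_sample_eve() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
{"timestamp":"2025-06-26T10:00:01.000000+0000","event_type":"alert","in_iface":"enp0s8","src_ip":"10.0.0.2","dest_ip":"10.0.2.5","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED sample signature A","severity":2}}
{"timestamp":"2025-06-26T10:00:02.000000+0000","event_type":"flow","in_iface":"enp0s8","src_ip":"10.0.0.2","dest_ip":"1.1.1.1","proto":"ICMP"}
{"timestamp":"2025-06-26T10:00:03.000000+0000","event_type":"alert","in_iface":"enp0s8","src_ip":"10.0.0.2","dest_ip":"10.0.2.5","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED sample signature A","severity":2}}
{"timestamp":"2025-06-26T10:00:04.000000+0000","event_type":"dns","in_iface":"enp0s8","src_ip":"10.0.0.2","dest_ip":"10.0.0.1","proto":"UDP"}
EOF
  printf '%s\n' "$f"
}

# On the real box: report against the live files when they are readable.
if [ -r "$OSSEC_CONF" ]; then
  if ossec_has_eve_localfile "$OSSEC_CONF" "$EVE_LOG"; then
    echo "ossec.conf: localfile entry for $EVE_LOG present"
  else
    echo "ossec.conf: NO localfile entry for $EVE_LOG (add the block from the section above)"
  fi
fi
if [ -r "$EVE_LOG" ]; then
  echo "alert records in $EVE_LOG: $(eve_alert_count "$EVE_LOG")"
  eve_top_signatures "$EVE_LOG" 5
fi
```

On the Wazuh server the live files under /var/log/suricata and /var/ossec are root-owned, so run it with sudo; a zero alert count with Suricata running usually means the af-packet interface is wrong or no traffic is reaching the SPAN port yet.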



Trim Logs

sudo crontab -e
# Run every day at 0400
# Find rotated Suricata log files older than 30 days and delete them
0 4 * * * find /var/log/suricata -maxdepth 1 -mtime +30 -type f -exec rm -f {} \; > /dev/null 2>&1

# Run every day at 0400
# Find Wazuh month directories (logs/<alerts|archives>/YYYY/Mon) older than 30 days and recursively delete them.
# -mindepth 2 stops find from matching the top-level alerts/archives directory or a year directory,
# which would otherwise be removed wholesale as soon as their own mtime passes 30 days.
0 4 * * * find /var/ossec/logs/alerts -mindepth 2 -maxdepth 2 -type d -mtime +30 -exec rm -rf {} \; > /dev/null 2>&1
0 4 * * * find /var/ossec/logs/archives -mindepth 2 -maxdepth 2 -type d -mtime +30 -exec rm -rf {} \; > /dev/null 2>&1

Add these entries to root crontab below the one previously created
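Because these cron entries hand whatever find matches straight to rm -rf, it pays to dry-run the selection first. Wazuh stores alerts as logs/alerts/YYYY/Mon/..., and a directory's mtime only changes when an entry is created or removed inside it, so a year directory, or the alerts directory itself, can be older than 30 days and get matched if the find is not restricted by depth. The script below is an added example, not code from the original post: it builds a throwaway tree in that layout with constructed, backdated timestamps and prints what a depth-restricted prune would remove next to what an unrestricted one would match.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): dry-run of the log-trim logic
# against a constructed tree in the Wazuh logs layout.
set -eu

DAYS="${DAYS:-30}"

# Month directories (exactly depth 2 under ROOT) older than DAYS: what should be removed.
list_stale_month_dirs() {
  find "$1" -mindepth 2 -maxdepth 2 -type d -mtime +"$2" | sort
}

# Every directory older than DAYS, ROOT and year directories included: what an
# unrestricted "find ROOT -type d -mtime +N" would pass to rm -rf.
list_stale_dirs_unrestricted() {
  find "$1" -type d -mtime +"$2" | sort
}

# Rotated Suricata files directly under ROOT older than DAYS. eve.json itself is
# never stale because Suricata keeps writing to it.
list_stale_suricata_files() {
  find "$1" -maxdepth 1 -type f -mtime +"$2" | sort
}

# Constructed sample tree: a 45-day-old month next to a current one, plus a
# 45-day-old rotated eve.json.1. Directories are backdated after the files are
# created, because creating a file bumps its parent directory's mtime.
make_demo_tree() {
  local root old
  root=$(mktemp -d)
  old=$(( $(date +%s) - 45 * 86400 ))
  mkdir -p "$root/alerts/2025/Apr" "$root/alerts/2025/Jun" "$root/suricata"
  : > "$root/alerts/2025/Apr/ossec-alerts-30.json"
  : > "$root/alerts/2025/Jun/ossec-alerts-26.json"
  : > "$root/suricata/eve.json"
  : > "$root/suricata/eve.json.1"
  touch -d "@$old" "$root/alerts/2025/Apr/ossec-alerts-30.json" "$root/suricata/eve.json.1"
  # A quiet stretch: neither the year directory nor the alerts directory has
  # changed in 45 days, which is exactly the case -mindepth 2 protects against.
  touch -d "@$old" "$root/alerts/2025/Apr" "$root/alerts/2025" "$root/alerts"
  printf '%s\n' "$root"
}

root=$(make_demo_tree)
echo "== would remove (depth-restricted) =="
list_stale_month_dirs "$root/alerts" "$DAYS"
echo "== unrestricted match (includes parents) =="
list_stale_dirs_unrestricted "$root/alerts" "$DAYS"
echo "== stale Suricata files =="
list_stale_suricata_files "$root/suricata" "$DAYS"
rm -rf "$root"
```

Point the three list functions at /var/ossec/logs/alerts, /var/ossec/logs/archives and /var/log/suricata (with sudo) to preview a real run before trusting the crontab entries; the "@epoch" form of touch -d is GNU coreutils, which is what Ubuntu ships.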



Prevent Unplanned Upgrades

Wazuh documentation
User manual, installation and configuration guides. Learn how to get the most out of the Wazuh platform.

Link to Wazuh official documentation

When consulting the Wazuh official documentation, you should take note of one key requirement:

🚨
Wazuh agent versions should be less than or equal to that of the Wazuh Manager.

We want to avoid unplanned upgrades of the Wazuh Manager stack and the Wazuh agents. So, first we'll take care of this on the Wazuh Manager side.

sudo apt-mark hold wazuh-indexer
sudo apt-mark hold wazuh-dashboard
sudo apt-mark hold wazuh-manager
ℹ️
"Held" packages are not upgraded by apt. However, the latest package can still be installed explicitly by running sudo apt install -y wazuh-indexer, etc. In that case, you need to re-run sudo apt-mark hold wazuh-indexer, etc., for whichever packages were installed.



Installing the Wazuh Agent

Update pfSense Firewall Rules

Log into the pfSense web configuration console and navigate to Firewall > Rules > Floating.

Click the "Add (down)" button
Ensure the "Quick" selection is checked. Currently the lab has four subnets: LAN, SEC_ISOLATED, AD_LAB, and VULN_EGRESS. Select all four (or as many as you have). Press and hold the CTRL key to select multiple entries.
ℹ️
If you add additional subnets to your lab, you will need to come back here and add them to this firewall rule later, in order for them to be able to forward logs to the Wazuh Manager.
Click "Save" and "Apply Changes"
Floating rules desired end state



Example: Installing on Windows

In this example, I'm going to install the Wazuh Agent on a Windows Server 2019 host (the domain controller in my AD_LAB LAN).

Wazuh agent - Installation guide · Wazuh documentation
User manual, installation and configuration guides. Learn how to get the most out of the Wazuh platform.
Because I want to ensure my Wazuh Agent and Manager are on the same version, I'll use the + Deploy new agent button in the Wazuh Manager
Choose Windows and set the IP address to that of the Wazuh Manager's
This setting is OPTIONAL, so I'm going to skip it and use the "Default" group
We'll copy this command...
Then, run it in PowerShell with ADMINISTRATIVE PRIVILEGES
Start-Service WazuhSvc

Once installed, start the service

Wazuh now shows 1 active agent



Integrate Sysmon

This is a great way to extend the monitoring capabilities on your Windows hosts. In this article, I show you how to:

  • Download the Sysmon ruleset for Wazuh Manager
  • Install Sysmon on Windows hosts
  • Create a Wazuh Agent group and add Windows hosts to the group
  • And ingest the Sysmon logs from your Windows endpoints using the Wazuh Agent
Wazuh: Mapping Sysmon Events to MITRE ATT&CK IDs
In this post, I show how I implemented and worked around some issues while adding an enhanced ruleset mapping Sysmon events to ATT&CK IDs.



Testing Capabilities

DC Sync attack on the domain controller
Impacket psexec.py on the domain controller
Simple port scan of the top 50 ports against the domain controller
Go to Menu > Threat Intelligence > Threat Hunting > Click the "Level 12 or above alerts..." > Click "Events" at the top
These are examples of some of the events generated from the DC sync attack
These are examples of some of the events from testing psexec.py
Same alert, but from Sysmon
Remove the "Level 12+" filter at the top. Now, the alerts from the Suricata rules engine are visible. Again, just examples.



Important: Index Management

🛑
Don't skip this part!

You REALLY want to do this now as opposed to later.

  • Save your disk space
  • Reduce stressful troubleshooting hours
  • Trim your indices and improve performance

Do it now! Please.

Wazuh Index Management Policy
In this post, I show how to manage your Wazuh Indexer indices in order to improve performance and manage disk space consumed by indices.



Follow-Up Activities

Extending Wazuh's Capabilities

Taylor Walton has done a really fantastic job at creating content that showcases Wazuh's capabilities and ways to extend it with various integrations. I wholeheartedly recommend taking a look.

Taylor Walton
Focusing on Open Source cybersecurity products that provide a robust and scalable solution that can be customized to integrate with any network. Cofounder of the world's first open source security operations center: https://www.socfortress.co

Also, have a look at some of the additional Wazuh content I've written. If I included everything here, the guide would quickly grow out of scope.

Wazuh - 0xBEN
Wazuh SIEM



Finishing Up the Home Lab Guide

Building a Security Lab in VirtualBox
In this project, broken up into multiple modules, you will build a comprehensive cybersecurity lab using VirtualBox. Upon completion, you will have an environment where you can safely practice penetration testing against a wide variety of targets, including internal and external Active Directory.

Click here to be taken to the final stretch of the project
