Creating A Threat Hunting Lab

The document outlines the process of creating a Threat Hunting Lab using Wazuh and Google Cloud Platform, detailing the setup of a virtual machine (VM) and installation of Snort IDS. It explains the functionalities of Google Cloud, Snort, and Wazuh, and provides step-by-step instructions for integrating these tools to enhance cybersecurity measures. The successful integration allows for real-time detection of intrusions by Snort, with corresponding events displayed on the Wazuh dashboard.

Uploaded by VEDASTUS VICENT

Creating a Threat Hunting Lab with Wazuh and Google Cloud Platform

SNORT | WAZUH | GOOGLE CLOUD | UBUNTU

Azhar Ghafoor
Cybersecurity Analyst – MS Scholar

Azhar Ghafoor | LinkedIn

Azharghafoor39@gmail.com
Contents
1. Tools and Techs .....................................................................................................................................................1

a. Google Cloud Platform ........................................................................................................................................1

b. Snort IDS ...................................................................................................................................................................1

c. Wazuh SIEM ..............................................................................................................................................................1

2. Steps To Follow ......................................................................................................................................................1

a. Creating a Virtual Machine on GCP ...............................................................................................................1

b. Installing Snort IDS on VM ................................................................................................................................5

i. To detect ICMP (used for ping) packets, follow these steps: .......................................................... 7

c. Wazuh Integration............................................................................................................................................... 8

i. To access WAZUH SIEM, follow these steps: .......................................................................................... 8

ii. To add an agent, follow these steps: ..........................................................................................................9


1. Tools and Techs
a. Google Cloud Platform

Google Cloud Platform (GCP) is a powerful cloud computing platform that enables users to build,
test, and deploy applications on a global scale. Snort IDS is a popular open-source Intrusion
Detection System (IDS) that is capable of detecting and preventing various network-based attacks.
Wazuh is a Security Information and Event Management (SIEM) solution, available as a hosted cloud
service, that provides real-time threat detection and response capabilities. In this article, we
will discuss how to set up a virtual machine (VM) on GCP and install Snort IDS on it. We will also
cover how to connect this cloud VM, with Snort running on it, to Wazuh.

b. Snort IDS

Snort is a free and open-source network intrusion detection and prevention system. It is capable
of analyzing network traffic and detecting various types of attacks, such as port scans, buffer
overflows, and stealthy probing attempts. Snort uses a rule-based language to define the
conditions under which a particular attack should be detected, making it highly customizable and
adaptable to different network configurations. Snort is a widely used tool in cybersecurity and
plays a crucial role in safeguarding networks against malicious activities.

c. Wazuh SIEM

Wazuh is an open-source security monitoring solution that provides comprehensive visibility into
the security status of an organization's IT infrastructure. Wazuh integrates with various security
tools and technologies, such as Snort, to collect and analyze security data from different sources.
Wazuh provides real-time alerts, visualization dashboards, and compliance reports to help
organizations proactively manage their security posture. Wazuh is highly scalable and can be
deployed on-premises or in the cloud, making it a versatile solution for organizations of different
sizes and industries.

2. Steps To Follow
a. Creating a Virtual Machine on GCP

I. Log in to your account at https://cloud.google.com/


II. Click on Console at the top right corner of the screen.

Page | 1
III. From the Welcome page, click on Select the Project from the top dropdown menu or
create a new project (in this case, we have already created a project named “Practice”).

IV. Click on “Dashboard”, or you will be taken to the Dashboard page automatically if you have
just created a new project.
V. From here, you can manage your virtual machines and other resources.

VI. From the menu, select “Compute Engine” and then “VM instances”.

VII. It will open a new page. From the top of the page, click on “CREATE INSTANCE”.

VIII. In the new page, you can set VM values such as VM name, region of the server, zone,
machine type, etc.

IX. To select the operating system, click on the CHANGE button under “Boot disk”.

X. It will open a new window. From here, select your desired OS, such as Ubuntu OS.

XI. Under “Access scopes”, select Allow default access and under “Firewall”, check both
checkboxes to allow both HTTP and HTTPS traffic for the instance.

XII. Once all values are selected as per the need, navigate to the bottom and click on “CREATE”
to create a new VM.

XIII. It will open a new window of VM Instances where you can find your newly created VM with
IPs (hidden for secrecy).

XIV. Your VM is now ready to be used, and you can use SSH to connect to it.

b. Installing Snort IDS on VM

I. Click on the SSH option to start using the VM. It will open a new browser tab and establish a
connection with the VM.

II. Now, you can use it as a simple Ubuntu terminal. First, update the packages using the
command “sudo apt-get update”.

III. The Snort installer will ask which interface to monitor, so first check the interfaces with
the ifconfig command (ifconfig comes from the net-tools package; “ip addr” shows the same
information if it is not installed).
a. Note the name and IP address of the interface you want to use for monitoring traffic. In
this case, we will use X.X.X.X

IV. Now use command “sudo apt install snort -y” to install the Snort IDS.

V. After installation is complete, use the command shown in the image below to check the
version of Snort.

VI. Snort's configuration lives in the /etc/snort/ directory, where all of its files and folders are
placed. To check them, use the command below:

a. Of these files, snort.conf is the most important: it is where rules are enabled and
disabled, the mode of Snort is changed, etc.
VII. Open the snort.conf file (using the command “sudo nano /etc/snort/snort.conf”) and change
the HOME_NET address. HOME_NET tells Snort which addresses count as its own network, and it is
this value that makes Snort behave either as a host-based IDS or as a network-based IDS. By
default, it is set to any, which means Snort inspects all of the traffic in the subnet in which
it is installed. If you want Snort to inspect only a single device, modify the highlighted value
from any to that device's IP (or to an IP range).

VIII. By default, most of Snort's intrusion-detection rules are enabled. If you want to create
custom rules, add them under the rules directory.
IX. Before starting Snort, it is best practice to always test the configuration for errors after
making changes to the config file. Use the command “sudo snort -T -i ens4 -c
/etc/snort/snort.conf” to test that the configuration loads successfully.

X. If validation of the configuration is successful, start the Snort IDS with the following
command: “sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens4”
• -A console: alert mode; alerts in the fast format are printed to the stdout stream.
• -q: quiet mode; neither the banner nor the status report is shown.
• -u snort: after initialisation, Snort drops privileges and runs as this user.
• -g snort: after initialisation, Snort runs as this group.
• -c /etc/snort/snort.conf: the path of the snort.conf file to use.
• -i ens4: the interface to listen on (change it to your interface if different).

XI. After running the command, Snort will start looking for intrusions.

i. To detect ICMP (used for ping) packets, follow these steps:

XII. To begin, from any other system ping the VM's IP address, preferably the public IP address
displayed under "External IP".

XIII. Check the SNORT console, and you will see that it has successfully detected the ICMP
packets.
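Added example (not part of the original document): a small Python parser for the fast-format alert lines that Snort prints to stdout with -A console, run over constructed sample lines standing in for the ping and SSH traffic described above. All addresses, rule ids and messages in the sample are constructed; the parser shows which fields a SIEM such as Wazuh extracts from each alert.

```python
import re
from collections import Counter

# Snort 2 "fast" alert format, as printed to stdout by `-A console`.
# ICMP alerts carry bare IPs; TCP/UDP alerts carry ip:port pairs.
# The [Classification: ...] field is absent for rules without a classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        rec[k] = int(rec[k])
    for k in ("sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def summarize(lines):
    """Count alerts per (sid, msg) and collect distinct source IPs per protocol."""
    per_rule = Counter()
    sources = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # banner or status output, not an alert
        per_rule[(rec["sid"], rec["msg"])] += 1
        sources.setdefault(rec["proto"], set()).add(rec["src"])
    return per_rule, sources

# Constructed sample console output: two pings and one SSH attempt from 203.0.113.7
# towards the VM at 10.128.0.2, plus the VM's echo reply. sid 1000001 is a
# hypothetical local rule (custom sids conventionally start at 1000000).
SAMPLE = """\
03/15-10:02:11.120934  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 10.128.0.2
03/15-10:02:11.121001  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.128.0.2 -> 203.0.113.7
03/15-10:02:12.122874  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 10.128.0.2
03/15-10:02:30.004512  [**] [1:1000001:1] LOCAL SSH connection attempt [**] [Priority: 2] {TCP} 203.0.113.7:51522 -> 10.128.0.2:22
""".splitlines()

if __name__ == "__main__":
    counts, srcs = summarize(SAMPLE)
    for (sid, msg), n in counts.most_common():
        print(f"sid {sid}: {n} x {msg}")
    print("ICMP sources:", sorted(srcs["ICMP"]))
```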

c. Wazuh Integration
i. To access WAZUH SIEM, follow these steps:

i. Go to https://console.cloud.wazuh.com/.
ii. Click on the "SIGN UP" button.
iii. Enter the necessary details and verify your email.
iv. After verification, log in to your account.

v. Click on "Environments" to create a new environment.

vi. Add the environment's name and choose a tier, such as 100 GB.
vii. Select the region and fill in other details.
viii. Click on the "View Summary" button at the bottom and then on the "Create" button.

ix. The new environment will be created, and you can access the main dashboard by clicking
on the "Open Wazuh" button on the top left corner of the screen.

x. Enter the default credentials by clicking on the "Default Credentials" button located
alongside the "Open Wazuh" button.

ii. To add an agent, follow these steps:

i. Click on the "Add agent" link displayed on the main dashboard.

ii. Select the operating system on which you want to install the agent and select its
architecture.

iii. Copy the command shown at step 5 of the Wazuh agent installation window and paste it into
the terminal of the Ubuntu GCP VM to install the Wazuh agent.

iv. Follow step-6 to start the agent in Ubuntu by entering the provided commands.

v. Use the "status" command to check if the Wazuh agent is working in Ubuntu.

vi. After starting the Wazuh agent, verify that it has registered by taking the following steps:
a. Access the updated dashboard and confirm that the new agent is listed.

vii. Reactivate the SNORT IDS and proceed to perform a ping or SSH connection. Observe that
the statistics for these actions are updated in the SIEM dashboard.

With this successful integration of SIEM Wazuh with GCP VM, intrusions are detected by Snort
installed on the VM, and their corresponding events are displayed on the Wazuh dashboard.
