Suricata + Wazuh: Network IDS meets host-based SIEM

Overview

Suricata and Wazuh form the backbone of many open-source OT security deployments. Suricata watches the wire — detecting threats at the network level via signature matching and protocol analysis. Wazuh watches the hosts — monitoring file integrity, collecting system logs, and correlating events across the environment. Together they close the gap between network visibility and endpoint awareness.

Integration Architecture

Suricata outputs alerts and protocol metadata in EVE JSON format to a log file or Unix socket. Wazuh's agent or a Filebeat shipper picks up these JSON events and forwards them to the Wazuh manager, where they're parsed, enriched with threat intelligence, and correlated against host-level events.

Network Traffic → Suricata (IDS/IPS) → EVE JSON logs
                                          ↓
                               Wazuh Agent / Filebeat
                                          ↓
                               Wazuh Manager (SIEM)
                                          ↓
                               Wazuh Dashboard (Kibana)

Use Cases

  • OT network anomaly detection: Suricata catches Modbus function code abuse or unauthorized DNP3 commands; Wazuh correlates with PLC configuration changes on the host
  • Lateral movement detection: Suricata flags suspicious SMB/RDP traffic between network segments; Wazuh detects the corresponding login events on target hosts
  • Compliance monitoring: Combined network + host visibility satisfies IEC 62443 zone/conduit monitoring requirements
  • Incident response: Suricata provides packet-level evidence while Wazuh supplies the timeline of host-level changes

Configuration and Getting Started

  1. Install Suricata on a network sensor with access to a SPAN port or TAP
  2. Configure EVE JSON output in suricata.yaml (default: /var/log/suricata/eve.json)
  3. Install the Wazuh agent on the Suricata sensor, or configure Filebeat to ship EVE logs
  4. Add Suricata decoder rules in the Wazuh manager (built-in since Wazuh 4.x)
  5. Create custom Wazuh rules to escalate alert severity when Suricata network alerts correlate with host events
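The correlation that step 5 delegates to a custom Wazuh rule (and that the lateral-movement use case above describes) can be seen end to end in the following added example. It is illustration written for this page, not code from the Suricata or Wazuh projects: it reads a few constructed EVE JSON lines in the format step 2 configures, keeps only `event_type: alert`, and raises the severity of any alert whose destination host reports a matching event within a short window. The EVE field names (`event_type`, `src_ip`, `dest_ip`, `alert.signature`, `alert.severity`) are real, but the host-event records, the IP addresses, the 60-second window and the Suricata-severity-to-Wazuh-level mapping are all assumptions chosen for the demonstration.

```python
"""Correlate Suricata EVE JSON alerts with host events (added example).

Not Suricata or Wazuh code. The host-event records below are a simplified,
hypothetical stand-in for what a Wazuh agent would report; a real deployment
would express the same logic as a Wazuh rule with <if_matched_sid> / <same_*>
conditions rather than in Python.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: lines as Suricata writes them to eve.json. Only the
# first and third are alerts; the second is a flow record and must be ignored.
EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.1.20","dest_ip":"10.0.2.15","dest_port":445,"proto":"TCP",'
    '"alert":{"signature":"SMB session between segments (constructed)","severity":2}}',
    '{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.1.20","dest_ip":"10.0.2.15"}',
    '{"timestamp":"2024-05-01T10:30:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.1.99","dest_ip":"10.0.3.40","dest_port":502,"proto":"TCP",'
    '"alert":{"signature":"Modbus write to unexpected unit (constructed)","severity":3}}',
]

# Constructed sample host events (hypothetical simplified shape): a login on
# 10.0.2.15 fifteen seconds after the SMB alert, and an unrelated file-integrity
# event on 10.0.3.40 well before the Modbus alert.
HOST_EVENTS = [
    {"timestamp": "2024-05-01T10:00:20+0000", "agent_ip": "10.0.2.15",
     "rule_group": "authentication_success", "user": "svc_backup"},
    {"timestamp": "2024-05-01T09:00:00+0000", "agent_ip": "10.0.3.40",
     "rule_group": "syscheck", "path": "/etc/plc/config.xml"},
]

WINDOW = timedelta(seconds=60)  # assumed correlation window

# Assumed mapping: Suricata severity (1 = highest) -> Wazuh alert level.
BASE_LEVEL = {1: 10, 2: 7, 3: 5, 4: 3}
ESCALATION = 3  # assumed bump applied when a host event corroborates the alert


def parse_ts(value):
    """EVE timestamps carry microseconds; the host samples here do not."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_eve_alerts(lines):
    """Return the alert events from EVE lines, skipping other event types
    and any line that is not valid JSON (a truncated write, for example)."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def correlate(alerts, host_events, window=WINDOW):
    """For each alert, look for a host event on the destination host within
    `window` after the alert; escalate the level when one is found."""
    results = []
    for alert in alerts:
        alert_time = parse_ts(alert["timestamp"])
        match = None
        for host_event in host_events:
            if host_event["agent_ip"] != alert["dest_ip"]:
                continue
            delta = parse_ts(host_event["timestamp"]) - alert_time
            if timedelta(0) <= delta <= window:
                match = host_event
                break
        level = BASE_LEVEL.get(alert["alert"]["severity"], 3)
        if match is not None:
            level += ESCALATION
        results.append({
            "signature": alert["alert"]["signature"],
            "src_ip": alert["src_ip"],
            "dest_ip": alert["dest_ip"],
            "host_event": match,
            "level": level,
        })
    return results


if __name__ == "__main__":
    for row in correlate(parse_eve_alerts(EVE_LINES), HOST_EVENTS):
        print(row["level"], row["signature"], "->", row["dest_ip"],
              "corroborated" if row["host_event"] else "network-only")
```

The flow line is dropped by `parse_eve_alerts`, the SMB alert is escalated from the assumed level 7 to 10 because a login on its destination host follows within the window, and the Modbus alert keeps its base level because the only host event for that address precedes it. Matching on `dest_ip` against the agent's IP is the simplest join; in Wazuh the same pairing is usually done on the agent name or a `same_field` condition, and the window is the rule's `timeframe`.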

Tradeoffs and Considerations

  • Suricata generates high-volume JSON logs on busy networks — size your Wazuh indexer storage accordingly
  • IPS inline mode adds latency; many OT deployments start with IDS-only and graduate to inline blocking on non-critical segments
  • Rule tuning is essential — out-of-the-box Suricata rules generate false positives on industrial protocols that reuse common ports