Integrating Open Source WAF with Wazuh (Part 1)
Carrie
Posted on October 12, 2024
This article is written by a SafeLine WAF user, 曼联小胖子
Background
As a cybersecurity engineer in a small and medium-sized enterprise, I often face limited resources (no SOC/SOAR) and understaffing, with one person potentially responsible for operating all the company’s security products (like myself). To improve the efficiency of security operations, we need to address the following issues:
- Avoid frequently switching between security systems to view logs
- Avoid the cumbersome task of manually blocking IPs
- Ensure that attack details and alert-handling notifications reach the relevant personnel promptly for further discussion
This article mainly introduces how to integrate Wazuh with SafeLine WAF and Lark for alert notification.
Introduction
Wazuh
Wazuh is a SIEM platform that can be understood as a security version of ELK, featuring log aggregation and analysis, visualization, and host monitoring. Currently, it has 9.2k stars on GitHub and is available in both SaaS and open-source versions.
Wazuh consists of a Server and an Agent. The Agent handles log monitoring, vulnerability detection, security compliance baseline scanning, and process collection on servers. With the VirusTotal integration, it can also detect malicious files on disk.
In this article, we use the self-deployed open-source version 4.7.3, which provides the log monitoring and automated handling capabilities used here.
SafeLine Community Edition
SafeLine, developed by Chaitin Technology over nearly ten years, is a WAF driven by intelligent semantic analysis algorithms. It offers Community and Professional editions for global users.
This article uses the self-deployed community edition 5.4.0, which mainly provides web security detection and protection capabilities and generates security logs.
Lark
Lark is a collaborative work platform and IM software developed by ByteDance in China. If your company uses DingTalk or WeCom, similar results can be achieved.
We use the commercial version 7.15.9 in this article, primarily for receiving alert notifications and work communication, which is more efficient than traditional email communication.
Workflow Diagram & Effect Diagrams
Prerequisites
Two Servers
Wazuh Server: the operating system used in this article is CentOS 7.6. This server hosts the Wazuh Server and the Python handling scripts. Refer to the official documentation and the figure below for CPU, memory, and disk requirements:
SafeLine WAF Server: 32GB memory, 4-core CPU, 100GB disk, running Rocky Linux 9.3 in this article, which replaces the soon-to-be-discontinued CentOS 7. This server hosts SafeLine WAF and the Wazuh Agent.
Installing Wazuh Server
The components and functions of the Wazuh Server are extensive and also support cluster deployment. This article will not elaborate and aims to quickly deploy the environment.
Run the official one-click installation script; using a proxy is recommended to avoid installation failures.
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a
Upon completion, the web access address and admin password are printed. Open https://<wazuh-dashboard-ip> in a browser to reach the Wazuh web interface.
If access fails, check whether port 443 is open in the firewall.
INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
User: admin
Password: <ADMIN_PASSWORD>
INFO: Installation finished.
For further installation issues, refer to the official installation documentation and troubleshoot based on the prompts and logs.
Installing SafeLine WAF
Install Docker
Remove old versions of Docker:
sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
Install the latest version of Docker:
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl start docker
sudo systemctl enable docker
Install SafeLine WAF
bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"
After installation, ensure port 9443 is open in the firewall. The initial account is admin, and its password is generated randomly by the WAF installer.
For further installation issues, refer to the official installation documentation.
Installing Wazuh Agent
Log in to the Wazuh web management interface using a local browser:
Enter the deployment interface:
Generate the Wazuh Agent deployment command:
Log in to the SafeLine WAF server and execute the following command to install the Wazuh Agent. Ensure that ports 1514 and 1515 on the Wazuh Server are reachable from the SafeLine WAF server.
curl -o wazuh-agent-4.7.4-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.4-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.31.24' WAZUH_AGENT_NAME='waf' rpm -ihv wazuh-agent-4.7.4-1.x86_64.rpm
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
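Once the agent is installed it is worth confirming that the host actually reached the state the steps above assume: the manager ports are reachable, the agent has enrolled, and the SafeLine containers are up. The script below is an added example, not code from the article or from the Wazuh or SafeLine projects. It assumes the agent state file /var/ossec/var/run/wazuh-agentd.state written by the official Wazuh agent package, SafeLine container names that start with "safeline-", a dotted-quad IPv4 in WAZUH_MANAGER as used in the install command above, and an assumed 128-character limit on WAZUH_AGENT_NAME.

```shell
#!/usr/bin/env bash
# Post-install checks for the SafeLine WAF host after the Wazuh Agent install.
# Added example; not from the article or the Wazuh/SafeLine projects.
# Assumed: /var/ossec/var/run/wazuh-agentd.state (official agent package),
# "safeline-*" container names, manager ports 1514 (agent traffic) and 1515
# (enrollment) as named in the article.
set -u

# Constructed sample of a wazuh-agentd.state file, used only for offline checks.
SAMPLE_STATE="# State file for wazuh-agentd
status='connected'
last_keepalive='2024-10-12 10:00:00'
last_ack='2024-10-12 10:00:05'"

# Extract the status value (connected / disconnected / pending) from the
# key='value' lines of wazuh-agentd.state; prints nothing if absent.
agent_state_status() {
  printf '%s\n' "$1" | sed -n "s/^status='\([^']*\)'.*/\1/p" | head -n 1
}

# WAZUH_MANAGER is a dotted-quad IPv4 in this setup; reject anything else so a
# typo does not leave the agent trying to enroll against the wrong host.
valid_ipv4() {
  local IFS=. octet
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# WAZUH_AGENT_NAME: letters, digits, '-', '_' and '.'; 128 chars is an assumed limit.
valid_agent_name() {
  case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  [ ${#1} -le 128 ]
}

# TCP reachability via bash's /dev/tcp, so nc/nmap are not needed on the WAF host.
port_open() {
  local host=$1 port=$2
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Live checks against the running host; needs root to read the agent state file.
run_checks() {
  local manager=${WAZUH_MANAGER:?set WAZUH_MANAGER to the manager IP} rc=0 p s
  valid_ipv4 "$manager" || { echo "FAIL: WAZUH_MANAGER '$manager' is not an IPv4 address"; return 1; }
  for p in 1514 1515; do
    if port_open "$manager" "$p"; then echo "ok:   $manager:$p reachable"
    else echo "FAIL: $manager:$p unreachable (manager firewall?)"; rc=1; fi
  done
  if [ -r /var/ossec/var/run/wazuh-agentd.state ]; then
    s=$(agent_state_status "$(cat /var/ossec/var/run/wazuh-agentd.state)")
    if [ "$s" = connected ]; then echo "ok:   agent status $s"
    else echo "FAIL: agent status '${s:-unknown}' (check enrollment on port 1515)"; rc=1; fi
  else
    echo "FAIL: agent state file missing or unreadable (wazuh-agent running? run as root?)"; rc=1
  fi
  if docker ps --format '{{.Names}}' 2>/dev/null | grep -q '^safeline-'; then
    echo "ok:   SafeLine containers running"
  else echo "FAIL: no safeline-* containers found"; rc=1; fi
  return $rc
}

# Only touch the live system when asked, so the file can also be sourced for its helpers.
if [ "${RUN_CHECKS:-0}" = 1 ]; then run_checks; fi
```

Run it on the WAF host as `sudo RUN_CHECKS=1 WAZUH_MANAGER=192.168.31.24 bash waf-checks.sh`; a non-zero exit means at least one check failed, and each FAIL line points at the step above that needs revisiting (manager firewall for 1514/1515, agent service or enrollment, or the SafeLine containers).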
Installing Lark
Download and install Lark directly from the official website.
To be continued...