DEV Community

Carrie

Integrating Open Source WAF with Wazuh (Part 1)

This article is written by a SafeLine WAF user, 曼联小胖子.

Background

As a cybersecurity engineer in a small and medium-sized enterprise, I often face limited resources (no SOC/SOAR) and understaffing, with one person potentially responsible for operating all the company’s security products (like myself). To improve the efficiency of security operations, we need to address the following issues:

  • Avoid frequently switching between security systems to view logs
  • Avoid the cumbersome task of manually blocking IPs
  • Ensure that attack details and alert-handling notifications promptly reach the relevant personnel for follow-up discussion.

This article mainly introduces how to integrate Wazuh with SafeLine WAF and Lark for alert notification.

Introduction

Wazuh

Wazuh is a SIEM platform that can be understood as a security version of ELK, featuring log aggregation and analysis, visualization, and host monitoring. Currently, it has 9.2k stars on GitHub and is available in both SaaS and open-source versions.

Wazuh consists of a Server and an Agent. The Agent provides log monitoring, vulnerability detection, security compliance baseline scanning, and process collection on servers. With the VirusTotal integration, it can also detect malicious files on disk.

In this article, we use the self-deployed open-source version 4.7.3, primarily providing log monitoring and automated handling capabilities.

SafeLine Community Edition

SafeLine, developed by Chaitin Technology over nearly ten years, is a WAF driven by intelligent semantic analysis algorithms. It offers Community and Professional editions for global users.

This article uses the self-deployed community edition 5.4.0, which mainly provides web security detection and protection capabilities and generates security logs.

Lark

Lark is a collaborative work platform and IM software developed by ByteDance in China. If your company uses DingTalk or WeCom, similar results can be achieved.

We use the commercial version 7.15.9 in this article, primarily for receiving alert notifications and work communication, which is more efficient than traditional email communication.

Workflow Diagram & Effect Diagrams

[Workflow diagram and effect diagrams]

Prerequisites

Two Servers

Wazuh Server: The operating system used in this article is CentOS 7.6. This server hosts the Wazuh Server and the alert-handling Python scripts. Refer to the official documentation and the figure below for CPU, memory, and disk requirements:

[Figure: Wazuh Server CPU, memory, and disk requirements]

SafeLine WAF Server: 32GB memory, 4-core CPU, 100GB disk, running Rocky Linux 9.3 in this article as a replacement for the soon-to-be-discontinued CentOS 7. This server hosts SafeLine WAF and the Wazuh Agent.

Installing Wazuh Server

The Wazuh Server has many components and functions and also supports cluster deployment. This article does not cover them in detail; the goal here is to get an environment up quickly.
Run the official one-click installation script; using a proxy is recommended to avoid installation failures.

curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Upon completion, the web access address and admin password are printed. Open https://<wazuh-dashboard-ip> in a browser to reach the Wazuh web interface.

If access fails, check if port 443 is open in the firewall.

INFO: --- Summary ---
INFO: You can access the web interface https://<wazuh-dashboard-ip>
    User: admin
    Password: <ADMIN_PASSWORD>
INFO: Installation finished.

For further installation issues, refer to the official installation documentation and troubleshoot based on the prompts and logs.

Installing SafeLine WAF

Install Docker

Remove old versions of Docker:

sudo yum remove docker \
        docker-client \
        docker-client-latest \
        docker-common \
        docker-latest \
        docker-latest-logrotate \
        docker-logrotate \
        docker-engine

Install the latest version of Docker:

sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo systemctl start docker
sudo systemctl enable docker

Install SafeLine WAF

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

Note that the -k flag skips TLS certificate verification for this download; drop it unless your environment cannot validate the certificate chain.

After installation, ensure port 9443 is open in the firewall. The initial account is admin, and the password is randomly generated after WAF installation.

For further installation issues, refer to the official installation documentation.

Installing Wazuh Agent

Log in to the Wazuh web management interface using a local browser.

Enter the deployment interface.

Generate the Wazuh Agent deployment command.

Log in to the SafeLine WAF server and execute the following command to install the Wazuh Agent. Ensure ports 1514 and 1515 of the Wazuh Server are open for access by the SafeLine WAF server.

curl -o wazuh-agent-4.7.4-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.4-1.x86_64.rpm && sudo WAZUH_MANAGER='192.168.31.24' WAZUH_AGENT_NAME='waf' rpm -ihv wazuh-agent-4.7.4-1.x86_64.rpm
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
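
Once the agent is installed, a quick post-install check helps confirm the prerequisites of this section actually hold. The script below is an added example, not from the original article: it tests that the WAF server can reach the manager on ports 1514 and 1515, that the wazuh-agent service is running, and shows how to read the output of `agent_control -l` (run on the manager) to confirm the agent enrolled as Active. The manager address 192.168.31.24 and agent name waf are the article's values; the agent listing is a constructed sample.

```shell
#!/bin/sh
# Post-install check for the Wazuh agent on the SafeLine WAF server.
# Added example; assumes the manager address and agent name from the article.
MANAGER="${WAZUH_MANAGER:-192.168.31.24}"
AGENT_NAME="${WAZUH_AGENT_NAME:-waf}"

# Return 0 if a TCP connect to host:port succeeds within 3 seconds.
# Uses bash's /dev/tcp so no extra tools are needed on the WAF server.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Read an `agent_control -l` listing on stdin and return 0 only if the
# named agent is present and its state is Active.
agent_active() {
  grep -E "Name: $1," | grep -q 'Active$'
}

# Constructed sample of `agent_control -l` output from the manager.
SAMPLE_LISTING='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: waf, IP: any, Active
   ID: 002, Name: db01, IP: any, Disconnected'

main() {
  # Enrollment uses 1515, ongoing event forwarding uses 1514.
  for p in 1514 1515; do
    if tcp_open "$MANAGER" "$p"; then
      echo "ok:   $MANAGER:$p reachable"
    else
      echo "FAIL: $MANAGER:$p not reachable (check the manager firewall)"
    fi
  done
  if command -v systemctl >/dev/null 2>&1; then
    if systemctl is-active --quiet wazuh-agent; then
      echo "ok:   wazuh-agent service is running"
    else
      echo "FAIL: wazuh-agent service is not running"
    fi
  fi
  # Dry run of the listing parser against the constructed sample.
  if printf '%s\n' "$SAMPLE_LISTING" | agent_active "$AGENT_NAME"; then
    echo "ok:   agent '$AGENT_NAME' is Active in the sample listing"
  else
    echo "FAIL: agent '$AGENT_NAME' is missing or not Active"
  fi
}
```

Run it on the WAF server as a whole; to check the real enrollment, pipe the actual `sudo /var/ossec/bin/agent_control -l` output from the manager into agent_active.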

Installing Lark

Download and install Lark directly from the official website.

To be continued...
