idps-escape

Guide for IDPS and SIEM integrated deployment

IDPS-ESCAPE, short for Intrusion Detection and Prevention Systems for Evading Supply Chain Attacks and Post-compromise Effects, focuses on developing a sophisticated Security Information and Event Management (SIEM) system tailored for cloud-edge networks. This solution includes agents capable of seamless installation on systems earmarked for monitoring, along with a cutting-edge Intrusion Detection and Prevention System (IDPS) infused with machine learning capabilities.

This folder explains the integration of Suricata, an open-source Intrusion Detection System (IDS) known for its robust network security capabilities, with Wazuh, a cybersecurity platform that combines SIEM and XDR capabilities. Together they enhance the capabilities of the IDPS-ESCAPE solution and are the building blocks of the IDPS-ESCAPE prototype.

A complete installation of the signature-based intrusion detection subsystem and the SIEM of IDPS-ESCAPE comprises the following steps:

  1. Suricata, to enable network monitoring capabilities:
    a. installation in a containerized environment
    b. configuration for the local network
  2. Wazuh central components installation, for SIEM & XDR:
    a. installation of the Dashboard, Manager and Indexer in a containerized environment
    b. configuration for the local system
  3. Installation of the Wazuh agent to enable host monitoring capabilities.
  4. Optionally, deployment of additional agents on other remote hosts (system endpoints), same as step 3.
  5. Optionally, enabling remote traffic monitoring.
  6. Following the integration procedure for Suricata and Wazuh.
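Step 6 above hinges on the Wazuh agent reading Suricata's EVE JSON output so that network alerts arrive in the SIEM alongside host events. The fragment below is an added example (not this repository's own configuration) of the localfile block added to the agent's ossec.conf for that purpose; it assumes Suricata writes its EVE log to the default path /var/log/suricata/eve.json.

```xml
<!-- Added example, not part of the IDPS-ESCAPE repository. -->
<!-- Place inside the agent's /var/wazuh/etc/ossec.conf (path assumed; use the
     ossec.conf of your Wazuh agent installation) and restart the agent. -->
<ossec_config>
  <localfile>
    <!-- Suricata's eve.json emits one JSON object per line; the json format
         lets Wazuh decode fields such as event_type and alert.signature
         without a custom decoder. -->
    <log_format>json</log_format>
    <!-- Default Suricata EVE output path (assumed); in a containerized
         Suricata deployment this must be a volume the agent host can read. -->
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```

Confirm the integration by checking that the agent host can read eve.json (file permissions and the container volume mount) and that Suricata alerts appear in the Wazuh dashboard.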

Context

Deployment strategy

The procedure above describes the full deployment. Lighter options are possible, but we advise deploying all the subsystems to achieve the full potential of the solution.

DeployCC