idps-escape

Getting started: Full stack deployment guide

This guide provides step-by-step instructions for deploying the complete IDPS-ESCAPE stack, including signature-based intrusion detection (Suricata), SIEM & XDR (Wazuh), and anomaly detection components (SONAR/ADBox).

Deployment options

Option 1: Rapid deployment with RADAR

For rapid deployment of RADAR with an integrated Wazuh manager and agents:

cd radar
./build-radar.sh <scenario> --agent <local|remote> --manager <local|remote> --manager_exists false

See the RADAR README for detailed usage and scenario options.

Option 2: Manual step-by-step integration

Use this approach if you have existing Wazuh infrastructure or need custom configuration.

Step-by-step manual deployment

Prerequisites

Step 1: Deploy Suricata (Network IDS)

Purpose: Enable network-level monitoring and intrusion detection.

Installation options:

a. Containerized environment: Follow the Suricata installation guide

b. Configuration: Adapt to your local network using the configuration guide

Step 2: Deploy Wazuh central components (SIEM & XDR)

Purpose: Centralized log collection, event correlation, and security monitoring.

Installation:

a. Deploy Dashboard, Manager, and Indexer: Follow the Wazuh installation guide for containerized deployment

b. Configure for your environment: Complete system configuration steps

Step 3: Deploy Wazuh agents (Host monitoring)

Purpose: Monitor endpoint activity, file integrity, and host-level events.

Installation:

a. Primary host agent: Follow the Wazuh agent installation guide

b. Additional endpoints (optional): Deploy agents on other systems following the same procedure

c. Remote traffic monitoring (optional): Enable remote monitoring capabilities

Step 4: Integrate Suricata with Wazuh

Purpose: Unified network and host event correlation in SIEM.

Follow the Suricata-Wazuh integration procedure to:

Benefits:

Step 5: Deploy anomaly detection (SONAR or ADBox)

Purpose: ML-based anomaly detection on centralized SIEM data.

Option A: SONAR (Production - Recommended)

# Install SONAR
poetry install --with sonar

# Configure Wazuh connection
# Edit sonar/default_config.yaml with your Wazuh credentials

# Verify connection
poetry run sonar check

# Run detection scenario
poetry run sonar scenario --use-case sonar/scenarios/example_scenario.yaml

See the SONAR setup guide for detailed configuration.

Option B: ADBox (Research/Legacy)

# Build Docker image
./build-adbox.sh

# Configure Wazuh connection
# Edit adbox/assets/secrets/wazuh_credentials.json

# Verify connection
./adbox.sh -c

# Run detection use-case
./adbox.sh -u 1

See the ADBox installation guide for details.

Verification

After deployment, verify the integrated stack:

  1. Suricata alerts appear in the Wazuh Dashboard
  2. Host agents report to the Wazuh Manager
  3. SONAR/ADBox connects to the Wazuh Indexer
  4. Detection scenarios execute without errors
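The first three checks can be scripted against the Wazuh manager API and the Wazuh Indexer. The script below is an added example, not part of the IDPS-ESCAPE project; it assumes the default Wazuh API port 55000, the Indexer on port 9200, the `wazuh-alerts-*` index pattern, that the Suricata integration tags alerts with the `suricata` rule group, and (for `fetch_live`) that one set of credentials is valid for both services.

```python
import json, ssl, urllib.request
from base64 import b64encode

MANAGER_API = "https://127.0.0.1:55000"  # assumed Wazuh manager API endpoint
INDEXER_API = "https://127.0.0.1:9200"   # assumed Wazuh Indexer (OpenSearch) endpoint
ALERT_INDEX = "wazuh-alerts-*"           # assumed alerts index pattern
SAMPLE_AGENTS = {"data": {"affected_items": [  # constructed sample of a GET /agents reply
    {"id": "000", "name": "wazuh-manager", "status": "active"},
    {"id": "001", "name": "host-a", "status": "active"},
    {"id": "002", "name": "host-b", "status": "disconnected"}]}}
SAMPLE_SEARCH = {"hits": {"hits": [  # constructed sample of an Indexer _search reply
    {"_source": {"rule": {"groups": ["ids", "suricata"]}, "data": {"alert": {"signature": "sample"}}}},
    {"_source": {"rule": {"groups": ["syscheck"]}}}]}}

def _request(url, headers, body=None, method="GET", cafile=None):
    """HTTPS helper; pass the stack's CA via cafile rather than disabling verification."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile), timeout=10) as r:
        return json.load(r)

def agent_problems(agents_reply):
    """Ids of agents whose status is not 'active' in a GET /agents reply."""
    return [a["id"] for a in agents_reply["data"]["affected_items"] if a.get("status") != "active"]

def suricata_query(minutes):
    """_search body: alerts from the last N minutes carrying the 'suricata' rule group."""
    return {"size": 100, "query": {"bool": {"filter": [
        {"term": {"rule.groups": "suricata"}},
        {"range": {"timestamp": {"gte": f"now-{minutes}m"}}}]}}}

def suricata_alert_count(search_reply):
    """Hits in a _search reply whose rule groups include 'suricata'."""
    return sum(1 for h in search_reply["hits"]["hits"]
               if "suricata" in h["_source"].get("rule", {}).get("groups", []))

def verify_stack(agents_reply, search_reply):
    """Verification items 1 and 2 as booleans; a successful _search also covers item 3."""
    return {"suricata_ok": suricata_alert_count(search_reply) > 0,
            "agents_ok": not agent_problems(agents_reply)}

def fetch_live(user, password, cafile=None, minutes=15):
    """Query a running stack: Wazuh API via JWT, Indexer via basic auth (same credentials assumed)."""
    basic = {"Authorization": "Basic " + b64encode(f"{user}:{password}".encode()).decode()}
    token = _request(f"{MANAGER_API}/security/user/authenticate", basic, method="POST", cafile=cafile)
    bearer = {"Authorization": "Bearer " + token["data"]["token"]}
    agents = _request(f"{MANAGER_API}/agents", bearer, cafile=cafile)
    search = _request(f"{INDEXER_API}/{ALERT_INDEX}/_search", basic, suricata_query(minutes), "POST", cafile)
    return verify_stack(agents, search)
```

Run `verify_stack(SAMPLE_AGENTS, SAMPLE_SEARCH)` to see the report shape offline, then `fetch_live(user, password, cafile="path/to/root-ca.pem")` against the deployed stack.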

Architecture overview

┌─────────────┐
│   Suricata  │ (Network IDS)
└──────┬──────┘
       │ network alerts
       ↓
┌─────────────────────────────────────┐
│         Wazuh Manager               │ (SIEM & XDR)
│  ┌──────────────┐  ┌─────────────┐  │
│  │ Log Collector│  │ Rule Engine │  │
│  └──────────────┘  └─────────────┘  │
└────────────┬────────────────────────┘
             │ indexed alerts
             ↓
┌─────────────────────────────────────┐
│      Wazuh Indexer (OpenSearch)     │
└────────────┬────────────────────────┘
             │ query alerts
             ↓
┌─────────────────────────────────────┐
│    SONAR / ADBox (Anomaly Det.)     │
│         ↓ anomalies ↓               │
│    Wazuh Data Streams (RADAR)       │
└─────────────────────────────────────┘

Next steps

Troubleshooting

Common issues:

For detailed troubleshooting, consult component-specific documentation.

Reference documentation