Nguyen Dong

HIDS + NIDS: Why Your SMB Needs Both (And How We Integrated Wazuh + Suricata in a Single Platform)

Most SMBs think they're "covered" with just antivirus. Here's why that's like locking the front door but leaving every window wide open.


The Blind Spot in SMB Security

I've talked to dozens of SMB owners about their security setup. The conversation usually goes like this:

Me: "What security monitoring do you have?"
Them: "We have antivirus on every computer."
Me: "What about network traffic? Can you see what's going in and out?"
Them: ...silence...

This is the blind spot. Antivirus checks what's ON your computers. Nobody checks what's FLOWING THROUGH your network. An attacker exfiltrating data over DNS tunneling, a compromised device beaconing to a C2 server, lateral movement between machines: none of that shows up in an antivirus console, because none of it is a file on disk.

You need two types of monitoring. And no, you don't need a $200K/year SIEM to get them.


HIDS vs. NIDS: A 60-Second Primer

| | HIDS (Host-based IDS) | NIDS (Network-based IDS) |
|---|---|---|
| What it watches | Individual devices (endpoints) | Network traffic flow |
| Detects | File changes, process anomalies, login attempts, malware | Port scans, intrusion attempts, data exfiltration, C2 beaconing |
| Tool | Wazuh Agent | Suricata IDS |
| Where it runs | On each endpoint | On a network sensor or device |
| Analogy | Security camera inside each room | Guard at the building entrance |

HIDS tells you what happened on a machine. NIDS tells you what's happening on the wire.

You need both. Here's a real example:

A Wazuh alert says "3 failed SSH logins from 182.23.XX.XX". That's HIDS.
Suricata simultaneously sees "182.23.XX.XX is port-scanning 47 services on your network". That's NIDS.

Combined? You know it's not a typo — it's an active attacker probing your infrastructure. Block them instantly.
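Here is that correlation as code, so you can see what "combined" actually means. This is an added example, not VRadar's code: the Wazuh alert records (in alerts.json shape) and the Suricata eve.json lines are constructed, and the thresholds (3 failed logins, 10 distinct ports) are my own choice. Both sides are joined on the source IP, and only an IP that trips both the host signal and the network signal gets the "block" verdict that you would hand to Active Response.

```python
"""Correlate the host-side and network-side signals above by source IP.

Added example, not VRadar's code.  Wazuh alerts and eve.json lines are
constructed; thresholds are illustrative."""
import json
from collections import Counter, defaultdict

# Constructed Wazuh alerts in alerts.json shape.  5716 is Wazuh's stock
# "sshd: authentication failed" rule; correlation keys on the
# "authentication_failed" group, so any failed-login rule counts.
_SSH_FAIL = {"id": "5716", "level": 5, "groups": ["syslog", "sshd", "authentication_failed"]}
WAZUH_ALERTS = [
    {"rule": _SSH_FAIL, "agent": {"name": "web-01"}, "data": {"srcip": "182.23.0.10", "dstuser": "root"}},
    {"rule": _SSH_FAIL, "agent": {"name": "web-01"}, "data": {"srcip": "182.23.0.10", "dstuser": "admin"}},
    {"rule": _SSH_FAIL, "agent": {"name": "web-01"}, "data": {"srcip": "182.23.0.10", "dstuser": "ubuntu"}},
    # one failure from an internal host: a typo, not an attack
    {"rule": _SSH_FAIL, "agent": {"name": "web-01"}, "data": {"srcip": "10.0.0.7", "dstuser": "alice"}},
    # unrelated rule (file integrity) that must not be counted as a login failure
    {"rule": {"id": "550", "level": 7, "groups": ["ossec", "syscheck"]}, "agent": {"name": "web-01"}, "data": {}},
]

# Constructed Suricata eve.json lines: the same external IP touching 11 ports on
# one host, one ET scan alert for it, and one ordinary flow from somewhere else.
SCANNER = "182.23.0.10"
EVE_LINES = [
    json.dumps({"timestamp": "2024-05-01T10:00:00+0000", "event_type": "flow",
                "src_ip": SCANNER, "dest_ip": "10.0.0.5", "dest_port": p, "proto": "TCP"})
    for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080)
] + [
    json.dumps({"timestamp": "2024-05-01T10:00:01+0000", "event_type": "alert",
                "src_ip": SCANNER, "dest_ip": "10.0.0.5", "dest_port": 22, "proto": "TCP",
                "alert": {"signature": "ET SCAN Potential SSH Scan", "severity": 2}}),
    json.dumps({"timestamp": "2024-05-01T10:00:02+0000", "event_type": "flow",
                "src_ip": "203.0.113.9", "dest_ip": "10.0.0.5", "dest_port": 443, "proto": "TCP"}),
]


def failed_logins_by_ip(alerts):
    """HIDS side: failed authentications per source IP."""
    counts = Counter()
    for a in alerts:
        if "authentication_failed" in a["rule"].get("groups", []):
            ip = a.get("data", {}).get("srcip")
            if ip:
                counts[ip] += 1
    return counts


def probed_ports_by_ip(eve_lines):
    """NIDS side: distinct destination ports each source IP has touched."""
    ports = defaultdict(set)
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") in ("flow", "alert") and "dest_port" in ev:
            ports[ev["src_ip"]].add(ev["dest_port"])
    return ports


def correlate(alerts, eve_lines, login_threshold=3, port_threshold=10):
    """Join both views on source IP.  Thresholds are illustrative, not tuned."""
    logins = failed_logins_by_ip(alerts)
    ports = probed_ports_by_ip(eve_lines)
    result = {}
    for ip in set(logins) | set(ports):
        n_logins, n_ports = logins.get(ip, 0), len(ports.get(ip, ()))
        host_hit, net_hit = n_logins >= login_threshold, n_ports >= port_threshold
        verdict = "block" if host_hit and net_hit else "investigate" if host_hit or net_hit else "noise"
        result[ip] = {"failed_logins": n_logins, "ports_probed": n_ports, "verdict": verdict}
    return result


def ips_to_block(result):
    """What you would hand to Wazuh Active Response (e.g. the firewall-drop script)."""
    return sorted(ip for ip, r in result.items() if r["verdict"] == "block")


if __name__ == "__main__":
    res = correlate(WAZUH_ALERTS, EVE_LINES)
    for ip, r in sorted(res.items()):
        print(f"{ip:15} logins={r['failed_logins']} ports={r['ports_probed']} -> {r['verdict']}")
    print("block:", ips_to_block(res))
```

The point of requiring both signals is the false-positive budget: a single failed login from an internal IP stays "noise", and a lone port scan without any host-side evidence only becomes "investigate", so the automatic block fires only when the wire and the host agree.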


What We Built: Wazuh + Suricata → ClickHouse → AI

In VRadar, we integrated both HIDS and NIDS into a single pipeline. Here's how the data flows:

```
                    HIDS Pipeline
Windows/Linux/Mac ──→ Wazuh Agent ──→ Wazuh Manager
                                            │
                                            ▼ webhook
                                      VRadar Backend ──→ ClickHouse
                                            │              (security_logs)
                                            ▼
                                      AI Operator ──→ Triage + Auto-Response

                    NIDS Pipeline
Network Traffic ──→ Suricata IDS ──→ eve.json
                                        │
                                  Wazuh Agent (monitors eve.json)
                                        │
                                  Wazuh Manager ──→ Custom Rules 100100-100104
                                        │
                                        ▼ webhook
                                  VRadar Backend ──→ ClickHouse
                                                     (nta_events)
```

Both pipelines converge into the same backend. One dashboard. One AI engine analyzing everything.
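The convergence point in that diagram is the webhook receiver, which has to decide whether a Wazuh alert came from an endpoint (HIDS) or from the eve.json feed (NIDS) and normalise it for the right table. Here is an added example of that routing step; it is not VRadar's backend. It assumes the body is the alert JSON that Wazuh's integratord POSTs for a custom integration (rule / agent / decoder / data), that JSON-decoded Suricata events keep their eve.json nesting under `data`, and the column names for `security_logs` and `nta_events` are mine, not the product's schema.

```python
"""Route Wazuh webhook payloads into the two ClickHouse tables the post names.

Added example, not VRadar's backend.  Assumptions: the body is the alert JSON
Wazuh's integratord POSTs for a custom integration; Suricata events keep their
eve.json nesting under "data"; the column names are mine."""
import json

SURICATA_EVENT_TYPES = {"alert", "flow", "dns", "http", "tls", "fileinfo", "ssh", "smb"}


def is_suricata(alert):
    """NIDS events are JSON-decoded and carry an eve.json event_type."""
    return (alert.get("decoder", {}).get("name") == "json"
            and alert.get("data", {}).get("event_type") in SURICATA_EVENT_TYPES)


def to_nta_row(alert):
    d = alert["data"]
    sig = d.get("alert") or {}          # only present on event_type=alert
    return {
        "ts": alert["timestamp"], "sensor": alert["agent"]["name"],
        "event_type": d["event_type"], "proto": d.get("proto"),
        "src_ip": d.get("src_ip"), "src_port": d.get("src_port"),
        "dest_ip": d.get("dest_ip"), "dest_port": d.get("dest_port"),
        "signature": sig.get("signature"), "severity": sig.get("severity"),
        "wazuh_rule": alert["rule"]["id"], "level": alert["rule"]["level"],
    }


def to_security_row(alert):
    rule = alert["rule"]
    return {
        "ts": alert["timestamp"], "agent": alert["agent"]["name"],
        "rule_id": rule["id"], "level": rule["level"],
        "description": rule.get("description", ""), "groups": rule.get("groups", []),
        "src_ip": alert.get("data", {}).get("srcip"),   # Wazuh's host-side field name
        "full_log": alert.get("full_log"),
    }


def route(payload):
    """Return (table, row) for one webhook body."""
    alert = json.loads(payload)
    if is_suricata(alert):
        return "nta_events", to_nta_row(alert)
    return "security_logs", to_security_row(alert)


def clickhouse_batches(payloads):
    """Group rows per table and render each batch as the body of
    `INSERT INTO <table> FORMAT JSONEachRow` (one JSON object per line)."""
    rows_by_table = {}
    for p in payloads:
        table, row = route(p)
        rows_by_table.setdefault(table, []).append(row)
    return {t: "\n".join(json.dumps(r, separators=(",", ":")) for r in rows)
            for t, rows in rows_by_table.items()}


# Constructed payloads: one host alert, one Suricata flow, one Suricata alert.
SAMPLE_PAYLOADS = [
    json.dumps({"timestamp": "2024-05-01T10:00:00.000+0000",
                "rule": {"id": "5716", "level": 5, "description": "sshd: authentication failed.",
                         "groups": ["syslog", "sshd", "authentication_failed"]},
                "agent": {"id": "001", "name": "web-01"}, "decoder": {"name": "sshd"},
                "data": {"srcip": "182.23.0.10", "dstuser": "root"},
                "full_log": "May  1 10:00:00 web-01 sshd[4242]: Failed password for root from 182.23.0.10 port 51234 ssh2"}),
    json.dumps({"timestamp": "2024-05-01T10:00:01.000+0000",
                "rule": {"id": "100100", "level": 3, "description": "Suricata: Network flow event", "groups": ["suricata"]},
                "agent": {"id": "002", "name": "sensor-01"}, "decoder": {"name": "json"},
                "data": {"event_type": "flow", "src_ip": "182.23.0.10", "src_port": 51234,
                         "dest_ip": "10.0.0.5", "dest_port": 22, "proto": "TCP"}}),
    json.dumps({"timestamp": "2024-05-01T10:00:02.000+0000",
                "rule": {"id": "86601", "level": 3, "description": "Suricata: Alert - ET SCAN Potential SSH Scan", "groups": ["suricata"]},
                "agent": {"id": "002", "name": "sensor-01"}, "decoder": {"name": "json"},
                "data": {"event_type": "alert", "src_ip": "182.23.0.10", "dest_ip": "10.0.0.5", "dest_port": 22, "proto": "TCP",
                         "alert": {"signature": "ET SCAN Potential SSH Scan", "severity": 2}}}),
]

if __name__ == "__main__":
    for table, body in clickhouse_batches(SAMPLE_PAYLOADS).items():
        print(f"INSERT INTO {table} FORMAT JSONEachRow\n{body}\n")
```

Note the two different source-IP field names (`srcip` on host alerts, `src_ip` on Suricata events); normalising them at ingest is what makes the HIDS/NIDS correlation on the dashboard a plain join on one column. Batching per table before the INSERT matters for ClickHouse, which prefers fewer, larger inserts over one row at a time.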

The Technical Integration (For the Engineers)

Getting Suricata to talk to Wazuh cleanly wasn't trivial. Here are the challenges we solved:

1. Interface Detection on Windows

Suricata on Windows will not start if you pass it a friendly interface name like "Wi-Fi" or "Ethernet". It needs the Npcap device path, \Device\NPF_{GUID}, so the installation script picks the first physical adapter that is up and builds that path:

```powershell
# Convert friendly name -> NPF device path (Suricata requirement); skip loopback/virtual adapters
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'Loopback|Virtual|Hyper-V' } | Select-Object -First 1
if (-not $adapter) { throw "No active physical network adapter found" }
# Single backslashes: '\' is not an escape in PowerShell strings, so "\\Device\\NPF_" would double the path.
# (If you later write this into a double-quoted YAML scalar, escape the backslashes there, not here.)
$npcapDevice = "\Device\NPF_$($adapter.InterfaceGuid)"
```

2. Rule File Auto-Detection

Suricata ships different rule files depending on version. Our script scans the actual rules/ directory and rewrites the rule-files: list in suricata.yaml to match what is really there:

```powershell
# Pick up whatever rule files this Suricata version shipped with
$rules = Get-ChildItem "$env:ProgramFiles\Suricata\rules" -Filter "*.rules" |
    Where-Object { $_.Name -notmatch 'dnp3|modbus|ipsec' }  # Exclude ICS (dnp3, modbus) and IPsec rules
# $rules.Name is what goes into the 'rule-files:' list in suricata.yaml
```

3. JSON Decoder Limit

Suricata's eve.json events are big, and with the alert, http, tls and flow sections flattened out they carry a lot of fields. The limit that bit us is not byte size: Wazuh's JSON decoder is capped by analysisd.decoder_order_size (default 256) on the number of fields it will extract from one event, and anything past that is dropped (analysisd logs a "Too many fields" error), so rules that key on later fields never match. Raising it in the manager's local internal options fixed it:

```
# /var/ossec/etc/local_internal_options.conf on the manager; restart wazuh-manager afterwards
analysisd.decoder_order_size=1024
```

Increased from the default 256; 1024 is the documented maximum.
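Before changing the manager setting it is worth checking whether your own eve.json events actually hit the limit. Here is an added example that counts the fields the decoder would produce for an event; it is not Wazuh's or VRadar's code, and the flattening rule it uses (nested objects become dotted keys, scalars and arrays count as one field each) is an approximation of the decoder's behaviour. The sample event is constructed in the shape of a Suricata HTTP alert.

```python
"""Count the fields Wazuh's JSON decoder would extract from an eve.json event,
to tell whether analysisd.decoder_order_size (default 256) is enough.

Added example, not Wazuh's or VRadar's code.  The flattening rule is an
approximation: nested objects become dotted keys, arrays and scalars are one
field each.  SAMPLE_EVE is constructed in the shape of a Suricata HTTP alert."""
import json

SAMPLE_EVE = {
    "timestamp": "2024-05-01T10:00:00.000000+0000", "flow_id": 1234567890, "in_iface": "eth0",
    "event_type": "alert", "src_ip": "198.51.100.7", "src_port": 51234,
    "dest_ip": "10.0.0.5", "dest_port": 80, "proto": "TCP",
    "alert": {
        "action": "allowed", "gid": 1, "signature_id": 2100498, "rev": 7,
        "signature": "GPL ATTACK_RESPONSE id check returned root",
        "category": "Potentially Bad Traffic", "severity": 2,
        "metadata": {"created_at": ["2010_09_23"], "updated_at": ["2019_07_26"]},
    },
    "http": {"hostname": "10.0.0.5", "url": "/", "http_user_agent": "curl/8.0",
             "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 30},
    "flow": {"pkts_toserver": 4, "pkts_toclient": 3, "bytes_toserver": 300,
             "bytes_toclient": 250, "start": "2024-05-01T09:59:59.000000+0000"},
}
SAMPLE_LINE = json.dumps(SAMPLE_EVE)


def decoded_fields(obj, prefix=""):
    """Yield the dotted field names the decoder would produce for one event."""
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from decoded_fields(value, name + ".")
        else:
            yield name              # scalars and arrays: one field each


def count_decoded_fields(event):
    return sum(1 for _ in decoded_fields(event))


def check_eve_line(line, limit=256):
    """How many fields one eve.json line decodes into, and whether it fits the limit."""
    event = json.loads(line)
    n = count_decoded_fields(event)
    return {"event_type": event.get("event_type"), "fields": n, "fits": n <= limit}


def scan_eve_lines(lines, limit=256):
    """Event types (with counts) that would exceed the limit; empty means you are fine."""
    over = {}
    for line in lines:
        r = check_eve_line(line, limit)
        if not r["fits"]:
            over[r["event_type"]] = over.get(r["event_type"], 0) + 1
    return over


def wide_event_line(extra):
    """The sample with `extra` additional scalar fields, to exercise the limit."""
    return json.dumps(dict(SAMPLE_EVE, extra={f"k{i}": i for i in range(extra)}))


if __name__ == "__main__":
    for label, line in (("sample alert", SAMPLE_LINE), ("sample + 300 fields", wide_event_line(300))):
        r = check_eve_line(line)
        print(f"{label}: {r['fields']} fields, fits default limit: {r['fits']}")
```

Run `scan_eve_lines(open("/var/log/suricata/eve.json"))` against a day of real traffic: if it comes back empty at 256, the decoder limit is not your problem and the missing fields are coming from somewhere else.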

4. Custom Wazuh Rules for Suricata

Suricata events reach Wazuh through the stock rule 86600 ("Suricata messages grouped"), which is level 0, so by itself it never produces an alert. Wazuh's own child rule 86601 elevates event_type alert to level 3, but flow, dns, http and tls events stay at level 0 and never make it into alerts.json. We created custom rules 100100-100104 in the manager's local_rules.xml to elevate them; the flow rule looks like this:

```xml
<!-- /var/ossec/etc/rules/local_rules.xml -->
<group name="suricata,">
  <rule id="100100" level="3">
    <if_sid>86600</if_sid>
    <field name="event_type">^flow$</field>
    <description>Suricata: Network flow event</description>
  </rule>
</group>
```
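The way to check rules like these is `wazuh-logtest` on the manager, but it helps to understand what the chain does before you get there. Here is an added dry-run of the rule tree over sample eve.json lines; it is neither Wazuh's matcher nor VRadar's code, and it covers only the features used here: `<if_sid>` parent chaining, `<field name="...">` regexes over the JSON-decoded event, and `$(field)` expansion in descriptions. Rules 86600/86601 are simplified copies of Wazuh's stock Suricata rules written with Python regex syntax (Wazuh's own syntax differs; there `\.` means any character), 100100 is the rule from the post, and 100200 is a hypothetical escalation rule of mine, not one of the post's 100100-100104.

```python
"""Dry-run a Wazuh rule chain for Suricata eve.json lines, without a manager.

Added example: neither Wazuh's matcher nor VRadar's code.  Only <if_sid>
chaining, <field> regexes and $(field) expansion are implemented.  86600/86601
are simplified stock rules in Python regex syntax; 100100 is from the post;
100200 is a hypothetical rule of mine."""
import json
import re
import xml.etree.ElementTree as ET

RULES_XML = """<group name="suricata,">
  <rule id="86600" level="0">
    <field name="timestamp">.+</field>
    <field name="event_type">.+</field>
    <description>Suricata messages grouped</description>
  </rule>
  <rule id="86601" level="3">
    <if_sid>86600</if_sid>
    <field name="event_type">^alert$</field>
    <description>Suricata: Alert - $(alert.signature)</description>
  </rule>
  <rule id="100100" level="3">
    <if_sid>86600</if_sid>
    <field name="event_type">^flow$</field>
    <description>Suricata: Network flow event</description>
  </rule>
  <!-- hypothetical: escalate severity-1 signatures so they page someone -->
  <rule id="100200" level="10">
    <if_sid>86601</if_sid>
    <field name="alert.severity">^1$</field>
    <description>Suricata: high-severity alert - $(alert.signature)</description>
  </rule>
</group>"""

# Constructed eve.json lines, one per case worth checking.
SAMPLE_LINES = {
    "flow": json.dumps({"timestamp": "2024-05-01T10:00:00+0000", "event_type": "flow", "src_ip": "182.23.0.10", "dest_ip": "10.0.0.5", "dest_port": 22, "proto": "TCP"}),
    "dns": json.dumps({"timestamp": "2024-05-01T10:00:01+0000", "event_type": "dns", "dns": {"type": "query", "rrname": "example.com", "rrtype": "A"}}),
    "alert_sev2": json.dumps({"timestamp": "2024-05-01T10:00:02+0000", "event_type": "alert", "alert": {"signature": "ET SCAN Potential SSH Scan", "severity": 2}}),
    "alert_sev1": json.dumps({"timestamp": "2024-05-01T10:00:03+0000", "event_type": "alert", "alert": {"signature": "CONSTRUCTED C2 beacon signature", "severity": 1}}),
}


def load_rules(xml_text):
    """Parse <rule> elements into dicts; parent is the <if_sid> value or None for roots."""
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "parent": (r.findtext("if_sid") or "").strip() or None,
             "fields": [(f.get("name"), re.compile(f.text)) for f in r.findall("field")],
             "description": r.findtext("description") or ""}
            for r in ET.fromstring(xml_text.strip()).iter("rule")]


def lookup(event, dotted):
    """Resolve a dotted name such as alert.severity; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(rule, event):
    """Every <field> regex must match the corresponding decoded value."""
    return all(lookup(event, name) is not None and rx.search(str(lookup(event, name)))
               for name, rx in rule["fields"])


def evaluate(rules, event):
    """Roots first, then the first matching child, until nothing deeper matches."""
    children = {}
    for r in rules:
        children.setdefault(r["parent"], []).append(r)
    matched = None
    while True:
        candidates = children.get(matched["id"] if matched else None, [])
        nxt = next((r for r in candidates if rule_matches(r, event)), None)
        if nxt is None:
            return matched
        matched = nxt


def render(description, event):
    """Expand $(alert.signature)-style placeholders from the event."""
    return re.sub(r"\$\(([\w.]+)\)",
                  lambda m: "" if lookup(event, m.group(1)) is None else str(lookup(event, m.group(1))),
                  description)


def classify(eve_line, log_alert_level=3):
    """Which rule fires for one eve.json line and whether the manager would log it.
    log_alert_level=3 is Wazuh's default; level 0 is never logged."""
    event = json.loads(eve_line)
    rule = evaluate(load_rules(RULES_XML), event)
    if rule is None:
        return {"rule_id": None, "level": None, "description": "", "logged": False}
    return {"rule_id": rule["id"], "level": rule["level"],
            "description": render(rule["description"], event),
            "logged": rule["level"] > 0 and rule["level"] >= log_alert_level}


if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        r = classify(line)
        print(f"{name:11} -> rule {r['rule_id']} level {r['level']} logged={r['logged']}: {r['description']}")
```

The dns case is the one that explains why custom rules are needed at all: it matches 86600 and nothing else, so it stays at level 0 and is silently dropped, exactly the behaviour the custom 100100-100104 rules exist to change.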

5. One-Click Installation

The biggest challenge: making all of this install with one command. Our agent script handles 6 steps automatically:

  1. Clean up any existing Wazuh/Suricata installation
  2. Register with Wazuh Manager
  3. Install Wazuh Agent (version-matched to Manager)
  4. Configure HIDS monitoring
  5. Install Npcap + Suricata IDS
  6. Wire Suricata → Wazuh → VRadar pipeline

Works on Windows, Linux, and macOS.


What You See in the Dashboard

Once both HIDS and NIDS are running, the VRadar dashboard shows:

HIDS Tab (System Alerts)

  • Security alerts from Wazuh (3,000+ detection rules)
  • Alert severity distribution (Critical/High/Medium/Low)
  • AI-powered triage decisions with confidence scores
  • One-click IP blocking via Wazuh Active Response

NIDS Tab (Network Monitoring)

  • Suricata IDS events (flow, DNS, HTTP, TLS)
  • Severity breakdown over 7 days
  • Protocol distribution and traffic patterns
  • Source/destination IP analysis with geolocation

Threat Map

  • Real-time world map showing attacks hitting your network
  • SVG-based Mercator projection with animated attack lines
  • Data from both HIDS (login attempts, malware) and NIDS (port scans, intrusion attempts)

Security Score

  • 9-factor scoring including both HIDS and NIDS health
  • NIDS Monitoring is one of the 9 scoring factors (10% weight)
  • Getting both working pushes your score above 80 (Grade B → A territory)

The Cost Argument

Here's what dual HIDS + NIDS monitoring costs at scale:

| Vendor | HIDS + NIDS | Monthly Cost (50 devices) |
|---|---|---|
| Arctic Wolf | Managed SOC | $3,500+ |
| Blumira | SIEM + IDS | $850+ |
| SentinelOne + Darktrace | EDR + NDR | $2,500+ |
| VRadar | Wazuh + Suricata + AI | $1,250 |

We can offer this pricing because:

  1. Wazuh and Suricata are open-source — $0 licensing
  2. AI triage via GPT-4o-mini — $0.15/1M tokens (we spend ~$2-5/tenant/month)
  3. ClickHouse for log storage — handles millions of events on a single server
  4. Solo operation — no sales team, no marketing department (yet)

Lessons for Other Builders

If you're building security tooling for SMBs:

  1. Don't make users choose between HIDS and NIDS. They need both. Bundle them.
  2. Auto-install everything. If setup takes more than one command, adoption drops to near zero.
  3. AI triage is table stakes now. GPT-4o-mini costs almost nothing. Use it to reduce alert fatigue.
  4. Suricata on Windows is possible but painful. Budget extra time for NPF device paths, rule-file compatibility, and threshold configs.
  5. Log everything to a columnar DB. ClickHouse is open source, so it handles millions of events on one server with no licence cost, and aggregate queries over them come back in milliseconds.

Try It

VRadar is live at vradar.io — plans start at $25/device/month for dual HIDS + NIDS monitoring with AI-powered threat analysis.

If you're running an SMB with no security monitoring (or just antivirus), you're exactly who we built this for.


I'm Dong, a solo developer from Vietnam building affordable security tools. If you have questions about integrating Wazuh + Suricata or building security products for the SMB market — ask me anything in the comments.


Tags: #cybersecurity #wazuh #suricata #HIDS #NIDS #ai #SOC #startup #opensource #buildinpublic
