Wazuh and Kali Linux Alert to IPv6 Traffic
Posted on September 7, 2025 | by | in Kali Linux, Wazuh
To alert on IPv6 traffic using Wazuh and Kali Linux, you must install the Wazuh agent on the Kali machine, collect the network logs, and create a custom rule on your Wazuh manager to specifically detect and alert on IPv6-related events.

Install Wazah client on Kali Linux

				
					curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo tee /usr/share/keyrings/wazuh.gpg >/dev/null

echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list

sudo apt update

sudo apt install wazuh-agent

sudo nano /var/ossec/etc/ossec.conf

Update
<address>MANAGER_IP</address>

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent

<!-- If "sudo apt install wazuh-agent" doesn't work -->

sudo dpkg --configure -a
sudo apt --fix-broken install
sudo apt clean
sudo apt remove --purge wazuh-agent
sudo rm /var/lib/dpkg/info/wazuh-agent.*
sudo apt update
sudo apt full-upgrade

sudo apt install wazuh-agent

Configure Wazuh to collect network data

				
					<!-- All files in /var/ossec/etc/rules/ must be owned by the wazuh user -->

sudo -u wazuh bash
cd /var/ossec/etc
mkdir rules
touch local_rules.xml
nano local_rules.xml 

<!-- Contents -->

<group name="local,ipv6,">
  <!-- Custom local rules for monitoring IPv6 traffic -->

  <!-- Example: Alert on IPv6 traffic logs -->
  <rule id="100001" level="5">
    <decoded_as>syslog</decoded_as>
    <match>IPv6</match>
    <description>Detected IPv6 traffic in logs</description>
  </rule>

</group>

<!-- End -->

cd /var/ossec/etc/rules

chown wazuh:wazuh local_rules.xml
chmod 640 local_rules.xml
chown -R wazuh:wazuh /var/ossec/etc/rules
chmod 750 /var/ossec/etc/rules
xmllint --noout local_rules.xml

exit

sudo systemctl restart wazuh-agent

<!-- Alterative IPv6 Scan -->
<!-- Onbtain IPv6 address -->

ip -6 a

<!-- Contents of file -->

<group name="ipv6,">
  <rule id="100020" level="10">
    <decoded_as>json</decoded_as>
    <field name="agent.name">kali-machine</field>
    <field name="data.src_ip" type="ipv6">2001:db8::/32</field> <!-- Replace with Kali's IPv6 prefix -->
    <description>IPv6 traffic detected from Kali Linux host.</description>
  </rule>
</group>

<!-- End -->

Leave a Reply

Your email address will not be published. Required fields are marked *