Building a Wazuh Server from Scratch in Python: Protocol Reverse Engineering
Developer souzo reverse-engineered the Wazuh agent-server protocol via packet analysis and built wazoo, an open-source Python Wazuh manager. Encryption and message framing explained in detail.
A developer known as souzo reverse-engineered the Wazuh agent-manager protocol purely by observing wire traffic, without reading Wazuh's server source code, and built wazoo, a Python-based drop-in Wazuh manager. The write-up walks through agent enrollment on port 1515 (OSSEC-headed registration messages, the server's returned agent ID and connection password) and the secure channel on port 1514, uncovering key details such as AES-CBC encryption, a hardcoded IV, and an AES key derived from the MD5 hex digest of the agent's registration key.
It also documents the message framing scheme: a length prefix, zlib compression, padding, an MD5 checksum for validation, and random/global/local counters, plus how control messages (agent startup/shutdown/ack, prefixed with #!-) are distinguished from actual log events. The server-side logic for crafting ACK replies was reverse-engineered too, completing a full handshake cycle compatible with real Wazuh agents.
This matters for security and infrastructure engineers because it shows a closed or sparsely documented protocol can be fully reconstructed from network observation alone. The resulting wazoo library offers a lightweight, extensible manager that can enroll genuine Wazuh agents, decrypt their traffic, and forward events over TCP/UDP/Unix sockets or files—useful both as a learning resource and as a practical alternative to running the official Wazuh manager.