AWS traffic security analysis with Suricata and VPC traffic mirroring
Install Suricata
On an Ubuntu instance:
```bash
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt install suricata
sudo systemctl enable suricata.service
sudo systemctl stop suricata.service
```
Configure Suricata
Edit the main config file with sudo nano /etc/suricata/suricata.yaml and set the following:
```yaml
# enable/disable the community id feature.
community-id: true
# Linux high speed capture support
af-packet:
  - interface: eth0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
detect-engine:
  - rule-reload: true
```
Set up Suricata
```bash
# reload config and restart
sudo kill -USR2 $(pidof suricata)
# determine the device name (use it as the af-packet interface above)
ip -p -j route show default
# update rules
sudo suricata-update
# list sources
sudo suricata-update list-sources
# enable a specific source
sudo suricata-update enable-source tgreen/hunting
# validate the config
sudo suricata -T -c /etc/suricata/suricata.yaml -v
# start service
sudo systemctl start suricata.service
# view status
sudo systemctl status suricata.service
# view logs
sudo tail -f /var/log/suricata/suricata.log
```
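The steps above determine the default-route device but the af-packet section is written with `interface: eth0`; on current AWS Nitro instances Ubuntu usually names the primary interface `ens5`, and a mismatch makes Suricata start cleanly while capturing nothing. The following check is an added example, not code from the page: it reads the JSON output of `ip -j route show default`, pulls the `interface:` entries out of the af-packet section of suricata.yaml with a regex (so no YAML library is needed), and reports whether they agree. The route JSON and YAML excerpt embedded below are constructed samples; `live_route_json()` runs the real `ip` command.

```python
"""Check that the af-packet capture interface in suricata.yaml matches the
instance's default-route device. Added example; not part of the original page."""
import json
import re
import subprocess

# Constructed sample of `ip -j route show default` on an AWS Nitro instance,
# where Ubuntu names the primary interface ens5 rather than eth0.
SAMPLE_ROUTE_JSON = (
    '[{"dst":"default","gateway":"172.31.0.1","dev":"ens5","protocol":"dhcp",'
    '"prefsrc":"172.31.1.10","metric":100,"flags":[]}]'
)

# Constructed excerpt of the af-packet section as it appears on the page.
SAMPLE_SURICATA_YAML = """\
community-id: true
af-packet:
  - interface: eth0
    cluster-id: 99
detect-engine:
  - rule-reload: true
"""


def default_route_device(route_json: str) -> str:
    """Return the 'dev' of the first default route in `ip -j route` output."""
    routes = json.loads(route_json)
    if not routes:
        raise ValueError("no default route found")
    return routes[0]["dev"]


def af_packet_interfaces(yaml_text: str) -> list:
    """Collect every '- interface: NAME' entry under the top-level af-packet key.
    A plain regex scan is used so the check has no dependency on PyYAML."""
    in_section = False
    found = []
    for line in yaml_text.splitlines():
        if re.match(r"^af-packet:\s*$", line):
            in_section = True
            continue
        if in_section and re.match(r"^\S", line):
            # Any other unindented key ends the af-packet section.
            in_section = False
        if in_section:
            m = re.match(r"^\s*-\s*interface:\s*(\S+)", line)
            if m:
                found.append(m.group(1))
    return found


def check_capture_interface(yaml_text: str, route_json: str) -> dict:
    """Compare configured capture interfaces with the default-route device."""
    dev = default_route_device(route_json)
    configured = af_packet_interfaces(yaml_text)
    return {"default_device": dev, "configured": configured, "ok": dev in configured}


def live_route_json() -> str:
    """Run the real `ip -j route show default` on this host."""
    return subprocess.run(
        ["ip", "-j", "route", "show", "default"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in
    # live_route_json() and open("/etc/suricata/suricata.yaml").read() on a host.
    result = check_capture_interface(SAMPLE_SURICATA_YAML, SAMPLE_ROUTE_JSON)
    print(result)
    if not result["ok"]:
        print(f"af-packet is bound to {result['configured']}, "
              f"but the default route uses {result['default_device']}")
```

Run it after `sudo suricata -T` passes: the `-T` test validates YAML syntax and rules, not whether the named interface carries the mirrored traffic, so this is the check that catches the silent-no-capture case.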
Install Filebeat
Filebeat ships the Suricata EVE events to Elasticsearch:
```bash
# add the Elastic GPG key to the system
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# add the repo to the apt sources
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
# install filebeat
sudo apt update
sudo apt install filebeat
# edit the filebeat config file
sudo nano /etc/filebeat/filebeat.yml
```
Edit filebeat.yml
```yaml
# Kibana endpoint used by `filebeat setup` to load dashboards
setup.kibana:
  host: "your_kibana_ip:5601"
output.elasticsearch:
  hosts: ["your_es_ip:9200"]
  username: "xxxxx"
  password: "xxxxx"
```
Enable the Filebeat Suricata module
```bash
sudo filebeat modules enable suricata
sudo filebeat setup
sudo systemctl start filebeat.service
# SSH tunnel to Kibana
ssh -L 5601:your_kibana_ip:5601 [email protected] -N
```
Create a traffic mirror target in AWS
Create the traffic mirror in the AWS VPC console:
- Target settings: suricata-instance
- Choose target: the Suricata EC2 instance's network interface ID
- Create a traffic mirror filter:
- Rule number: 100
- Rule action: accept
- Protocol: TCP
- Source CIDR block: 0.0.0.0/0
- Destination CIDR block: 0.0.0.0/0
- Create a traffic mirror session:
- Select the network interface in the VPC whose traffic needs monitoring as the source
- Select suricata-instance as the target
- Select the custom filter created above
- Go to the Suricata EC2 instance to view the alert logs, or open the Kibana dashboard
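The console steps above can also be driven through the EC2 API, which makes the target, filter and session reproducible and exposes one detail the console form hides: a filter rule is created per traffic direction, so the single "rule 100, TCP, any to any" entry becomes one ingress rule and one egress rule. The script below is an added example, not code from the page. The boto3 call and parameter names (`create_traffic_mirror_target`, `create_traffic_mirror_filter`, `create_traffic_mirror_filter_rule`, `create_traffic_mirror_session` and their keyword arguments) follow the EC2 API as I know it; confirm them against the boto3 reference for your SDK version. The ENI IDs are placeholders, and `DryRunEc2` is a constructed stand-in client that records the calls so the script runs offline; pass a real `boto3.client("ec2")` to apply it. Two operational points to remember: mirrored packets reach the target VXLAN-encapsulated on UDP 4789, so the Suricata instance's security group must allow UDP 4789 from the mirrored sources, and Suricata's VXLAN decoder (enabled by default) is what lets it inspect the inner flows.

```python
"""Provision AWS Traffic Mirroring objects for a Suricata sensor with boto3.
Added example; not part of the original page. API parameter names are
assumed from the EC2 CreateTrafficMirror* operations."""
import itertools

# Placeholders: replace with the real ENI IDs from the console.
TARGET_ENI = "eni-SURICATA-PLACEHOLDER"   # Suricata instance's network interface
SOURCE_ENI = "eni-SOURCE-PLACEHOLDER"     # interface whose traffic is mirrored


def mirror_filter_rules(rule_number=100, protocol=6,
                        src="0.0.0.0/0", dst="0.0.0.0/0"):
    """Build the rule set matching the page's filter (rule 100, accept, TCP,
    any source/destination). Protocol is the IANA number: 6 == TCP.
    The API requires one rule per direction, hence ingress and egress."""
    return [
        {
            "TrafficDirection": direction,
            "RuleNumber": rule_number,
            "RuleAction": "accept",
            "Protocol": protocol,
            "SourceCidrBlock": src,
            "DestinationCidrBlock": dst,
        }
        for direction in ("ingress", "egress")
    ]


def provision_mirror(ec2, target_eni, source_eni, session_number=1,
                     description="suricata-instance"):
    """Create target -> filter -> rules -> session, wiring the returned IDs."""
    target = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description=description)
    target_id = target["TrafficMirrorTarget"]["TrafficMirrorTargetId"]

    filt = ec2.create_traffic_mirror_filter(Description=f"{description}-filter")
    filter_id = filt["TrafficMirrorFilter"]["TrafficMirrorFilterId"]

    for rule in mirror_filter_rules():
        ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)

    session = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=source_eni,
        TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id,
        SessionNumber=session_number,
        Description=f"{description}-session",
    )
    session_id = session["TrafficMirrorSession"]["TrafficMirrorSessionId"]
    return {"target_id": target_id, "filter_id": filter_id, "session_id": session_id}


class DryRunEc2:
    """Constructed stand-in for boto3's EC2 client: records each call and
    returns responses shaped like the real ones, with fake IDs."""

    def __init__(self):
        self.calls = []
        self._seq = itertools.count(1)

    def _record(self, name, kwargs, key, prefix):
        self.calls.append((name, kwargs))
        fake_id = f"{prefix}-{next(self._seq):08x}"
        return {key: {f"{key}Id": fake_id}}

    def create_traffic_mirror_target(self, **kw):
        return self._record("create_traffic_mirror_target", kw, "TrafficMirrorTarget", "tmt")

    def create_traffic_mirror_filter(self, **kw):
        return self._record("create_traffic_mirror_filter", kw, "TrafficMirrorFilter", "tmf")

    def create_traffic_mirror_filter_rule(self, **kw):
        return self._record("create_traffic_mirror_filter_rule", kw, "TrafficMirrorFilterRule", "tmfr")

    def create_traffic_mirror_session(self, **kw):
        return self._record("create_traffic_mirror_session", kw, "TrafficMirrorSession", "tms")


if __name__ == "__main__":
    # Offline run; replace DryRunEc2() with boto3.client("ec2") to apply.
    client = DryRunEc2()
    print(provision_mirror(client, TARGET_ENI, SOURCE_ENI))
    for name, kwargs in client.calls:
        print(name, kwargs)
```

Because the filter is "accept everything TCP", every byte of the source ENI's traffic is copied to the sensor; mirroring counts against the source instance's bandwidth, so on busy hosts narrow the CIDR blocks or ports before widening the deployment.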
```bash
sudo apt install jq
# show only alert events for a given signature id (2100498 is the GPL ATTACK_RESPONSE test signature)
jq 'select(.alert.signature_id==2100498)' /var/log/suricata/eve.json
```
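The jq one-liner answers "did this one signature fire?". When triaging a new sensor you usually want the general form: read eve.json line by line, skip non-alert events and the occasional truncated line (Suricata appends while you read), filter on an optional signature id, and summarise what fired, from where, keyed by the community id the config enabled so each hit can be joined to the matching flow record or to Zeek/other tools. The script below is an added example, not code from the page. The EVE records it parses are constructed samples in Suricata's alert and flow schema; the 2100498 signature text is the real one, the 1000001 "local rule" is invented for the example.

```python
"""Summarise Suricata EVE alert records (eve.json). Added example; not part of
the original page. Sample records below are constructed."""
import json
from collections import Counter

# Constructed EVE lines: two hits of the page's test signature, one flow
# record, one invented local rule, and one truncated line to exercise the
# error path. Field layout follows Suricata's eve.json alert/flow schema.
SAMPLE_EVE_LINES = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"in_iface":"ens5","event_type":"alert","src_ip":"203.0.113.10","src_port":80,"dest_ip":"172.31.1.10","dest_port":51234,"proto":"TCP","community_id":"1:CONSTRUCTED_A=","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"in_iface":"ens5","event_type":"flow","src_ip":"172.31.1.10","src_port":51235,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","community_id":"1:CONSTRUCTED_B="}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"in_iface":"ens5","event_type":"alert","src_ip":"198.51.100.7","src_port":80,"dest_ip":"172.31.1.11","dest_port":51236,"proto":"TCP","community_id":"1:CONSTRUCTED_C=","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"in_iface":"ens5","event_type":"alert","src_ip":"172.31.1.10","src_port":51237,"dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","community_id":"1:CONSTRUCTED_D=","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED local rule: outbound SSH to untrusted range","category":"Misc activity","severity":3}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":5,"event_type":"al
"""


def iter_events(text):
    """Parse one JSON object per line; count (not raise on) unparsable lines."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def select_alerts(events, signature_id=None):
    """Keep alert events, optionally only those for one signature id."""
    out = []
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        sid = ev.get("alert", {}).get("signature_id")
        if signature_id is not None and sid != signature_id:
            continue
        out.append(ev)
    return out


def summarize_alerts(alerts):
    """Group alerts by signature id: count, distinct sources, community ids."""
    summary = {}
    for ev in alerts:
        a = ev["alert"]
        entry = summary.setdefault(a["signature_id"], {
            "signature": a["signature"],
            "severity": a.get("severity"),
            "count": 0,
            "src_ips": set(),
            "community_ids": set(),
        })
        entry["count"] += 1
        entry["src_ips"].add(ev["src_ip"])
        if ev.get("community_id"):
            entry["community_ids"].add(ev["community_id"])
    return summary


def top_talkers(alerts, n=5):
    """Most frequent (src_ip, dest_ip) pairs across the selected alerts."""
    return Counter((ev["src_ip"], ev["dest_ip"]) for ev in alerts).most_common(n)


if __name__ == "__main__":
    import sys
    # Default to the embedded sample; pass a path to read a real eve.json.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EVE_LINES
    events, bad = iter_events(text)
    alerts = select_alerts(events)
    print(f"{len(events)} events, {len(alerts)} alerts, {bad} unparsable lines")
    for sid, e in sorted(summarize_alerts(alerts).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sid:>8} x{e['count']:<4} sev={e['severity']} {e['signature']} "
              f"from {sorted(e['src_ips'])}")
    print("top talkers:", top_talkers(alerts))
```

Run it as `python3 eve_summary.py /var/log/suricata/eve.json`. A high count of 2100498 from many distinct sources right after enabling mirroring is the expected signal that capture works (it is the signature the usual `testmynids.org` check trips); alerts that persist once the test traffic stops are the ones to take to the Kibana dashboard Filebeat populates.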
Stop and disable Suricata
```bash
sudo systemctl disable suricata
sudo systemctl stop suricata
```