AWS traffic mirroring and security analysis with Suricata

Install Suricata on an Ubuntu instance

sudo apt install software-properties-common   # provides add-apt-repository
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install suricata
sudo systemctl enable suricata.service
# keep the service stopped while the configuration is edited; it is started again below
sudo systemctl stop suricata.service

Configure Suricata

Edit /etc/suricata/suricata.yaml (for example with sudo nano /etc/suricata/suricata.yaml) and set:

# enable/disable the community id feature (a flow hash that lets you correlate
# Suricata events with other tools such as Zeek)
community-id: true
# Linux high speed capture support
af-packet:
  # must be the interface that receives the mirrored traffic; find it with
  # "ip route show default" (see below) and replace eth0 if it differs
  - interface: eth0
    # Number of receive threads. "auto" uses the number of cores
    #threads: auto
    # Default clusterid. AF_PACKET will load balance packets based on flow.
    cluster-id: 99
# allow rules to be reloaded live (SIGUSR2) without restarting the service
detect-engine:
  - rule-reload: true

Set up Suricata

# determine the capture device name (the "dev" field) and check it matches the af-packet interface above
ip -p -j route show default
# fetch the rule sets (Emerging Threats Open is the default source)
sudo suricata-update
# list available rule sources
sudo suricata-update list-sources
# enable a specific source, then fetch again so its rules are actually downloaded
sudo suricata-update enable-source tgreen/hunting
sudo suricata-update
# validate the configuration and the rules before starting
sudo suricata -T -c /etc/suricata/suricata.yaml -v
# start the service
sudo systemctl start suricata.service
# view status
sudo systemctl status suricata.service
# view logs
sudo tail -f /var/log/suricata/suricata.log
# after later rule updates, reload the rules without restarting (requires rule-reload: true)
sudo kill -USR2 $(pidof suricata)

Install Filebeat to ship Suricata events to Elasticsearch

# add the Elastic GPG key (apt-key is deprecated on newer Ubuntu releases; the Elastic docs describe the signed-by keyring variant)
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# add the 7.x repository to the apt sources (the https transport must be installed)
sudo apt install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
# install filebeat
sudo apt update
sudo apt install filebeat
# edit the filebeat configuration
sudo nano /etc/filebeat/filebeat.yml

Edit filebeat.yml. Use a dedicated Elasticsearch user with only the privileges Filebeat needs rather than the superuser; the password can be kept out of the file with the Filebeat keystore (filebeat keystore add ES_PWD) and referenced as "${ES_PWD}".

# Kibana endpoint, used by "filebeat setup" to load the Suricata dashboards
setup.kibana:
    host: "your_kibana_ip:5601"
output.elasticsearch:
    hosts: ["your_es_ip:9200"]
    username: "xxxxx"
    password: "xxxxx"

Enable the Filebeat Suricata module

sudo filebeat modules enable suricata
# load the index template, ingest pipelines and Kibana dashboards
sudo filebeat setup
sudo systemctl start filebeat.service
# SSH tunnel to Kibana when it is not reachable directly; then browse http://localhost:5601
ssh -N -L 5601:your_kibana_ip:5601 user@your_ssh_host

Create a traffic mirror target in AWS

In the VPC console (Traffic Mirroring) create the target, the filter and the session. Mirrored packets are delivered to the target ENI VXLAN-encapsulated on UDP port 4789, so the security group of the Suricata instance must allow inbound UDP 4789 from the source ENI; Suricata 5 and later decodes VXLAN on that port by default (decoder.vxlan in suricata.yaml). A filter rule applies to one direction only, so add it to both the inbound and the outbound rules if both directions of a connection should be inspected.

  • Target settings: suricata-instance
  • Choose target: the network interface ID (ENI) of the Suricata EC2 instance
  • Create a traffic mirror filter:
    • Rule number: 100
    • Rule action: accept
    • Protocol: TCP
    • Source CIDR block: 0.0.0.0/0
    • Destination CIDR block: 0.0.0.0/0
  • Create a traffic mirror session:
    • Select the network interface in the VPC whose traffic should be monitored as the source
    • Select suricata-instance as the target
    • Select the custom filter created above
  • Then inspect the logs on the Suricata instance or open the Suricata dashboard in Kibana
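
The same target, filter and session can be created from the EC2 API. The script below is an added example and is not part of the original page: it builds the ordered API calls (with the accept rule for both directions), applies them to a boto3 EC2 client, and checks the prerequisite the console leaves implicit, namely that the Suricata instance's security group admits UDP 4789 from the source. The ENI IDs and the security group rules in it are placeholders constructed for the demo, and FakeEC2 is an offline stand-in for boto3.client("ec2").

```python
"""Added example (not from the original page): create an AWS Traffic Mirror
target/filter/session via the EC2 API and check the VXLAN prerequisite.
ENI IDs and security-group data are placeholders constructed for the demo."""
import ipaddress

VXLAN_PORT = 4789
PROTO_TCP = 6  # filter rules take IANA protocol numbers, not names


def mirror_api_calls(source_eni, target_eni, session_number=1,
                     rule_number=100, protocol=PROTO_TCP, cidr="0.0.0.0/0"):
    """Ordered (method, kwargs) pairs: target -> filter -> one accept rule per
    direction -> session. "{target}"/"{filter}" are filled in by apply_mirror()."""
    calls = [
        ("create_traffic_mirror_target",
         {"NetworkInterfaceId": target_eni, "Description": "suricata-instance"}),
        ("create_traffic_mirror_filter", {"Description": "suricata-filter"}),
    ]
    # A rule covers one direction only; add both so that request and response
    # packets of a TCP connection are mirrored.
    for direction in ("ingress", "egress"):
        calls.append(("create_traffic_mirror_filter_rule", {
            "TrafficMirrorFilterId": "{filter}",
            "TrafficDirection": direction,
            "RuleNumber": rule_number,
            "RuleAction": "accept",
            "Protocol": protocol,
            "SourceCidrBlock": cidr,
            "DestinationCidrBlock": cidr,
        }))
    calls.append(("create_traffic_mirror_session", {
        "NetworkInterfaceId": source_eni,
        "TrafficMirrorTargetId": "{target}",
        "TrafficMirrorFilterId": "{filter}",
        "SessionNumber": session_number,
    }))
    return calls


def sg_allows_vxlan(ip_permissions, source_ip):
    """True if inbound IpPermissions (shape of describe_security_groups output)
    admit UDP/4789 from source_ip. IpProtocol "-1" means all traffic."""
    src = ipaddress.ip_address(source_ip)
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "udp":
            if not perm.get("FromPort", 0) <= VXLAN_PORT <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":
            continue
        for rng in perm.get("IpRanges", []):
            if src in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return True
    return False


def apply_mirror(ec2, calls):
    """Run the calls against a boto3 EC2 client, threading the created target
    and filter IDs into later calls. Returns the traffic mirror session ID."""
    ids, session_id = {}, None
    for method, kwargs in calls:
        kwargs = {k: v.format(**ids) if isinstance(v, str) else v
                  for k, v in kwargs.items()}
        resp = getattr(ec2, method)(**kwargs)
        if method == "create_traffic_mirror_target":
            ids["target"] = resp["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
        elif method == "create_traffic_mirror_filter":
            ids["filter"] = resp["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
        elif method == "create_traffic_mirror_session":
            session_id = resp["TrafficMirrorSession"]["TrafficMirrorSessionId"]
    return session_id


class FakeEC2:
    """Offline stand-in for boto3.client("ec2"): records every call and returns
    responses shaped like the real API (e.g. {"TrafficMirrorTarget": {...}})."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            key = method.replace("create_", "")            # traffic_mirror_target
            name = "".join(p.capitalize() for p in key.split("_"))  # TrafficMirrorTarget
            return {name: {name + "Id": key.split("_")[-1][:3] + "-demo"}}
        return call


if __name__ == "__main__":
    # constructed security group: UDP 4789 allowed from the monitored subnet only
    sg_rules = [{"IpProtocol": "udp", "FromPort": 4789, "ToPort": 4789,
                 "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]
    print("vxlan allowed from 10.0.1.25:", sg_allows_vxlan(sg_rules, "10.0.1.25"))
    ec2 = FakeEC2()  # replace with boto3.client("ec2") for a real run
    print(apply_mirror(ec2, mirror_api_calls("eni-source-placeholder",
                                             "eni-suricata-placeholder")))
```

For a real run, fetch the target ENI's group with describe_security_groups and pass its IpPermissions to sg_allows_vxlan with the source ENI's private IP before creating the session; a session whose packets are dropped by the security group shows nothing in Suricata and no error in the console.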

Check for alerts on the Suricata instance

sudo apt install jq
# sid 2100498 ("GPL ATTACK_RESPONSE id check returned root") is the alert raised when a mirrored host fetches http://testmynids.org/uid/index.html, a convenient end-to-end test of the mirror
jq 'select(.event_type == "alert" and .alert.signature_id == 2100498)' /var/log/suricata/eve.json
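
Beyond a single jq filter, a short script makes it easier to see which signatures fire and from where. The following is an added example, not code from the original page: it reads EVE JSON lines, skips the truncated last line that a live eve.json usually has, filters by signature_id like the jq one-liner, and summarises alerts per signature and source address. The eve.json lines embedded in it are constructed for the demo (sid 9000001 is a made-up local signature); on the instance use load_eve() on /var/log/suricata/eve.json instead.

```python
"""Added example (not from the original page): triage Suricata EVE JSON alerts.
The sample eve.json lines below are constructed for the demo."""
import json
from collections import Counter

SAMPLE_EVE = r'''
{"timestamp":"2021-04-01T10:00:00.000000+0000","flow_id":1,"in_iface":"eth0","event_type":"alert","src_ip":"10.0.1.25","src_port":80,"dest_ip":"10.0.2.10","dest_port":52014,"proto":"TCP","community_id":"1:demo=","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-01T10:00:01.000000+0000","flow_id":1,"in_iface":"eth0","event_type":"flow","src_ip":"10.0.2.10","src_port":52014,"dest_ip":"10.0.1.25","dest_port":80,"proto":"TCP"}
{"timestamp":"2021-04-01T10:00:02.000000+0000","flow_id":2,"in_iface":"eth0","event_type":"alert","src_ip":"10.0.1.25","src_port":80,"dest_ip":"10.0.2.11","dest_port":40112,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-01T10:00:03.000000+0000","flow_id":3,"in_iface":"eth0","event_type":"alert","src_ip":"198.51.100.7","src_port":55555,"dest_ip":"10.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL test signature","category":"Misc activity","severity":3}}
{"timestamp":"2021-04-01T10:00:04.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.
'''


def iter_events(lines, event_type="alert"):
    """Yield parsed events of one type. Blank or truncated lines are skipped:
    the last line of a live eve.json is often still being written."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == event_type:
            yield ev


def alerts_for_sid(lines, sid):
    """Equivalent of: jq 'select(.alert.signature_id == SID)' eve.json"""
    return [ev for ev in iter_events(lines) if ev["alert"]["signature_id"] == sid]


def summarize_alerts(lines):
    """Count alerts per (signature_id, signature, src_ip), most frequent first."""
    counts = Counter()
    for ev in iter_events(lines):
        alert = ev["alert"]
        counts[(alert["signature_id"], alert["signature"], ev["src_ip"])] += 1
    return counts.most_common()


def load_eve(path="/var/log/suricata/eve.json"):
    """Read a real eve.json; run as root or add yourself to the suricata group."""
    with open(path, encoding="utf-8") as fh:
        return fh.readlines()


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()  # replace with load_eve() on the instance
    for (sid, signature, src), n in summarize_alerts(lines):
        print(f"{n:4d}  sid={sid}  src={src}  {signature}")
    print(len(alerts_for_sid(lines, 2100498)), "alerts for sid 2100498")
```

Because alert events carry the original (inner) addresses after VXLAN decoding, src_ip here is the mirrored host, not the source ENI of the mirror session.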

Stop and disable Suricata

sudo systemctl disable suricata
sudo systemctl stop suricata
