<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>One method is to put a virtual firewall/router that supports ERSPANs. </div><div><br data-mce-bogus="1"></div><div>You configure your virtual machines route "through" that virtual device/firewall. Once that is complete, you can create a ERSPAN to your Suricata instance. </div><div><br data-mce-bogus="1"></div><div>A ERSPAN takes the "span" traffic and passes it to your Suricata box over a GRE Tunnel. You have Suricata decode the GRE tunnel for analysis. </div><div><br data-mce-bogus="1"></div><div>Here's a link to a old (not discontinued) Brocade virtual appliance you could do this with:</div><div><br data-mce-bogus="1"></div><div>https://docs.extrahop.com/6.2/dep-brocade-aws/<br data-mce-bogus="1"></div><div><br data-mce-bogus="1"></div><div>You should be able to do it with any virtual firewall that support ERSPAN.</div><div><br data-mce-bogus="1"></div><div>Hope this helps and good luck!</div><div><br data-mce-bogus="1"></div><div><br></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"jose antonio izquierdo lopez" <jizquierdo@owlh.net><br><b>To: </b>"oisf-users" <oisf-users@lists.openinfosecfoundation.org><br><b>Sent: </b>Friday, May 11, 2018 7:06:21 AM<br><b>Subject: </b>[Oisf-users] Suricata and Cloud (AWS, GCLOUD) scenarios<br></div><br><div data-marker="__QUOTED_TEXT__"><div dir="ltr"><div class="gmail_default"><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">Hi Suricata Family, </span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">I'm working with Suricata on Cloud (AWS, GCLOUD) environments to define a 'software TAP' configuration/solution. Right now the best approach I can find is to do local traffic capture on each instance, save to pcap file, forward it to a Suricata running instance, and analyze it with Suricata. I don't want to include Suricata in each instance. </span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">I'm happy with the new functionality on Suricata 4.1 to keep running while ingesting new pcap files. It helps a lot.</span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">But my question is if someone has experience in this scenario and if there is a better approach to use Suricata in Cloud environments? </span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">This is what I have right now. </span></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><a href="http://documentation.owlh.net/en/latest/main/OwlHAWS.html" target="_blank">http://documentation.owlh.net/en/latest/main/OwlHAWS.html</a><br></span></div><div class="gmail_default"><br></div><div class="gmail_default"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">Thanks a lot, </span></div></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">Best Regards, </span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">Jose Antonio Izquierdo</span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">m - +34 673 055 255</span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;">skype - izquierdo.lopez</span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><br></span></div><div><span face="monospace, monospace" data-mce-style="font-family: monospace, monospace;" style="font-family: monospace, monospace;"><img width="96" height="34" src="https://docs.google.com/uc?export=download&id=180plM3cTdpAVTMK66Jh3gkmj0qkypR8V&revid=0B7TEJgO_mj_5c1ZmUlczamJ2YVU1U1VMSmtVOWRwbXM0VHA0PQ"><br></span></div></div></div></div></div></div></div></div></div>
<br>_______________________________________________<br>Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br><br>Conference: https://suricon.net<br>Trainings: https://suricata-ids.org/training/<br></div></div></body></html>