<div dir="ltr"><div dir="ltr"><div>There are several ways you can approach that:</div><div><br></div><div>1. run Suricata on NAT instances and route the outbound traffic through that (you will miss the ELB traffic this way)</div><div>2. capture traffic on each instance you are interested in monitoring and ship it over to a "central" Suricata sensor - easily done with netsniff-ng and, say, a GRE tunnel (your traffic will not be encrypted)</div><div>3. run Suricata everywhere</div><div>4. do not run Suricata and use VPC flow logs and GuardDuty (it's a nice noise generator with limited benefit)</div><div><br></div><div>More about various approaches here:</div><div><br></div><a href="https://github.com/michalpurzynski/michalpurzynski.github.io/blob/master/suricon2017/SuriCon%202017%20-%20final.pdf">https://github.com/michalpurzynski/michalpurzynski.github.io/blob/master/suricon2017/SuriCon%202017%20-%20final.pdf</a><div><br></div><div>A set of various Ansible playbooks plus CloudFormation templates that we used to use to deploy our cloudy Suricata:</div><div><br></div><div><a href="https://github.com/mozilla/vaporized_meerkat">https://github.com/mozilla/vaporized_meerkat</a><br></div></div></div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Jan 3, 2019 at 10:23 AM Jeff Dyke &lt;<a href="mailto:jeff.dyke@gmail.com">jeff.dyke@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Perhaps you can expand on the problem. I have Suricata running in IPS mode on a bunch of EC2 instances. While I use a configuration management system (SaltStack) to install and configure, the install is no different than bare metal (though I have never set it up on bare metal).
I followed what was out there for Ubuntu installations (you can add the repo) and configured it for my environment, not taking into account too much that I was running on EC2.<div><br></div><div>Jeff</div><div><br><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jan 3, 2019 at 1:03 PM Kaushal Shriyan &lt;<a href="mailto:kaushalshriyan@gmail.com" target="_blank">kaushalshriyan@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I would appreciate it if anyone has tried implementing Suricata IDS/IPS/NSM on the AWS cloud computing platform. Any docs or blogs to refer to as a reference? I look forward to hearing from you. Thanks in advance.</div><div><br></div><div>Best Regards,</div><div><br></div><div>Kaushal</div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div>
</blockquote></div>
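<div>Option 2 in the reply above (copy traffic on each instance and ship it over a GRE tunnel to a central Suricata sensor with netsniff-ng) is easy to get subtly wrong, so here is an added worked example of that setup. It is not code from the thread, from the SuriCon slides, or from the vaporized_meerkat project. It assumes a Linux capture instance with iproute2 and netsniff-ng, root privileges, a <code>gretap</code> (Ethernet-over-GRE) interface rather than plain <code>gre</code> because netsniff-ng forwards whole Ethernet frames, and that netsniff-ng accepts a tcpdump-style expression via <code>--filter</code>; the interface names and 10.0.x.x addresses are placeholders. The <code>DRY_RUN</code> switch prints the commands instead of running them so the plan can be reviewed without touching real interfaces.</div>

```shell
#!/bin/sh
# Added example for "option 2" (not code from the thread or from
# vaporized_meerkat): mirror one EC2 instance's traffic into a GRE tunnel with
# netsniff-ng so a central Suricata sensor can inspect it.
# Assumptions: Linux with iproute2 and netsniff-ng, run as root on the capture
# instance; the sensor terminates a matching gretap interface.
# gretap (Ethernet over GRE, IP protocol 47) is used instead of plain gre
# because netsniff-ng copies whole Ethernet frames, not bare IP packets.
# The mirrored traffic crosses the VPC unencrypted, exactly as the reply warns,
# so the sensor's security group should accept protocol 47 only from the
# capture instances.

: "${DRY_RUN:=0}"   # DRY_RUN=1 prints each command instead of executing it

# run: execute a command, or print it when DRY_RUN=1 so the plan can be
# reviewed (and tested) without root or real interfaces.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_gre_tunnel TUN LOCAL_IP SENSOR_IP
# Creates the gretap interface on the capture instance and brings it up.
setup_gre_tunnel() {
    tun=$1; local_ip=$2; sensor_ip=$3
    run ip link add name "$tun" type gretap local "$local_ip" remote "$sensor_ip" ttl 64
    run ip link set "$tun" up
}

# setup_sensor_tunnel TUN SENSOR_IP CAPTURE_IP
# The matching endpoint on the sensor host. Suricata's af-packet interface is
# then pointed at TUN (one gretap per capture instance is the usual layout).
setup_sensor_tunnel() {
    tun=$1; sensor_ip=$2; capture_ip=$3
    run ip link add name "$tun" type gretap local "$sensor_ip" remote "$capture_ip" ttl 64
    run ip link set "$tun" up
}

# mirror_traffic CAPTURE_IF TUN SENSOR_IP
# netsniff-ng's device-to-device mode (--in/--out) copies frames from the
# production interface into the tunnel without writing a pcap. The filter
# excludes traffic to and from the sensor: the GRE-encapsulated copies leave
# via CAPTURE_IF as well, and without the filter they would be captured and
# mirrored again in a loop that doubles until the link saturates.
mirror_traffic() {
    capture_if=$1; tun=$2; sensor_ip=$3
    run netsniff-ng --in "$capture_if" --out "$tun" --silent \
        --filter "not host $sensor_ip"
}

# Usage on the capture instance (placeholder values):
#   DRY_RUN=1 sh mirror.sh eth0 10.0.1.10 10.0.2.20   # review the plan
#   sh mirror.sh eth0 10.0.1.10 10.0.2.20             # build tunnel and mirror
if [ "$#" -eq 3 ]; then
    setup_gre_tunnel gretap1 "$2" "$3"
    mirror_traffic "$1" gretap1 "$3"
fi
```

<div>Two things worth checking once this runs for real: with the default 9001-byte instance MTU inside a VPC the encapsulated 1500-byte frames fit without fragmentation, but on a 1500-byte underlay you would need to lower the tunnel MTU or expect fragmented GRE; and the sensor-side Suricata should be configured in IDS (af-packet copy) mode on the gretap interface, since the mirrored frames are copies and there is nothing to drop inline.</div>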