[Oisf-users] Suricata and Cloud (AWS, GCLOUD) scenarios
Champ Clark III
cclark at quadrantsec.com
Fri May 11 13:10:36 UTC 2018
One method is to put a virtual firewall/router that supports ERSPANs.
You configure your virtual machines to route "through" that virtual device/firewall. Once that is complete, you can create an ERSPAN to your Suricata instance.
An ERSPAN takes the "span" traffic and passes it to your Suricata box over a GRE tunnel. You have Suricata decode the GRE tunnel for analysis.
Here's a link to an old (not discontinued) Brocade virtual appliance you could do this with:
https://docs.extrahop.com/6.2/dep-brocade-aws/
You should be able to do it with any virtual firewall that supports ERSPAN.
Hope this helps and good luck!
From: "jose antonio izquierdo lopez" <jizquierdo at owlh.net>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Friday, May 11, 2018 7:06:21 AM
Subject: [Oisf-users] Suricata and Cloud (AWS, GCLOUD) scenarios
Hi Suricata Family,
I'm working with Suricata on Cloud (AWS, GCLOUD) environments to define a 'software TAP' configuration/solution. Right now the best approach I can find is to do local traffic capture on each instance, save to pcap file, forward it to a Suricata running instance, and analyze it with Suricata. I don't want to include Suricata in each instance.
I'm happy with the new functionality on Suricata 4.1 to keep running while ingesting new pcap files. It helps a lot.
But my question is if someone has experience in this scenario and if there is a better approach to use Suricata in Cloud environments?
This is what I have right now.
http://documentation.owlh.net/en/latest/main/OwlHAWS.html
Thanks a lot,
Best Regards,
Jose Antonio Izquierdo
m - +34 673 055 255
skype - izquierdo.lopez
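To make the two approaches in this thread concrete, here is an added example (not code from either poster, OwlH, or the Suricata project) that does by hand what Champ's ERSPAN suggestion asks Suricata to do: it strips the outer IPv4/GRE/ERSPAN Type II encapsulation from a mirrored frame, reports the ERSPAN session and VLAN so the sensor can tell which span source a frame came from, and writes the recovered inner Ethernet frame to a classic libpcap file of the kind Jose's workflow forwards to a central Suricata for ingestion. All addresses, MACs, the VLAN and the session id are constructed sample values; the GRE and ERSPAN field layouts follow RFC 2784/2890 and the ERSPAN Type II draft header format.

```python
"""Strip ERSPAN Type II / GRE encapsulation from a mirrored frame and
write the inner Ethernet frame to a pcap file for IDS ingestion."""
import struct

IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_II = 0x88BE      # GRE protocol type carried by ERSPAN Type II
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000        # ERSPAN II always sets S and carries a sequence number


def strip_erspan(outer_ip_packet: bytes) -> dict:
    """Parse outer IPv4 -> GRE -> ERSPAN Type II and return the inner Ethernet
    frame plus the metadata that identifies the span source.  Every length is
    checked before use so a truncated or hostile capture raises instead of
    being mis-decoded."""
    if len(outer_ip_packet) < 20:
        raise ValueError("truncated outer IPv4 header")
    ver_ihl = outer_ip_packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if outer_ip_packet[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 protocol %d is not GRE" % outer_ip_packet[9])
    gre = outer_ip_packet[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:               # GRE version must be 0 (RFC 2784/2890)
        raise ValueError("unsupported GRE version")
    if ptype != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE protocol type 0x%04x is not ERSPAN Type II" % ptype)
    off = 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4                      # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQUENCE:
        if len(gre) < off + 4:
            raise ValueError("truncated GRE sequence number")
        (seq,) = struct.unpack("!I", gre[off:off + 4])
        off += 4
    erspan = gre[off:]
    if len(erspan) < 8:
        raise ValueError("truncated ERSPAN header")
    # ERSPAN II word 0: Ver(4) | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10)
    (w0,) = struct.unpack("!I", erspan[:4])
    if w0 >> 28 != 1:                 # Type II encodes version 1
        raise ValueError("ERSPAN version %d is not Type II" % (w0 >> 28))
    inner = erspan[8:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    return {"sequence": seq, "vlan": (w0 >> 16) & 0x0FFF,
            "session_id": w0 & 0x03FF, "frame": inner}


def inner_endpoints(frame: bytes) -> tuple:
    """Return (src, dst) of the inner IPv4 packet, i.e. the traffic the IDS will inspect."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or len(frame) < 34:
        raise ValueError("inner frame is not IPv4")
    ip = frame[14:]
    return (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])))


def pcap_bytes(frames, ts: int = 0, linktype: int = 1) -> bytes:
    """Serialize frames as a classic libpcap file (magic 0xa1b2c3d4, Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for f in frames:
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)
    return b"".join(out)


def build_sample_packet() -> bytes:
    """Constructed sample: an ERSPAN II mirror (VLAN 100, session 7, seq 42) of a
    TCP SYN 10.0.1.10 -> 10.0.2.20, tunnelled from a hypothetical virtual router
    at 10.0.0.1 to the sensor at 10.0.0.2.  None of these values are real."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                           bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = eth + inner_ip + tcp
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 7, 0)
    gre = struct.pack("!HHI", GRE_FLAG_SEQUENCE, GRE_PROTO_ERSPAN_II, 42)
    total = 20 + len(gre) + len(erspan) + len(inner)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_GRE, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return outer_ip + gre + erspan + inner


if __name__ == "__main__":
    result = strip_erspan(build_sample_packet())
    print("ERSPAN session %d VLAN %d seq %s -> inner %s -> %s" % (
        result["session_id"], result["vlan"], result["sequence"],
        *inner_endpoints(result["frame"])))
    with open("erspan_inner.pcap", "wb") as fh:
        fh.write(pcap_bytes([result["frame"]]))
```

Suricata decodes GRE and ERSPAN itself when it captures the tunnel interface directly, so in Champ's setup this stripping is not something you would run by hand; the value of doing it once in code is seeing exactly which headers sit between the sensor and the mirrored traffic, and that the session id and VLAN in the ERSPAN header are the only fields telling you which instance's traffic a frame belongs to.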