[Oisf-users] Suricata and Cloud (AWS, GCLOUD) scenarios

Champ Clark III cclark at quadrantsec.com
Fri May 11 13:10:36 UTC 2018

One method is to put a virtual firewall/router that supports ERSPANs. 

You configure your virtual machines route "through" that virtual device/firewall. Once that is complete, you can create a ERSPAN to your Suricata instance. 

A ERSPAN takes the "span" traffic and passes it to your Suricata box over a GRE Tunnel. You have Suricata decode the GRE tunnel for analysis. 

Here's a link to a old (not discontinued) Brocade virtual appliance you could do this with: 


You should be able to do it with any virtual firewall that support ERSPAN. 

Hope this helps and good luck! 

From: "jose antonio izquierdo lopez" <jizquierdo at owlh.net> 
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org> 
Sent: Friday, May 11, 2018 7:06:21 AM 
Subject: [Oisf-users] Suricata and Cloud (AWS, GCLOUD) scenarios 

Hi Suricata Family, 

I'm working with Suricata on Cloud (AWS, GCLOUD) environments to define a 'software TAP' configuration/solution. Right now the best approach I can find is to do local traffic capture on each instance, save to pcap file, forward it to a Suricata running instance, and analyze it with Suricata. I don't want to include Suricata in each instance. 

I'm happy with the new functionality on Suricata 4.1 to keep running while ingesting new pcap files. It helps a lot. 

But my question is if someone has experience in this scenario and if there is a better approach to use Suricata in Cloud environments? 

This is what I have right now. 
[ http://documentation.owlh.net/en/latest/main/OwlHAWS.html | http://documentation.owlh.net/en/latest/main/OwlHAWS.html ] 

Thanks a lot, 

Best Regards, 

Jose Antonio Izquierdo 
m - +34 673 055 255 
skype - izquierdo.lopez 

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 

Conference: https://suricon.net 
Trainings: https://suricata-ids.org/training/ 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180511/13f12eb5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2111 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180511/13f12eb5/attachment.bin>

More information about the Oisf-users mailing list