[Oisf-users] Implementing Suricata IDS/IPS/NSM in AWS

Michał Purzyński michalpurzynski1 at gmail.com
Thu Jan 3 18:42:23 UTC 2019


There are several ways you can approach that

1. run Suricata on NAT instances and route the outbound traffic through
that (you will miss the ELB traffic this way)
2. capture traffic on each instance you are interested in monitoring and
ship it over to a "central" Suricata sensor - easily done with netsniff-ng
and, say, a GRE tunnel (your traffic will not be encrypted)
3. run Suricata everywhere
4. do not run Suricata and use VPC flow logs and GuardDuty (it's a nice
noise generator with limited benefit)

More about various approaches here

https://github.com/michalpurzynski/michalpurzynski.github.io/blob/master/suricon2017/SuriCon%202017%20-%20final.pdf

A set of various Ansible playbooks plus CloudFormation templates that we
used to use to deploy our cloudy Suricata

https://github.com/mozilla/vaporized_meerkat


On Thu, Jan 3, 2019 at 10:23 AM Jeff Dyke <jeff.dyke at gmail.com> wrote:

> Perhaps you can expand on the problem.  I have Suricata running in IPS
> mode on a bunch of EC2 instances.  While I use a configuration management
> system (SaltStack) to install and configure, the install is no different
> than bare metal (though I have never set it up on bare metal).  I followed
> what was out there for Ubuntu installations (you can add the repo) and
> configured it for my environment, not taking into account too much that I
> was running on EC2.
>
> Jeff
>
> On Thu, Jan 3, 2019 at 1:03 PM Kaushal Shriyan <kaushalshriyan at gmail.com>
> wrote:
>
>> Hi,
>>
>> I would appreciate it if anyone has tried implementing Suricata IDS/IPS/NSM
>> on the AWS cloud computing platform. Any docs or blogs to refer to as a
>> reference? I look forward to hearing from you. Thanks in advance.
>>
>> Best Regards,
>>
>> Kaushal
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
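For option 2 in Michał's reply above (capture on each monitored instance, ship the frames over a GRE tunnel to a central Suricata sensor), here is an added example of what the two ends look like as a POSIX sh script. It is not code from the thread or from the vaporized_meerkat repository. Every IP address, interface name and security-group id in it is a constructed placeholder; the MTU arithmetic assumes the ENI is at the 9001-byte jumbo MTU AWS supports inside a VPC; netsniff-ng is used in its device-to-device forwarding mode (--in/--out) with a --filter expression, and a gretap (Ethernet over GRE) tunnel is used rather than plain gre so the sensor side carries whole frames and looks like an ordinary NIC to Suricata's af-packet source.

```shell
#!/bin/sh
# Added example for option 2 of the reply: tap traffic on a monitored EC2
# instance with netsniff-ng and ship it over a gretap tunnel to a central
# Suricata sensor. Not code from the thread or from vaporized_meerkat; all
# addresses, interface names and the security-group id are placeholders.
# DRY_RUN=1 (the default) prints the commands instead of executing them; the
# real thing needs root on both instances and the AWS CLI on the sensor.

: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Tunnel MTU so a full 1500-byte captured frame never fragments on the way:
# 9001 (AWS jumbo-frame ENI, assumed) - 20 outer IP - 4 GRE - 14 inner Ethernet.
TUN_MTU=8963

# Monitored instance: <own private IP> <sensor private IP> <capture iface> [tunnel]
tap_setup() {
  tap_ip=$1; sensor_ip=$2; capture_if=$3; tun=${4:-gretap1}
  run ip link add "$tun" type gretap local "$tap_ip" remote "$sensor_ip" ttl 64
  run ip link set "$tun" mtu "$TUN_MTU" up
  # netsniff-ng --in <netdev> --out <netdev> forwards captured frames to another
  # device. The filter is essential: the outgoing GRE packets themselves appear
  # on $capture_if, and without it every mirrored frame would be mirrored again.
  run netsniff-ng --in "$capture_if" --out "$tun" --silent \
      --filter "not host $sensor_ip"
}

# Sensor: <own private IP> <monitored instance private IP> [tunnel]
# SG_ID must hold the sensor's security-group id. GRE carries the mirrored
# traffic in cleartext (the reply's caveat), so at least pin who may send
# IP protocol 47 (GRE) to the sensor and keep both endpoints inside the VPC.
sensor_setup() {
  sensor_ip=$1; tap_ip=$2; tun=${3:-gretap1}
  run ip link add "$tun" type gretap local "$sensor_ip" remote "$tap_ip" ttl 64
  run ip link set "$tun" mtu "$TUN_MTU" up
  run aws ec2 authorize-security-group-ingress --group-id "${SG_ID:?set SG_ID}" \
      --ip-permissions "IpProtocol=47,IpRanges=[{CidrIp=$tap_ip/32}]"
}

# af-packet stanza for suricata.yaml so the sensor reads the decapsulated
# frames straight off the tunnel interface.
suricata_afpacket_yaml() {
  tun=${1:-gretap1}
  printf 'af-packet:\n  - interface: %s\n    cluster-id: 99\n    cluster-type: cluster_flow\n    defrag: yes\n' "$tun"
}

# Usage: ./tap.sh tap <tap_ip> <sensor_ip> <iface>   (on the monitored instance)
#        ./tap.sh sensor <sensor_ip> <tap_ip>         (on the sensor)
#        ./tap.sh yaml [tunnel]                        (print the af-packet stanza)
case "${1:-}" in
  tap)    shift; tap_setup "$@" ;;
  sensor) shift; sensor_setup "$@" ;;
  yaml)   shift; suricata_afpacket_yaml "$@" ;;
esac
```

Two things to check before trusting the sensor's alerts: run the tap with DRY_RUN=0 only after confirming the --filter excludes the sensor address, since the mirrored GRE packets leave through the same interface being captured, and compare packet counts on the tap's capture interface with what af-packet reports on the sensor's tunnel interface, because any drop on the tunnel (fragmentation, security group, netsniff-ng ring overruns) silently blinds Suricata rather than failing loudly.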