![]() # - Discovery - # Pass an initial list of hosts to perform discovery when this node is started: # The default list of hosts is "] # ed_hosts: # Sudo nano /etc/elasticsearch/elasticsearch.yml # - Network - # Set the bind address to a specific IP (IPv4 or IPv6): # network.host: 0.0.0.0 # Set a custom port for HTTP: # http.port: 9200 # For more information, consult the network module documentation. In particular, we’ll need to modify the network.host, http.port, and ed_hosts values to match the following. To accomplish this, we can modify the file at /etc/elasticsearch/elasticsearch.yml. In order for us to accept logs directly from our Snort server via Filebeat, we need to enable Elasticsearch to listen on all interfaces and specify a few other settings. If everything is functioning properly, our alert_fast.txt log file should look something like this.Ġ2/11-14:14:37.704500 "ICMP connection test" key-name / -security-group-ids / -subnet-id cat /var/log/snort/alert_fast.txt To get our base infrastructure deployed, we can launch two Ubuntu instances into a VPC w/ Public Subnet via the AWS Console or the following AWS CLI command:Īws ec2 run-instances / -image-id ami-03d315ad33b9d49c4 / -count 2 / -instance-type t2.medium/. For this post, our lab will consist of a single instance running Snort and a single instance running an Elastic Stack, both running on Ubuntu Server 20.04. This approach is effective on a small scale, but as the number of systems grows managing Snort configurations across them can get cumbersome without dedicated automation. ![]() Our approach with Snort and Elastic differs slightly in that the heavy lifting of the traffic analysis occurs on the interface of each instance before shipping off to Elastic. Once the traffic reaches the Zeek instance interface, it can be analyzed for malicious indicators such as Command and Control (C2) traffic or network enumeration. The last lab design we looked at for network monitoring forwarded traffic from several EC2 instances to a single interface on our Zeek host. If following along and deploying resources, be sure to terminate the above resources when finished with the lab to avoid unexpected costs. 2 x t2.medium Linux instances - $0.0464/hr. ![]() The estimates are for the US-East-1 region. The following list covers the costs of of the individual resources and the total estimated cost per hour to run this lab environment. The lab we’ll be creating in this post has several AWS resources which cost money to run. We’ve already covered how to implement VPC Traffic Mirroring and Zeek, and in this post we’ll walk through setting up the Snort IDS and Elastic Stack to identify potentially malicious network activity in a lab. Two specific scenarios, outlined in this post, make use of native AWS functionality along with popular open-source network traffic analysis tools to provide insight into network traffic in our lab environments. Our customers often ask for detailed logging and monitoring capabilities in their lab environments, and we’ve implemented a number of unique scenarios to enable those requests. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |