
Virtual Private Cloud: Use traffic mirror to audit VPC traffic

Last Updated:Jan 27, 2026

Network security monitoring is critical for cloud-based production workloads. Traffic mirroring of virtual private clouds (VPCs) lets you capture and analyze network traffic in real time without impacting performance.

What you'll build

This tutorial walks you through setting up a complete security monitoring pipeline that mirrors traffic from a production Elastic Compute Service (ECS) instance to a dedicated ECS instance running the Suricata intrusion detection system (IDS), stores the resulting logs in Elasticsearch, and backs up the audit data to Object Storage Service (OSS) for retention and compliance.

  • Traffic mirroring: Duplicates network traffic from the elastic network interface (ENI) of the source ECS and forwards it to a designated ENI. This feature is commonly used for content inspection, threat monitoring, and troubleshooting.

  • Traffic audit: Suricata is used in this example to receive the mirrored packets and detect anomalies. It decapsulates VXLAN-encapsulated traffic and provides intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring. Suricata matches traffic against signature rules and writes its findings as JSON, which Elasticsearch indexes and Kibana visualizes. You can also use other security analysis tools from Alibaba Cloud Marketplace.

  • Log processing and storage: Filebeat collects Suricata logs and sends them to Elasticsearch, which indexes and stores them. You can then use Kibana to query, analyze, and visualize the logs.

  • Index file storage: After Elasticsearch is configured, snapshots of the indexed traffic records can be stored in OSS. This keeps the audit data available for long-term retention, independent of the life cycle of the Elasticsearch cluster.

Before you begin

Resources required

  • Two VPCs, each with one ECS instance. The traffic mirror source and destination may also reside in the same VPC; this example uses two VPCs.

    • ECS1 (Traffic source): Your production instance to monitor.

    • ECS2 (Traffic destination): Runs the security analysis stack.

  • Traffic mirror enabled: If you haven't activated the feature, you'll be prompted to enable it during configuration.

  • VPC peering connection: Because the instances are in different VPCs, connect the two VPCs with a VPC peering connection so that the mirrored VXLAN packets can reach ECS2.

  • Elasticsearch instance: With Kibana enabled and Internet access enabled. Add the public IP addresses that need to reach Kibana to the Kibana whitelist: the EIP of ECS2 (Filebeat uploads dashboards to Kibana during setup) and the IP address of the workstation you browse from.

ECS configuration

  • ECS1: Associate an Elastic IP (EIP) for internet access if necessary.

  • ECS2:

    • Associate an EIP, which is required to download and install Suricata, its rule sets, and Filebeat.

    • Security group must allow inbound UDP port 4789 for VXLAN-encapsulated mirror traffic.

    • Operating system set to Alibaba Cloud Linux 3.2104 LTS 64-bit in this example.

Procedure

Step 1: Install and configure Suricata

Deploy Suricata on ECS2 to receive network traffic and perform security audits.

  1. Log on to ECS2 and run the following commands to install Suricata.

    # Install dependencies
    sudo dnf install -y gcc libpcap-devel pcre-devel libyaml-devel file-devel \
                         zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel
    
    # Install suricata
    sudo dnf install suricata -y
    
    # Ensure suricata starts automatically
    sudo systemctl enable suricata
    sudo systemctl start suricata
  2. Configure Suricata.

    The Suricata configuration is in /etc/suricata/suricata.yaml. You can use the default settings. Two settings are worth checking before you rely on the defaults: the capture interface under af-packet must be the interface that receives the mirrored traffic on ECS2 (eth0 in this example), and the VXLAN decoder (decoder > vxlan) must be enabled with UDP port 4789 in its port list so that Suricata inspects the inner packet rather than the VXLAN wrapper. Both are the default values.

  3. Update the security rules.

    Run sudo suricata-update to download the current rule set. The merged rules are written to /var/lib/suricata/rules/suricata.rules by default, which is the file the default configuration loads.

  4. Run sudo systemctl restart suricata to restart Suricata so that it loads the updated rules.

Step 2: Configure traffic mirror

  1. Set up a filter.

    1. Log on to the VPC console. In the left navigation pane, choose O&M and Monitoring > Traffic Mirror > Filter.

    2. On the Filter page, click Create Filter. In the Rule Configuration section, click the Outbound Rules tab and choose Add Outbound Rule. Keep the default values, which capture all outbound traffic, and click Save. Outbound rules match only traffic leaving ECS1; to mirror traffic entering ECS1 as well (for example, the HTTP responses that servers return to it), also add an inbound rule with the same defaults on the Inbound Rules tab.

  2. Create and activate a traffic mirror session.

    1. In the left navigation pane, choose O&M and Monitoring > Traffic Mirror > Traffic Mirror Session.

    2. On the Traffic Mirror Session page, click Create Traffic Mirror Session. Keep the default Basic Configuration. For Associate Filter, select the filter created in the previous step. Then, choose the ENI of ECS1 as the Traffic Mirror Source and the ENI of ECS2 as the Traffic Mirror Destination.

    3. On the Traffic Mirror Session page, find the session you just configured and click Start in the Actions column.

  3. After you configure traffic mirroring and Suricata is running properly, the following log files are generated in the /var/log/suricata/ directory.

    /var/log/suricata/
    ├── certs
    ├── core
    ├── eve.json            ## All captured flow, alert, stats, and HTTP logs in JSON format
    ├── fast.log            ## Alert logs from detection and analysis
    ├── files
    ├── stats.log           ## Detailed statistics on captured and processed packets
    ├── suricata.log        ## Detailed runtime logs
    └── suricata-start.log  ## Detailed startup logs

Step 3: Collect and store Suricata logs

Use Filebeat to send Suricata logs to Elasticsearch for indexing and storage, and then use Kibana to visualize the logs.

  1. Log on to ECS2 and run the following commands to install Filebeat. Use a Filebeat release whose major version matches your Elasticsearch instance; this example uses 7.10.0:

    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.0-x86_64.rpm
    sudo rpm -vi filebeat-7.10.0-x86_64.rpm
  2. Configure the Suricata module to specify which traffic log files to collect.

    1. Enable the Suricata module by running sudo filebeat modules enable suricata.

    2. Change the Suricata configuration by running sudo vim /etc/filebeat/modules.d/suricata.yml.

      - module: suricata
        # Specify traffic log files for collection
        eve:
          enabled: true
          var.paths: ["/var/log/suricata/eve.json"]
    3. Press Esc, type :wq, and press Enter to save changes and exit.

  3. Configure the filebeat.yml file by running sudo vim /etc/filebeat/filebeat.yml and complete the connection settings.

    1. Modify the configuration of Filebeat modules.

      filebeat.config.modules:
        # Load the Suricata module configuration from this file
        path: /etc/filebeat/modules.d/suricata.yml
      
        # Reload the module configuration when the file changes
        reload.enabled: true
      
        # Check for configuration changes at this interval
        reload.period: 1s
    2. Modify the Kibana configuration.

      setup.kibana:
        host: "https://es-cn-8l**********2r7ln-kibana.cn-hangzhou.elasticsearch.aliyuncs.com:5601"

      host: This is the address for Kibana with a format of <Kibana public address>:5601. For more information, see Kibana configuration.

    3. Adjust the Elasticsearch output settings.

      output.elasticsearch:
        # Specify the Elasticsearch instance for log storage
        hosts: ["http://es-cn-8ly**********r7ln.elasticsearch.aliyuncs.com:9200"]
        username: "elastic"
        password: "<your_password>"

      host: The address of the Elasticsearch instance in the format <private or public address of the instance>:9200. If ECS2 can reach the instance over its private address, prefer it: with the http:// scheme shown above, the username and password are sent in clear text, which you do not want to happen across the Internet. For more information, view the basic information of a cluster.

      username: The default username for Elasticsearch is elastic.

      password: The password that was set when the instance was created. If you forget the password, you can reset the access password for the Elasticsearch cluster. Because filebeat.yml is a plain-text file, consider storing the password in the Filebeat keystore and referencing it from filebeat.yml instead of writing it into the file.

    4. Press Esc, type :wq, and press Enter to save the changes and exit.

    5. Run the following commands. The setup step loads the index template and the Suricata dashboards into Elasticsearch and Kibana (it needs the Kibana whitelist entry for ECS2 from the prerequisites); the second command starts Filebeat.

      sudo filebeat setup
      sudo systemctl start filebeat

Step 4: Visualize VPC traffic

  1. Log on to the Kibana console of the Elasticsearch instance. In the left navigation pane, click Kibana > Discover and select the filebeat-* index pattern.

  2. Add a filter for alert events (suricata.eve.event_type: alert) and select a time range in the top right corner to see potential threats in VPC traffic during that period. Without the filter, flow and stats records make up most of the index.


Step 5: Verify alerts

  1. Log on to ECS1 and run curl http://testmynids.org/uid/index.html. The response body imitates the output of the id command for the root user, which triggers an alert.


    Note

    The Suricata rule set includes the following rule. Its action is alert, so it generates an alert when a packet payload contains the byte string uid=0(root), written in rule syntax as uid=0|28|root|29| with the parentheses as hex escapes; it does not drop the packet, and in the IDS deployment used here nothing is blocked. The classtype bad-unknown is the classification assigned to the alert.

    alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
  2. In the Kibana interface, filter on the signature name (search for GPL ATTACK_RESPONSE in the alert signature field) to view the alerts that correspond to the Suricata IDS signature GPL ATTACK_RESPONSE id check returned root.
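The following Python script is an added example for this tutorial, not code from Alibaba Cloud or the Suricata project. It shows two things that the Kibana screenshots leave implicit: how to triage the eve.json records from Step 2 on ECS2 itself (count alerts per signature and list the address pairs involved), and why the rule above matches the test response from Step 5, by translating the rule's content string with its |28| and |29| hex escapes into bytes and searching a payload for it. SAMPLE_EVE is constructed to follow the EVE JSON layout and is not output captured from this setup; the IP addresses in it are placeholders.

```python
"""Added example (not part of the tutorial): triage Suricata eve.json alerts
and show how a rule's content pattern matches a payload.

SAMPLE_EVE is constructed for the demo; it is not captured output.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: one flow record, one alert for sid 2100498, a truncated
# line such as log rotation can leave behind, and one stats record.
SAMPLE_EVE = """\
{"timestamp":"2026-01-27T10:00:00.000000+0800","event_type":"flow","src_ip":"192.168.0.10","dest_ip":"93.184.216.34","proto":"TCP"}
{"timestamp":"2026-01-27T10:00:01.000000+0800","event_type":"alert","src_ip":"93.184.216.34","src_port":80,"dest_ip":"192.168.0.10","dest_port":51234,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2026-01-27T10:00:01.500000+0800","event_type":"al
{"timestamp":"2026-01-27T10:00:02.000000+0800","event_type":"stats","stats":{"uptime":120}}
"""


def parse_eve(text: str) -> List[Dict]:
    """Parse eve.json (one JSON object per line), skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial line, e.g. written while Filebeat/rotation ran
    return events


def alerts(events: List[Dict]) -> List[Dict]:
    """Only the alert records; flow, stats and http records are left out."""
    return [e for e in events if e.get("event_type") == "alert"]


def summarize_alerts(events: List[Dict]) -> Counter:
    """Count alerts per (sid, signature) so noisy rules stand out."""
    return Counter((e["alert"]["signature_id"], e["alert"]["signature"])
                   for e in alerts(events))


def alert_pairs(events: List[Dict], sid: int) -> List[Tuple[str, str]]:
    """(src_ip, dest_ip) pairs that triggered one sid. For a response-side rule
    such as 2100498, dest_ip is the host that received the matching response."""
    return sorted({(e["src_ip"], e["dest_ip"])
                   for e in alerts(events) if e["alert"]["signature_id"] == sid})


def suricata_content_to_bytes(content: str) -> bytes:
    """Turn a rule 'content' string into the bytes Suricata searches for.
    |..| encloses hex bytes (spaces allowed); backslash escapes |, ;, " and \\."""
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "|":
            end = content.index("|", i + 1)
            out += bytes.fromhex(content[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\" and i + 1 < len(content):
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def content_matches(content: str, payload: bytes) -> bool:
    """Case-sensitive substring match, as the content keyword behaves without nocase."""
    return suricata_content_to_bytes(content) in payload


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for (sid, name), n in summarize_alerts(evs).most_common():
        print(f"sid {sid}: {n} alert(s) - {name}")
        print("  pairs:", alert_pairs(evs, sid))
    # Constructed response body, like the one returned by the test URL in Step 5.
    body = b"HTTP/1.1 200 OK\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n"
    print("rule pattern bytes:", suricata_content_to_bytes("uid=0|28|root|29|"))
    print("matches test body:", content_matches("uid=0|28|root|29|", body))
```

To run it against the live file on ECS2, read /var/log/suricata/eve.json into parse_eve (the file is root-owned by default, so use sudo or adjust permissions). The pattern helper is what makes the rule's hex escapes concrete: uid=0|28|root|29| is the byte string uid=0(root), so a response for a non-root user such as uid=1000(ecs-user) does not match, and neither does UID=0(ROOT), because the rule has no nocase modifier.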

What to do next: Data backup

You can back up the Elasticsearch index files to ensure long-term data security and access. Automatic backup is enabled for Elasticsearch by default. You can store automatic backup snapshots in an Alibaba Cloud OSS repository.

FAQ

  1. How do I apply changes to Filebeat configuration?

    Restart the service after modifying the configuration file. Run the following command:

    sudo systemctl restart filebeat
  2. How do I verify that mirrored traffic is reaching the destination?

    Log on to ECS2, the traffic mirror destination, and run the following command:

    sudo tcpdump -i eth0 udp port 4789 -nne

    Mirrored packets arrive as VXLAN datagrams on UDP port 4789. If the output shows VXLAN packets whose VNI is the one assigned to your mirror session (vni 1 in this example), the destination is receiving mirrored traffic and the session is working. If nothing arrives, check in this order: the session is started, the filter rule matches the direction of traffic you are generating, the VPC peering connection routes between the two VPCs, and the ECS2 security group allows inbound UDP 4789.
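The Python script below is an added example, not part of the tutorial or of any Alibaba Cloud tool. It decodes the VXLAN encapsulation that traffic mirror uses on UDP port 4789 (an 8-byte VXLAN header followed by the mirrored Ethernet frame, per RFC 7348) so that you can check, on ECS2, that arriving datagrams carry the VNI of your mirror session and contain a sane inner Ethernet/IPv4 packet, which is what tcpdump's "vni 1" line summarizes. The packet produced by build_vxlan_packet() is constructed for the demo with placeholder MAC and IP addresses; the listen() function is what you would run on ECS2 while ECS1 generates traffic.

```python
"""Added example (not part of the tutorial): decode VXLAN datagrams from VPC
traffic mirror and verify they belong to the expected session (VNI).

build_vxlan_packet() produces a constructed sample, not captured traffic.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

VXLAN_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08   # the "I" bit: VNI field is valid (RFC 7348)
ETHERTYPE_IPV4 = 0x0800


@dataclass
class VxlanFrame:
    vni: int
    inner_dst_mac: str
    inner_src_mac: str
    ethertype: int
    inner_src_ip: Optional[str] = None
    inner_dst_ip: Optional[str] = None
    inner_proto: Optional[int] = None   # IPv4 protocol number, e.g. 6 for TCP


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_vxlan(payload: bytes) -> VxlanFrame:
    """Parse one UDP payload: 8-byte VXLAN header, then the mirrored Ethernet frame."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags, tail = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set; not a valid VXLAN header")
    vni = tail >> 8                       # VNI is 24 bits; the low byte is reserved
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", payload[8:22])
    frame = VxlanFrame(vni, _mac(dst_mac), _mac(src_mac), ethertype)
    # Untagged IPv4 only; 802.1Q-tagged or IPv6 inner frames keep the raw ethertype.
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 22 + 20:
        ip = payload[22:42]
        if ip[0] >> 4 == 4:
            frame.inner_proto = ip[9]
            frame.inner_src_ip = socket.inet_ntoa(ip[12:16])
            frame.inner_dst_ip = socket.inet_ntoa(ip[16:20])
    return frame


def check_session(payload: bytes, expected_vni: int) -> bool:
    """True if the datagram decodes and carries the VNI of the expected mirror session."""
    try:
        return decode_vxlan(payload).vni == expected_vni
    except ValueError:
        return False


def build_vxlan_packet(vni: int, src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample: VXLAN + Ethernet + IPv4 + TCP SYN (checksums left at 0)."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    eth = (bytes.fromhex("00163e445566")          # placeholder destination MAC
           + bytes.fromhex("00163e112233")        # placeholder source MAC
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return vxlan + eth + ip + tcp


def listen(expected_vni: int, count: int = 5, timeout: float = 30.0) -> List[Tuple]:
    """Receive datagrams on UDP/4789 on ECS2 and decode them.
    Returns (sender, vni_matches, frame-or-error) tuples. Suricata captures with
    af-packet, so binding this socket does not take the packets away from it."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", VXLAN_PORT))
        s.settimeout(timeout)
        while len(seen) < count:
            try:
                data, (peer, _) = s.recvfrom(65535)
            except socket.timeout:
                break
            try:
                frame = decode_vxlan(data)
            except ValueError as exc:
                seen.append((peer, False, str(exc)))
                continue
            seen.append((peer, frame.vni == expected_vni, frame))
    return seen


if __name__ == "__main__":
    demo = build_vxlan_packet(1, "192.168.0.10", "93.184.216.34")
    print(decode_vxlan(demo))
    print("belongs to session with VNI 1:", check_session(demo, 1))
    # On ECS2, while ECS1 generates traffic:
    # for peer, ok, frame in listen(expected_vni=1): print(peer, ok, frame)
```

The decoder rejects datagrams whose "I" flag is clear or that are too short, and check_session() turns the VNI comparison into a yes/no you can script: if check_session() is true for packets from the mirror source but Suricata produces no flow records, the problem is on the Suricata side (interface or decoder settings), not in the mirror session.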