[Bro] Monitoring traffic on VPC

Justin Thomas justin at justinthomas.name
Thu Mar 3 14:33:59 PST 2016


I tackled this problem in AWS (using Suricata and Bro) by forcing all data
through a handful of NAT instances. That allowed me to centralize the data
flows and install VTUN and daemonlogger at those points to transfer the
network traffic to a few dedicated IDS instances. Amazon's routing makes
even this challenging, and I can get into more detail about that directly
if you'd like.

There are many downsides to that approach, but it worked reliably for my
needs (providing IDS services in AWS and complying with regulations).

On Thu, Mar 3, 2016 at 7:35 AM, Paweł Piszczatowski <pawelec93 at googlemail.com> wrote:

> I've got a cluster set up in the cloud with a Master and two workers all
> in separate VPC. They are talking using VPN and I can see the traffic from
> the workers in the master. What I'm trying to do is to have the worker
> monitor the whole VPC as there will be other VMs such as honeypots etc.
> I have tried port forwarding (forwarding all the traffic from the other
> instances into the bro worker) however with no luck as AWS doesn't allow
> port forwarding apparently.
>
> My question is can Bro monitor whole subnets? Or is there a better
> solution to monitor all of the traffic in a VPC?