7/14/2023 0 Comments Filebeat kibanaThe Digital Ocean guide referenced earlier has excellent details on this process. To set up a more secure configuration requiring authentication, a simple solution is to use NGINX as a reverse proxy. Obviously, this isn’t an ideal setup outside of an isolated lab environment like the one we’re working from. We can verify this by browsing to This configuration opens up the Kibana service externally with no authentication configured. Now our Kibana dashboard should accept external connections over port 5601. Uncomment them and change the server.host value to 0.0.0.0 for all interfaces, or to a specific address.Īfter we’ve modified the Kibana configuration, we need to restart the service for the changes to take effect. These should be the first two settings in the config file. To do this, we can edit two lines in the kibana.yml configuration file. Since our lab is hosted in AWS, we’ll need to be able to access the Kibana dashboard remotely. Sudo apt install kibana sudo systemctl enable kibana sudo systemctl start kibanaīy default, Kibana only listens on localhost port 5601 for connections. Since we’ve already added the Elastic package repository to this server, installation is quick and easy. Kibana is the service that will power any dashboards or visualizations of data ingested by Elasticsearch. Now that Elasticsearch is running properly, let’s configure our visualization service, Kibana. We can save the file and restart the Elasticsearch service for the changes to take effect. # - Discovery - # Pass an initial list of hosts to perform discovery when this node is started: # The default list of hosts is "] # ed_hosts: # Sudo nano /etc/elasticsearch/elasticsearch.yml # - Network - # Set the bind address to a specific IP (IPv4 or IPv6): # network.host: 0.0.0.0 # Set a custom port for HTTP: # http.port: 9200 # For more information, consult the network module documentation. In particular, we’ll need to modify the network.host, http.port, and ed_hosts values to match the following. To accomplish this, we can modify the file at /etc/elasticsearch/elasticsearch.yml. In order for us to accept logs directly from our Snort server via Filebeat, we need to enable Elasticsearch to listen on all interfaces and specify a few other settings. If everything is functioning properly, our alert_fast.txt log file should look something like this.Ġ2/11-14:14:37.704500 "ICMP connection test" key-name / -security-group-ids / -subnet-id cat /var/log/snort/alert_fast.txt To get our base infrastructure deployed, we can launch two Ubuntu instances into a VPC w/ Public Subnet via the AWS Console or the following AWS CLI command:Īws ec2 run-instances / -image-id ami-03d315ad33b9d49c4 / -count 2 / -instance-type t2.medium/. For this post, our lab will consist of a single instance running Snort and a single instance running an Elastic Stack, both running on Ubuntu Server 20.04. This approach is effective on a small scale, but as the number of systems grows managing Snort configurations across them can get cumbersome without dedicated automation. Our approach with Snort and Elastic differs slightly in that the heavy lifting of the traffic analysis occurs on the interface of each instance before shipping off to Elastic. Once the traffic reaches the Zeek instance interface, it can be analyzed for malicious indicators such as Command and Control (C2) traffic or network enumeration. The last lab design we looked at for network monitoring forwarded traffic from several EC2 instances to a single interface on our Zeek host. If following along and deploying resources, be sure to terminate the above resources when finished with the lab to avoid unexpected costs. 2 x t2.medium Linux instances - $0.0464/hr.The estimates are for the US-East-1 region. The following list covers the costs of of the individual resources and the total estimated cost per hour to run this lab environment. The lab we’ll be creating in this post has several AWS resources which cost money to run. We’ve already covered how to implement VPC Traffic Mirroring and Zeek, and in this post we’ll walk through setting up the Snort IDS and Elastic Stack to identify potentially malicious network activity in a lab. Two specific scenarios, outlined in this post, make use of native AWS functionality along with popular open-source network traffic analysis tools to provide insight into network traffic in our lab environments. Our customers often ask for detailed logging and monitoring capabilities in their lab environments, and we’ve implemented a number of unique scenarios to enable those requests.
0 Comments
Leave a Reply. |