Open michaelseto opened 7 years ago
Please give us more information (distribution) or even propose a patch or a wiki edit describing what you had to do.
The Suricata in Amsterdam is sniffing an ethernet interface, so it will monitor multiple servers if it receives the traffic of multiple servers. So you have to configure your switch or use a tap device to monitor multiple systems.
```
sudo wget https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
sudo rpm -Uvh epel-release-7-9.noarch.rpm
sudo yum check-update
sudo yum install -y python-pip
sudo pip install --upgrade pip
sudo pip install pyopenssl
sudo yum groupinstall 'Development Tools'
sudo yum install -y python-devel
sudo pip install --upgrade pyopenssl
sudo curl -fsSL https://get.docker.com/ | sh
sudo pip install docker-py
sudo pip install --upgrade docker-py
sudo pip install docker-compose==1.9.0
sudo pip install amsterdam
```
Some prereqs above
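The prerequisite list above and the later report that `pip install amsterdam` fails unless docker-compose is exactly 1.9.0 suggest a pre-flight check. The script below is an added example, not something from this thread or from the Amsterdam project: it verifies that the tools the commands above rely on are on `PATH` and that the installed docker-compose reports the 1.9.0 version the thread says is required. The version line it parses is constructed to match docker-compose's `--version` output format; the build id in the sample is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or the Amsterdam project): pre-flight
# check before `pip install amsterdam`. The required docker-compose version
# (1.9.0) is the one reported in the thread; tool names are the thread's.

# Extract "X.Y.Z" from a `docker-compose --version` line such as
# "docker-compose version 1.9.0, build abcdef0" (build id is a constructed sample).
compose_version_from() {
    printf '%s\n' "$1" | sed -n 's/^docker-compose version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when the reported version is exactly the one the thread says Amsterdam expects.
compose_version_ok() {
    [ "$(compose_version_from "$1")" = "1.9.0" ]
}

# Return 0 when every command the install steps rely on is available.
prereqs_present() {
    for cmd in docker docker-compose pip; do
        command -v "$cmd" >/dev/null 2>&1 || { echo "missing: $cmd" >&2; return 1; }
    done
    return 0
}

# Full check against the live system: tools present and docker-compose pinned to 1.9.0.
check_amsterdam_prereqs() {
    prereqs_present || return 1
    line=$(docker-compose --version 2>&1)
    if compose_version_ok "$line"; then
        echo "docker-compose 1.9.0 found"
    else
        echo "docker-compose reports '$line'; the thread reports client errors unless it is 1.9.0" >&2
        echo "fix: sudo pip install docker-compose==1.9.0" >&2
        return 1
    fi
}

# Run the live check only when invoked as `sh prereqs.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_amsterdam_prereqs
fi
```

Run it with `--check` on the target host before the `pip install amsterdam` step; a non-zero exit tells you which prerequisite is missing or which docker-compose version is installed instead of 1.9.0.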
You've got proxy_pass set to localhost @ 8000 in nginx, but what if this is sitting behind an external load balancer and needs to reverse proxy to another load balancer which has web servers? Will this still function correctly if the proxy_pass is changed to the load balancer in front of web servers?
I really don't understand what you are trying to do. What is your target architecture?
A load balanced IDS acting as a reverse proxy to a different load balancer that load balances web servers.
(Load Balancer)-[IDS][IDS]>{REVERSE PROXY}>(Load Balancer)-[WEB01][WEB02]
Make sense?
I think 'no' is a politically correct answer.
IDS is just sniffing packets passively at the Ethernet level like Wireshark, so it cannot be put in the middle. You may use Suricata in IPS mode, but it is layer 2 or 3, so it will not interact cleanly with a load balancer.
This is in MS Azure, not on prem, so there are considerations around that.
Can't you just sniff eth0 with Suricata and use nginx as a reverse proxy to the load balancer for the web servers?
I think you need to understand the use of Nginx within Amsterdam. Its just for the administrative features that you get with Amsterdam and doesn't really have much to do with the IDS/NSM/IPS features of Amsterdam. Amsterdam listens on an interface, getting the traffic to that interface is up to you. That may involve load balancers and reverse proxies, but that will be dependent on your setup, and not configured within Amsterdam.
Agree with @jasonish, but as a really weird usage you could configure nginx in Amsterdam to do 2 redirections (one for the Amsterdam GUI, one for your load balancing), and if packets do not go out from nginx on the same interface then you possibly have something working. Really, really weird anyway and not supported.
Let me reiterate what exactly I have and what I am trying to do.
I have an EXTERNAL load balancer with a public IP, this load balances public facing web servers. I want to set up some intrusion detection to spot any hack attempts, etc.
This is in Azure, so it's not like I can set anything up like it's on prem. I can't go plug something into a switch, etc.
So, my understanding is that Suricata sits there and listens on an interface, and logs anything flowing into that interface.
What I am asking to make possible with Amsterdam, is stick a new VM IN FRONT of the load balancer for the web servers, and use the eth0 interface as a reverse proxy and Suricata sniffing the traffic that flows through it. Again, the traffic flows THROUGH it and hits the IP for the load balancer of the web servers.
Is it possible to host the Amsterdam interface and also reverse proxy to the web servers load balancer VIP?
You should be able to do what I've seen done in AWS before, but it really doesn't have anything to do with Suricata or Amsterdam.
First, I doubt Azure is going to let you put a VM in front of their load balancers. You could check their documentation or with their support to find out for sure though. So what I suggest would be to NOT use Azure load balancers. Since you would be setting up a choke point in front of them anyways, you may as well just replace their load balancers with one of your own.
So create a VM and install your own reverse proxy on it just like you suggest. And use this in place of the Azure load balancers. Once you get this working, and you have all the traffic flowing through it, then, and only then install Suricata, or Amsterdam on it listening to the desired interface.
Don't worry about not using the Azure load balancers. By sticking a VM in front of them you've just negated their usefulness, so just do the load balancing yourself (nginx, ha-proxy, varnish or something) and run Suricata on that VM.
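The layout proposed in the comment above (one VM doing the reverse proxying itself, with Suricata sniffing that VM's interface) is a plain nginx configuration. The snippet below is an added example written for this thread, not code from the Amsterdam project or from any participant: one nginx instance serves the Amsterdam GUI on its own hostname, proxied to `127.0.0.1:8000` as the thread describes, and a second server block fronts the web servers in place of the Azure load balancer. The hostnames, backend addresses, admin subnet and certificate paths are constructed placeholders.

```nginx
# Added example (not from the thread or the Amsterdam project): a single nginx
# on the sensor VM that both serves the Amsterdam GUI and load-balances the
# web servers. Hostnames, addresses and paths are constructed placeholders.

upstream web_backend {
    # The web servers the Azure load balancer used to front (placeholder IPs).
    server 10.0.1.11:80;
    server 10.0.1.12:80;
}

# Amsterdam GUI: proxied to the Scirius container on localhost:8000, as the
# thread describes. Restrict it to the admin subnet so the sensor's own
# management interface is not reachable from the public path.
server {
    listen 443 ssl;
    server_name amsterdam.example.com;
    ssl_certificate     /etc/nginx/ssl/amsterdam.crt;
    ssl_certificate_key /etc/nginx/ssl/amsterdam.key;

    allow 10.0.0.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Public site: this VM replaces the Azure load balancer in front of the web servers.
server {
    listen 80;
    server_name www.example.com;

    location / {
        proxy_pass http://web_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

With Suricata listening on the VM's eth0, it sees the client-side connections arriving at nginx and, because a single-NIC VM sends the proxied requests to `web_backend` out of the same interface, the backend-side connections as well. If you later terminate TLS for `www.example.com` on nginx, the client side becomes opaque to Suricata but the backend side stays plaintext HTTP, so the rules still get something to inspect; that is the same-interface condition the earlier comment pointed at.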
Should the sciriusstatic and sciriusdata containers be constantly running? It seems they build but only the scirius container stays running.
First issue - you did not define any of the prerequisites that you will need in your documentation before installing via pip - ESPECIALLY - the 1.9.0 version of docker-compose (otherwise you get a client error)
Second issue - after all the prereqs were done, I finally was able to get through an install via pip. However, when attempting to access via browser, it gives an 'Internal Server Error'
Is this meant to monitor a single machine or a network of machines? What if you wanted to run this on one machine and monitor a group of web servers in the same subnet?