The last lab design we looked at for network monitoring forwarded traffic from several EC2 instances to a single interface on our Zeek host. Once the traffic reaches the Zeek instance interface, it can be analyzed for malicious indicators such as Command and Control (C2) traffic or network enumeration. Our approach with Snort and Elastic differs slightly in that the heavy lifting of the traffic analysis occurs on the interface of each instance before shipping off to Elastic. This approach is effective on a small scale, but as the number of systems grows, managing Snort configurations across them can get cumbersome without dedicated automation.

For this post, our lab will consist of a single instance running Snort and a single instance running an Elastic Stack, both running on Ubuntu Server 20.04. To get our base infrastructure deployed, we can launch two Ubuntu instances into a VPC with a public subnet via the AWS Console or the following AWS CLI command (the key pair, security group and subnet values are placeholders for your own):

```shell
aws ec2 run-instances \
  --image-id ami-03d315ad33b9d49c4 \
  --count 2 \
  --instance-type t2.medium \
  --key-name <key-pair-name> \
  --security-group-ids <security-group-id> \
  --subnet-id <subnet-id>
```

```shell
cat /var/log/snort/alert_fast.txt
```

If everything is functioning properly, our alert_fast.txt log file should look something like this:

```
02/11-14:14:37.704500 "ICMP connection test"
```

In order for us to accept logs directly from our Snort server via Filebeat, we need to enable Elasticsearch to listen on all interfaces and specify a few other settings. To accomplish this, we can modify the file at /etc/elasticsearch/elasticsearch.yml. In particular, we'll need to modify the network.host, http.port, and discovery.seed_hosts values to match the following.

```shell
sudo nano /etc/elasticsearch/elasticsearch.yml
```

```yaml
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts:
```

If following along and deploying resources, be sure to terminate the above resources when finished with the lab to avoid unexpected costs.
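The alert_fast.txt records described above are what Filebeat ends up shipping to the Elasticsearch node, so it helps to see what a structured document built from one of those lines looks like. The following is an added example, not code from the original post: it parses Snort 3 alert_fast lines (the layout assumed here is `timestamp [**] [gid:sid:rev] "msg" [**] [Classification: ...] [Priority: n] {proto} src -> dst`, IPv4 only) into dicts shaped like the documents you would index, and counts any lines it could not parse so ingestion gaps are visible. The sample lines are constructed, not captured from the lab.

```python
"""Parse Snort 3 alert_fast lines into Elasticsearch-style documents.

Added example, not code from the original post. Assumes the Snort 3
alert_fast layout and IPv4 addresses; the sample lines are constructed.
"""
import re
from collections import Counter

# Constructed sample lines (not captured from the lab). The third line is
# deliberately malformed to show how non-alert lines are handled.
SAMPLE_ALERTS = """\
02/11-14:14:37.704500 [**] [1:1000001:0] "ICMP connection test" [**] [Priority: 0] {ICMP} 10.0.1.5 -> 10.0.1.10
02/11-14:15:02.118433 [**] [1:1000002:1] "SSH connection attempt" [**] [Priority: 2] {TCP} 203.0.113.7:51522 -> 10.0.1.10:22
this line is not an alert and must be skipped
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One regex for the whole line; the Classification field is optional because
# rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r'"(?P<msg>[^"]*)"\s+\[\*\*\]\s+'
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a document dict for one alert line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    doc = {
        "timestamp": d["ts"],  # Snort omits the year; kept exactly as written
        "rule": {"gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"])},
        "message": d["msg"],
        "classification": d["cls"],  # None when the rule has no classtype
        "priority": int(d["prio"]),
        "protocol": d["proto"],
        "source": {"ip": d["src"]},
        "destination": {"ip": d["dst"]},
    }
    # Ports only exist for TCP/UDP alerts; ICMP lines carry bare addresses.
    if d["sport"] is not None:
        doc["source"]["port"] = int(d["sport"])
    if d["dport"] is not None:
        doc["destination"]["port"] = int(d["dport"])
    return doc


def parse_alert_file(text):
    """Parse every non-empty line; return (documents, number_of_lines_skipped)."""
    docs, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        doc = parse_alert(line)
        if doc is None:
            skipped += 1
        else:
            docs.append(doc)
    return docs, skipped


def count_by_sid(docs):
    """Tally alerts per rule SID, a quick sanity check before building dashboards."""
    return dict(Counter(doc["rule"]["sid"] for doc in docs))


if __name__ == "__main__":
    parsed, dropped = parse_alert_file(SAMPLE_ALERTS)
    for document in parsed:
        print(document)
    print("skipped lines:", dropped)
    print("alerts per sid:", count_by_sid(parsed))
```

A non-zero skipped count is worth alerting on in its own right, since it usually means Snort's output format changed and documents are silently missing from the index. Because the Elasticsearch node above listens on all interfaces, the instance's security group should only admit TCP 9200 from the Snort host's address.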