Sending AWS VPC Flow Logs into Security Onion


Mitul Patel

Mar 12, 2017, 5:11:12 PM
to security-onion
All,

I have successfully set up Security Onion in AWS with one test client. I realized that if I wanted to scale this out to my AWS network infrastructure as well as others, I need to monitor traffic at a level higher than individual EC2 instances. The idea would be to take the VPC Flow Logs, which capture traffic from all the EC2 instances under the VPC, and direct them into the Security Onion server/sensor. Monitor traffic at the VPC level as opposed to the individual server level.

Has anyone tried to integrate AWS VPC Flow logs into Security Onion?

Thank You
Mitul

Kevin Branch

Mar 13, 2017, 5:21:34 PM
to securit...@googlegroups.com
Hi Mitul, 

That is a really cool idea :)   I imagine a process could be worked out to feed VPC Flow Logs to a Security Onion system that parses and feeds them into ELSA, resulting in something akin to BRO_CONN records.  In fact, you could convert incoming VPC Flow Logs to match the Bro connection record file format (see /nsm/bro/spool/manager/conn.log), and then configure syslog-ng to tail your converted VPC Flow Logs file.  I think that is all you would need to get your VPC flows stashed as BRO_CONN records in ELSA.  Just give them a unique "sensorname" field value to distinguish them from the connection records truly generated by Bro.

Additionally, to enable richer flow analytics, that same process could also import those flow logs into Argus (via raconvert) so that you could use all of the Argus ra- tools to put your flow analysis ninja skills to great use :)

I have not heard of either of these things being done yet, but both strike me as quite feasible and worthwhile.  If you take a crack at either of these, please share back with the community.  

Kevin

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
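Kevin's conversion idea, sketched as an added example (this is not Security Onion, Bro or AWS code). It takes VPC Flow Log records in the default version 2 format, pairs the two unidirectional records that one connection produces, and writes Bro 2.x conn.log columns so the output file can be tailed by syslog-ng like a real conn.log. The sample records are constructed, not real AWS output; the uid generation, the ACCEPT/REJECT to conn_state mapping, the originator heuristic and the treatment of the same flow logged by two ENIs are assumptions made for this example, since flow logs carry no TCP flags and no SYN direction.

```python
"""Convert AWS VPC Flow Log records (default v2 format) into Bro/Zeek conn.log
TSV lines, so a file of converted flows can be tailed by syslog-ng.
Added example for this thread; not Security Onion, Bro or AWS code."""
import hashlib
from collections import OrderedDict

# Default VPC Flow Log v2 field order, as documented by AWS.
VPC_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
              "protocol packets bytes start end action log-status").split()
# Bro 2.x conn.log column order (compare /nsm/bro/spool/manager/conn.log).
BRO_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
              "proto", "service", "duration", "orig_bytes", "resp_bytes",
              "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
              "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
              "tunnel_parents"]
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumed mapping: flow logs carry no TCP flags, so Bro's real connection state
# cannot be recovered. ACCEPT becomes OTH; REJECT (SG/NACL drop) becomes REJ.
CONN_STATE = {"ACCEPT": "OTH", "REJECT": "REJ"}


def parse_vpc_record(line):
    """Return a dict for one usable flow record, or None for NODATA/SKIPDATA/junk."""
    parts = line.split()
    if len(parts) != len(VPC_FIELDS):
        return None
    rec = dict(zip(VPC_FIELDS, parts))
    if rec["log-status"] != "OK":        # NODATA / SKIPDATA rows describe no flow
        return None
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec


def flow_key(rec):
    return (rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"], rec["protocol"])


def reverse_key(key):
    return (key[2], key[3], key[0], key[1], key[4])


def make_uid(key, start):
    """Synthetic Bro-style uid (Bro's own are random; this one is deterministic)."""
    return "C" + hashlib.sha1(repr((key, start)).encode()).hexdigest()[:17]


def summarize(recs):
    """Aggregate one direction. An intra-VPC flow is logged by both ENIs, so only
    records from the first interface seen are counted, to avoid doubling bytes."""
    if not recs:
        return None
    recs = [r for r in recs if r["interface-id"] == recs[0]["interface-id"]]
    return {"packets": sum(r["packets"] for r in recs),
            "bytes": sum(r["bytes"] for r in recs),
            "start": min(r["start"] for r in recs),
            "end": max(r["end"] for r in recs),
            "action": "REJECT" if any(r["action"] == "REJECT" for r in recs) else "ACCEPT"}


def to_conn_records(lines):
    """Pair the two unidirectional flow records of a connection into one conn record."""
    by_key = OrderedDict()
    for line in lines:
        rec = parse_vpc_record(line)
        if rec is not None:
            by_key.setdefault(flow_key(rec), []).append(rec)
    conns, done = [], set()
    for key, recs in by_key.items():
        if key in done:
            continue
        done.update({key, reverse_key(key)})
        orig, resp = summarize(recs), summarize(by_key.get(reverse_key(key), []))
        # Originator heuristic (assumption): the side that started first; on a tie,
        # the side using the higher (ephemeral) port. Flow logs do not say who sent SYN.
        if resp and (resp["start"] < orig["start"] or
                     (resp["start"] == orig["start"] and key[1] < key[3])):
            orig, resp, key = resp, orig, reverse_key(key)
        ends = [orig["end"]] + ([resp["end"]] if resp else [])
        conns.append({
            "ts": float(orig["start"]), "uid": make_uid(key, orig["start"]),
            "id.orig_h": key[0], "id.orig_p": key[1], "id.resp_h": key[2], "id.resp_p": key[3],
            "proto": PROTO_NAMES.get(key[4], str(key[4])), "service": None,
            "duration": float(max(ends) - orig["start"]),
            "orig_bytes": None, "resp_bytes": None,   # flow logs count IP bytes, not payload
            "conn_state": CONN_STATE[orig["action"]], "local_orig": None, "local_resp": None,
            "missed_bytes": 0, "history": None,
            "orig_pkts": orig["packets"], "orig_ip_bytes": orig["bytes"],
            "resp_pkts": resp["packets"] if resp else None,
            "resp_ip_bytes": resp["bytes"] if resp else None,
            "tunnel_parents": "(empty)"})
    return conns


def format_conn_log(conns):
    """Render records as conn.log TSV, with the #fields header Bro writes."""
    out = ["#separator \\x09", "#fields\t" + "\t".join(BRO_FIELDS)]
    for c in conns:
        out.append("\t".join("-" if c[f] is None else
                             ("%.6f" % c[f] if isinstance(c[f], float) else str(c[f]))
                             for f in BRO_FIELDS))
    return "\n".join(out) + "\n"


# Constructed sample records (not real AWS output): one SSH session seen from both
# ENIs, one RDP attempt dropped by a security group, and a NODATA row.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.2.20 49152 22 6 20 4249 1490000000 1490000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.20 10.0.1.10 22 49152 6 15 3100 1490000000 1490000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.1.10 10.0.2.20 49152 22 6 20 4249 1490000000 1490000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 51000 3389 6 3 180 1490000005 1490000040 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1490000000 1490000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    print(format_conn_log(to_conn_records(SAMPLE_FLOW_LOG)), end="")
```

Two practical points follow from the code. First, write the converted records to their own file (any path you choose; the syslog-ng source you add for it, not the conn.log line itself, is what gives these records a distinct sensor or program name in ELSA), rather than appending to Bro's own conn.log. Second, a flow log record is a per-ENI, per-direction byte and packet count over a capture window, with no payload: the protocol analyzers behind Bro's service column, and Snort or Suricata signatures, have nothing to inspect, so what you get is connection-level visibility, not full NSM, and the REJ/OTH states above are approximations rather than observed TCP state.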

Mitul Patel

Mar 27, 2017, 10:25:44 AM
to security-onion
Kevin,

Thank you for the input. I most definitely will be taking a crack at this. Any issues or obstacles I run into, I will post back to this thread. My company is moving EVERYTHING into the cloud and this process will truly remove the headache of installing tools on individual client boxes. VPC Flow Logs should capture everything we need to see anyway.

Thanks again!


Steve Sonnenberg

Aug 8, 2018, 5:13:15 PM
to security-onion
Anything to report on this effort (feeding AWS Flow logs into Bro)?
Thanks