Sunday, August 2, 2020

Utilizing AWS Traffic Mirroring with Snort on Debian Linux

I wanted to utilize the AWS Traffic Mirroring feature to deploy an IDS within an AWS environment.  It seems fairly simple at first, but there were a few minor snags, most specifically the Linux kernel deciding that a MAC address had moved from one IP to another, with messages like:

Jul 31 18:15:51 debian kernel: [ 9394.768861] vxlan-tap: 0a:93:bf:88:4b:aa migrated from 10.6.12.47 to 10.6.12.117

repeating over and over.


My initial setup used a single vxlan link, set up like:
ip link add vxlan-tap type vxlan id 16668977 dev ens6 dstport 4789
ip link set vxlan-tap up

After much searching around, I got the idea to try multiple links (one per mirror session VNI) and use a virtual bridge to tie them together, such as:
ip link add vxlan-tap0 type vxlan id 16668977 dev ens6 dstport 4789
ip link set vxlan-tap0 up
ip link add vxlan-tap1 type vxlan id 16668976 dev ens6 dstport 4789
ip link set vxlan-tap1 up
brctl addbr vxlan-tap
brctl addif vxlan-tap vxlan-tap0
brctl addif vxlan-tap vxlan-tap1
ifconfig vxlan-tap up

And I still use vxlan-tap, now the bridge rather than a single vxlan link, as my interface in Snort.
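The bridged multi-VNI setup above, as an added example that is not the post's own script: it builds the same topology with the iproute2 bridge commands (`ip link add ... type bridge`, `ip link set ... master`) instead of the older brctl/ifconfig tools, takes the VNI list as arguments so a new mirror session is one more argument rather than a copy-pasted block, and supports DRY_RUN=1 to preview the commands before running them as root. It goes one step beyond the post by adding `nolearning` to each vxlan device: the "migrated from ... to ..." messages come from the kernel's VXLAN source-MAC learning, which is of no use on a receive-only mirror target. The function and variable names (setup_mirror_bridge, run, DRY_RUN) are this example's own; the interface names, VNIs and parent device follow the post.

```shell
#!/bin/sh
# Added example: create one vxlan receive interface per AWS Traffic Mirroring
# session (VNI) and enslave them to a bridge that Snort listens on.
# Names below (setup_mirror_bridge, run, DRY_RUN) are this example's own.

# run CMD...: execute, or just print when DRY_RUN=1 (preview without root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_mirror_bridge BRIDGE PARENT_DEV VNI [VNI...]
#   BRIDGE     name Snort will listen on (e.g. vxlan-tap)
#   PARENT_DEV ENI the mirror target points at (e.g. ens6)
#   VNI...     virtual network ID of each mirror session
setup_mirror_bridge() {
    bridge=$1
    parent=$2
    shift 2

    # The bridge carries no IP address; it only aggregates decapsulated frames.
    run ip link add name "$bridge" type bridge
    run ip link set "$bridge" up

    i=0
    for vni in "$@"; do
        dev="${bridge}${i}"
        # dstport 4789 is the VXLAN port AWS mirror sources send to.
        # nolearning: do not learn inner source MACs from received frames;
        # that learning is what logs "<mac> migrated from <ip> to <ip>".
        run ip link add "$dev" type vxlan id "$vni" dev "$parent" dstport 4789 nolearning
        run ip link set "$dev" master "$bridge"
        run ip link set "$dev" up
        i=$((i + 1))
    done
}

# Usage: sh mirror-bridge.sh BRIDGE PARENT_DEV VNI...   (DRY_RUN=1 to preview)
if [ "$#" -ge 3 ]; then
    setup_mirror_bridge "$@"
fi
```

With the post's values this is `DRY_RUN=1 sh mirror-bridge.sh vxlan-tap ens6 16668977 16668976`, then the same command without DRY_RUN as root. Before blaming the VXLAN setup, confirm the mirrored packets reach the instance at all with `tcpdump -ni ens6 udp port 4789`; the mirror target's security group has to allow inbound UDP 4789 from the mirror sources, and a mirror filter that matches nothing produces an interface that is up but silent.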