snort3_aws

snort3_aws is a project for building snort3 Docker images and deploying an IPS/IDS in an AWS environment using Gateway Load Balancer (GWLB) and Elastic Kubernetes Service (EKS).

How to build docker images

In order to build the Docker images and run the Kubernetes deployment, the following applications must be installed on your local computer:

  • java, for running the gradle build
  • docker
  • go
  • kubectl
  • helm, for running the local test
  • kind, for running the local test
  • aws cli, for installing GWLB and EKS using the CloudFormation templates
  • a Docker Hub repo where you can publish images

To build the Docker images, first set the following environment variables:

export DOCKER_REPO='your_docker_repo'
export DOCKER_SERVER='your_dockerhub_server'
export DOCKER_USER='your_docker_username'
export DOCKER_PASSWORD='your_docker_password'

Then run:

./gradlew build

You can also run the unit tests:

./gradlew test

To publish the Docker images:

./gradlew publish

How to run a local test using a Kind cluster

./gradlew startLocalTest
./gradlew stopLocalTest

How to configure helm chart

Before installing the helm chart, replace YOUR_DOCKER_REPO in helm/snort3-ips/values.yaml with your actual Docker repo.

AWS EKS deployment with gateway load balancer (GWLB)

See aws/gwlb and aws/eks in this repo for the CloudFormation templates that create the GWLB and the EKS cluster. The snort3 section of values.yaml for this deployment looks like:

snort3:
  daq: gwlb
  interface: eth1
  mode: -Q # use -Q for inline mode and -v for passive mode
  numThread: 4

Here interface is the interface on which snort3 listens for Geneve traffic (UDP port 6081). Make sure you have a security group rule that allows inbound traffic on UDP port 6081.

On-prem deployment

snort3:
  daq: afpacket
  interface: eth0:eth1
  mode: -Q # use -Q for inline mode and -v for passive mode
  numThread: 2

For on-prem deployments you should generally use afpacket. If you want to deploy in inline mode, you need an inline pair of interfaces (eth0:eth1 above). Refer to the snort3 manual (https://github.com/snort3/snort3/releases/download/3.1.16.0/snort_user.pdf) for more details.
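The two values blocks above encode constraints that are easy to get wrong before a helm install: the gwlb DAQ expects a single Geneve-listening interface, while afpacket in inline (-Q) mode needs an interface pair. The following POSIX shell check is an added example, not part of snort3_aws; the function name and the positive-integer rule for numThread are assumptions, the daq, interface and mode rules come from the README.

```shell
#!/bin/sh
# check_snort3_values DAQ INTERFACE MODE NUMTHREAD
# Sanity-check one snort3 values block (added example, not a snort3_aws script).
# Returns 0 if the block looks deployable, 1 with a reason on stderr otherwise.
check_snort3_values() {
    daq=$1 iface=$2 mode=$3 threads=$4

    case "$mode" in
        -Q|-v) ;;
        *) echo "mode must be -Q (inline) or -v (passive), got '$mode'" >&2; return 1 ;;
    esac

    # Assumption: numThread is a positive integer.
    case "$threads" in
        ''|*[!0-9]*|0) echo "numThread must be a positive integer, got '$threads'" >&2; return 1 ;;
    esac

    case "$daq" in
        gwlb)
            # GWLB delivers traffic as Geneve (UDP 6081) on one interface; a pair is a mistake here.
            case "$iface" in
                *:*) echo "gwlb daq takes a single interface, got '$iface'" >&2; return 1 ;;
            esac
            echo "reminder: the security group must allow inbound UDP 6081 (Geneve) on $iface" ;;
        afpacket)
            # Inline (-Q) afpacket bridges an interface pair; passive (-v) can read one interface.
            if [ "$mode" = "-Q" ]; then
                case "$iface" in
                    *:*) ;;
                    *) echo "afpacket inline mode needs an interface pair like eth0:eth1, got '$iface'" >&2; return 1 ;;
                esac
            fi ;;
        *) echo "unsupported daq '$daq' (expected gwlb or afpacket)" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample input: the two blocks from this README, plus one broken on-prem block.
check_snort3_values gwlb eth1 -Q 4           # AWS GWLB block: accepted
check_snort3_values afpacket eth0:eth1 -Q 2  # on-prem inline block: accepted
check_snort3_values afpacket eth0 -Q 2 || echo "rejected: inline afpacket without an interface pair"
```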

How to apply Talos_LightSPD.tar.gz downloaded from your www.snort.org account

./scripts/apply_lightspd.sh ~/Downloads/Talos_LightSPD.tar.gz 2021-11-09-001

The first argument is the path of the Talos LightSPD package; the second argument is the package version.

How to apply an IPS policy

./scripts/apply_policy.sh balanced-security-and-connectivity

Available policies:

  • no-rules-active
  • connectivity-over-security
  • security-over-connectivity
  • balanced-security-and-connectivity
  • maximum-detection

How to save IPS alert files generated by snort3

./scripts/save_alerts.sh

Note: after running this script, the IPS alerts are saved to the current directory on your local computer, and the alert files in the running snort3 containers are pruned.