Just doesn't work #43
sudo wget https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
Some prereqs above #3 - what if this is not on-prem but in Microsoft Azure? How would one do this? Would I need more than one VM running this Amsterdam for HA? Load balancer in front of it? Then traffic goes through that onto another load balancer, for example, web servers? How would this be implemented in the cloud?
You've got proxy_pass set to localhost @ 8000 in nginx, but what if this is sitting behind an external load balancer and needs to reverse proxy to another load balancer which has web servers? Will this still function correctly if the proxy_pass is changed to the load balancer in front of the web servers?
I really don't understand what you are trying to do. What is your target architecture?
A load balanced IDS acting as a reverse proxy to a different load balancer that load balances web servers.
(Load Balancer)-[IDS][IDS]>{REVERSE PROXY}>(Load Balancer)-[WEB01][WEB02] Make sense?
I think 'no' is a politically correct answer. IDS is just sniffing packets passively at the Ethernet level like Wireshark, so it can not be put in the middle. You may use Suricata in IPS mode but it is layer 2 or 3 so it will not interact cleanly with a Load Balancer.
This is in MS Azure, not on prem, so there are considerations around that.
Can't you just sniff eth0 with Suricata and use nginx as a reverse proxy to the load balancer for the web servers?
I think you need to understand the use of Nginx within Amsterdam. It's just for the administrative features that you get with Amsterdam and doesn't really have much to do with the IDS/NSM/IPS features of Amsterdam. Amsterdam listens on an interface; getting the traffic to that interface is up to you. That may involve load balancers and reverse proxies, but that will be dependent on your setup, and not configured within Amsterdam.
Agree with @jasonish but as a really weird usage you could configure nginx in Amsterdam to do 2 redirections (one for the Amsterdam GUI, one for your load balancing) and if the packet does not go out from nginx from the same interface then you possibly have something working. Really really weird anyway and not supported.
Let me reiterate what exactly I have and what I am trying to do. I have an EXTERNAL load balancer with a public IP; this load balances public facing web servers. I want to set up some intrusion detection to spot any hack attempts, etc. This is in Azure, so it's not like I can set anything up like it's on prem. I can't go plug something into a switch, etc. So, my understanding is that Suricata sits there and listens on an interface, and logs anything flowing into that interface. What I am asking to make possible with Amsterdam is to stick a new VM IN FRONT of the load balancer for the web servers, and use the eth0 interface as a reverse proxy with Suricata sniffing the traffic that flows through it. Again, the traffic flows THROUGH it and hits the IP for the load balancer of the web servers. Is it possible to host the Amsterdam interface and also reverse proxy to the web servers' load balancer VIP?
You should be able to do what I've seen done in AWS before, but it really doesn't have anything to do with Suricata or Amsterdam. First, I doubt Azure is going to let you put a VM in front of their load balancers. You could check their documentation or with their support to find out for sure though. So what I suggest would be to NOT use Azure load balancers. Since you would be setting up a choke point in front of them anyways, you may as well just replace their load balancers with one of your own. So create a VM and install your own reverse proxy on it just like you suggest. And use this in place of the Azure load balancers. Once you get this working, and you have all the traffic flowing through it, then, and only then, install Suricata, or Amsterdam, on it listening to the desired interface. Don't worry about not using the Azure load balancers. By sticking a VM in front of them you've just negated their usefulness, so just do the load balancing yourself (nginx, ha-proxy, varnish or something) and run Suricata on that VM.
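The choke-point layout suggested above (your own reverse-proxy VM in place of the Azure load balancer, with Suricata sniffing the same interface), as an added nginx configuration example. This is not the Amsterdam project's configuration and not from anyone in the thread; it is kept separate from the nginx server block Amsterdam uses for its own GUI. The backend address 10.0.1.10, the hostname www.example.com and the interface name eth0 are assumed placeholders.

```nginx
# Added example: reverse proxy on the choke-point VM in front of the web-server pool.
# Assumptions (not from the thread): 10.0.1.10 is the internal VIP of the web-server
# load balancer; the Amsterdam GUI keeps its own, separate server block and port.
upstream web_backend {
    server 10.0.1.10:80;          # assumed VIP of the web-server load balancer
    keepalive 32;                  # reuse proxy->backend connections
}

server {
    listen 80;
    server_name www.example.com;  # assumed public hostname of the web application

    location / {
        proxy_pass http://web_backend;

        # Carry the real client address to the web servers so their logs stay useful;
        # Suricata on eth0 already sees the client IP directly on the inbound leg.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # HTTP/1.1 with an empty Connection header is required for upstream keepalive.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Fail fast on a dead backend rather than holding client connections open.
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }
}
```

With this in place, Suricata runs on the same VM in its normal passive mode (for example `suricata -i eth0`, or `interface: eth0` under `af-packet` in suricata.yaml) and sees two legs of every request on eth0: client to proxy, where the source address is the real client, and proxy to 10.0.1.10, where the source is the proxy itself. Alerts on the second leg therefore need the X-Forwarded-For value to attribute them to a client. If clients connect over HTTPS and TLS terminates at nginx, the inbound leg is encrypted on the wire and Suricata's HTTP inspection only applies to the proxy-to-backend leg; that is a detection-coverage caveat to decide on before placing the sensor here.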
Should the sciriusstatic and sciriusdata containers be constantly running? It seems they build but only the scirius container stays running.
First issue - you did not define any of the prerequisites that you will need in your documentation before installing via pip - ESPECIALLY - the 1.9.0 version of docker-compose (otherwise you get a client error)
Second issue - after all the prereqs were done, I finally was able to get through an install via pip. However, when attempting to access via browser, it gives an 'Internal Server Error'
Is this meant to monitor a single machine or a network of machines? What if you wanted to run this on one machine and monitor a group of web servers in the same subnet?