Working with open-source tools for Traffic Mirroring - Amazon Virtual Private Cloud


You can use open-source tools to monitor network traffic from Amazon EC2 instances. The following tools work with Traffic Mirroring:

  • Zeek

  • Suricata

These open-source tools support VXLAN decapsulation, and they can be used at scale to monitor VPC traffic. For information about how Zeek handles VXLAN support and to download the code, see Zeek vxlan on the GitHub website. For information about how Suricata handles VXLAN support and to download the code, see Suricata on the GitHub website.

The following example uses the Suricata open-source tool. You can follow similar steps for Zeek.

Consider the scenario where you want to mirror inbound TCP traffic on an instance and send the traffic to an instance that has the Suricata software installed. You need the following traffic mirror entities for this example:

  • An EC2 instance with the Suricata software installed on it

  • A traffic mirror target for the EC2 instance (Target A)

  • A traffic mirror filter with a traffic mirror rule for the TCP inbound traffic (Filter rule 1)

  • A traffic mirror session that has the following:

    • A traffic mirror source

    • A traffic mirror target for the appliance

    • A traffic mirror filter with a traffic mirror rule for the TCP inbound traffic

Step 1: Install the Suricata software on the EC2 instance target

Launch an EC2 instance, and then install the Suricata software on it by using the following commands.

# Become root
sudo -s

# Install epel-release
amazon-linux-extras install -y epel

# Install suricata
yum install -y suricata

# Create the default suricata rules directory (no error if it already exists)
mkdir -p /var/lib/suricata/rules

# Add a rule to match all UDP traffic. Mirrored packets arrive encapsulated
# in VXLAN over UDP port 4789, so this rule confirms that the session delivers.
echo 'alert udp any any -> any any (msg:"UDP traffic detected"; sid:200001; rev:1;)' > /var/lib/suricata/rules/suricata.rules

# Start suricata listening on eth0 in daemon mode; -k none disables checksum validation
suricata -c /etc/suricata/suricata.yaml -k none -i eth0 -D

# Alerts are written to /var/log/suricata/fast.log

Step 2: Create a traffic mirror target

Create a traffic mirror target (Target A) for the EC2 instance. Depending on your configuration, the target is one of the following types:

  • The network interface of the monitoring appliance

  • The Network Load Balancer when the appliance is deployed behind one

For more information, see Create a traffic mirror target.

Step 3: Create a traffic mirror filter

Create a traffic mirror filter (Filter 1) with the following inbound rule. For more information, see Create a traffic mirror filter.

Traffic mirror filter rule for inbound TCP traffic

  Option                   Value
  Rule action              Accept
  Protocol                 TCP
  Source port range        (leave blank)
  Destination port range   (leave blank)
  Source CIDR block        0.0.0.0/0
  Destination CIDR block   0.0.0.0/0
  Description              TCP Rule

Step 4: Create a traffic mirror session

Create and configure a traffic mirror session with the following options. For more information, see Create a traffic mirror session.

Traffic mirror session to monitor inbound TCP traffic

  Option          Value
  Mirror source   The network interface of the instance that you want to monitor
  Mirror target   Target A
  Filter          Filter 1
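To show what the appliance receives once the session above is active, the following added example (not part of the AWS documentation, Suricata or Zeek) decapsulates a constructed mirrored packet: the VXLAN header that Traffic Mirroring wraps around each packet, then the inner Ethernet/IPv4/TCP headers, and applies a rule shaped like Filter rule 1 to the result. The VNI value, MAC and IP addresses are constructed sample data.

```python
import struct
from ipaddress import ip_address, ip_network

VXLAN_FLAG_I = 0x08  # "I" bit (RFC 7348): the VNI field is valid


def decap_vxlan(udp_payload: bytes) -> dict:
    """Strip the 8-byte VXLAN header from a mirrored packet and summarise the
    inner IPv4 packet. The VNI is the traffic mirror session's virtual network
    ID, which lets an appliance fed by several sessions tell them apart."""
    if len(udp_payload) < 8 + 14 + 20:
        raise ValueError("truncated VXLAN frame")
    if not udp_payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(udp_payload[4:7], "big")
    eth = udp_payload[8:22]                      # inner Ethernet header
    if struct.unpack("!H", eth[12:14])[0] != 0x0800:
        raise ValueError("only inner IPv4 is handled in this example")
    ip = udp_payload[22:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    summary = {"vni": vni, "proto": ip[9],
               "src": str(ip_address(ip[12:16])), "dst": str(ip_address(ip[16:20]))}
    if ip[9] in (6, 17) and len(ip) >= ihl + 4:  # TCP/UDP: ports follow the IP header
        summary["sport"], summary["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return summary


def matches_rule(s: dict, protocol: int = 6, src_cidr: str = "0.0.0.0/0",
                 dst_cidr: str = "0.0.0.0/0", dport_range=None) -> bool:
    """Evaluate one mirror filter rule against a decapsulated summary. The
    defaults reproduce Filter rule 1: TCP, any source/destination, all ports."""
    if s["proto"] != protocol:
        return False
    if ip_address(s["src"]) not in ip_network(src_cidr):
        return False
    if ip_address(s["dst"]) not in ip_network(dst_cidr):
        return False
    if dport_range and not dport_range[0] <= s.get("dport", -1) <= dport_range[1]:
        return False
    return True


def build_sample(vni: int = 1234) -> bytes:
    """Constructed sample: VXLAN(vni) / Ethernet / IPv4 / TCP SYN to port 80."""
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00"           # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                       ip_address("10.0.1.10").packed, ip_address("10.0.2.20").packed)
    return vxlan + eth + ipv4 + tcp
```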