Monitoring traffic on VPC

Pawel · March 3, 2016, 3:35pm

I’ve got a cluster set up in the cloud with a Master and two workers all in separate VPC. They are talking using VPN and I can see the traffic from the workers in the the master. What I’m trying to do is to have the worker monitor the whole VPC as there will be other VMs such as honeypots etc.

I have tried port forwarding (forwarding all the traffic from the other instances into the bro worker) however with no luck as AWS doesn’t allow port forwarding apparently.

My question is can Bro monitor whole subnets? Or is there a better solution to monitor all of the traffic in a VPC?

Justin_Thomas · March 3, 2016, 10:33pm

I tackled this problem in AWS (using Suricata and Bro) by forcing all data through a handful of NAT instances. That allowed me to centralize the data flows and install VTUN and daemonlogger at those points to transfer the network traffic to a few dedicated IDS instances. Amazon’s routing makes even this challenging, and I can get in to more detail about that directly if you’d like.

There are many downsides to that approach, but it worked reliably for my needs (providing IDS services in AWS and complying with regulations).

Topic		Replies	Views
Monitoring of intra virtual machines network traffic on same physical host Zeek	5	125	May 6, 2022
New Cluster configuration Zeek	4	73	May 6, 2022
Info on configuring bro inline in AWS as IDS Zeek	4	111	May 6, 2022
VPN Traffic Detection Zeek	2	161	May 6, 2022
The Bro Deep Cluster Development development	1	82	May 6, 2022

Monitoring traffic on VPC

Related topics