The Cequence Sensor works with GCP Packet Mirroring, which delivers a copy of the network traffic of selected instances or subnets to a specified interface on the Sensor virtual machine.
Prerequisites
- Red Hat Enterprise Linux (RHEL) 8.4
- Google Cloud Platform: an active GCP account, with the Cequence Sensor installed in GCP
- Active HTTP traffic sources
- SSL/TLS decryption is not supported. Use an application gateway, a third-party NVA, or a packet broker to decrypt traffic before it is mirrored to the Sensor.
- Works with the current release of the UAP Platform.
The Cequence Sensor Installation topic provides details on installing and verifying the healthy operation of the Cequence Sensor.
Cequence Sensor
Packet mirroring from your GCP environment to the Cequence Sensor enables you to investigate suspicious API behavior, mitigate bot attacks, and gain strategic insights. Because the Sensor receives only a copy of the traffic, it detects and reports but cannot block in-line; for full prevention, use a complete installation of Defender. See the Cequence Sensor - Installation to RHEL 8.4 installation guide for a more detailed overview.
GCP Packet Mirror Setup
To configure GCP Packet Mirroring, follow the guide provided by Google. In general terms, setting up GCP Packet Mirroring involves these steps:
- Create a collector instance to receive the mirrored packets. Packet Mirroring delivers copies to a collector behind an internal passthrough Network Load Balancer, so the Cequence Sensor VM is placed in an instance group that backs that load balancer.
- Configure firewall rules so that mirrored traffic is allowed to reach the collector instance.
- Create a packet mirroring policy that determines the source, destination, and type of packets to copy.
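The three steps above, carried out with gcloud, as an added example that is not Cequence's or Google's own script. Every resource name and the PROJECT, REGION, ZONE, NETWORK, SUBNET, SENSOR_VM and MIRROR_TAG values are placeholders (assumptions), and the Sensor VM is assumed to already exist in ZONE with its NIC in SUBNET. Check the flags against the current gcloud reference before applying.

```shell
#!/bin/sh
# Added example (not Cequence's or Google's own script): builds the GCP Packet Mirroring
# path to a Cequence Sensor VM with gcloud. All resource names and the PROJECT/REGION/
# ZONE/NETWORK/SUBNET values are placeholders (assumptions); the Sensor VM is assumed to
# already exist in ZONE with its NIC in SUBNET. "sh mirror.sh plan" prints the commands,
# "sh mirror.sh apply" executes them.
set -eu

PROJECT="${PROJECT:-my-project}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
NETWORK="${NETWORK:-prod-vpc}"
SUBNET="${SUBNET:-prod-subnet}"
SENSOR_VM="${SENSOR_VM:-cequence-sensor-1}"   # existing RHEL 8.4 VM running the Sensor
MIRROR_TAG="${MIRROR_TAG:-api-backend}"       # network tag on the instances to mirror
# Source ranges allowed to reach the collector. Mirrored packets keep their original
# source IP, so if the mirrored instances serve internet clients this must stay open;
# narrow it to your internal ranges when every mirrored source is internal.
MIRROR_SRC="${MIRROR_SRC:-0.0.0.0/0}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Collector: Packet Mirroring delivers to an internal passthrough Network Load Balancer
# whose forwarding rule carries --is-mirroring-collector; the Sensor VM is its backend.
create_collector() {
  run gcloud compute instance-groups unmanaged create sensor-ig \
      --project="$PROJECT" --zone="$ZONE"
  run gcloud compute instance-groups unmanaged add-instances sensor-ig \
      --project="$PROJECT" --zone="$ZONE" --instances="$SENSOR_VM"
  run gcloud compute health-checks create tcp sensor-hc \
      --project="$PROJECT" --region="$REGION" --port=22
  run gcloud compute backend-services create sensor-bes \
      --project="$PROJECT" --region="$REGION" \
      --load-balancing-scheme=internal --protocol=TCP \
      --health-checks=sensor-hc --health-checks-region="$REGION"
  run gcloud compute backend-services add-backend sensor-bes \
      --project="$PROJECT" --region="$REGION" \
      --instance-group=sensor-ig --instance-group-zone="$ZONE"
  run gcloud compute forwarding-rules create sensor-collector-fr \
      --project="$PROJECT" --region="$REGION" \
      --load-balancing-scheme=internal --backend-service=sensor-bes \
      --network="$NETWORK" --subnet="$SUBNET" \
      --ip-protocol=TCP --ports=all --is-mirroring-collector
}

# Firewall: mirrored packets are subject to the collector's ingress rules, and the
# load balancer health checks arrive from Google's fixed probe ranges.
create_firewall() {
  run gcloud compute instances add-tags "$SENSOR_VM" \
      --project="$PROJECT" --zone="$ZONE" --tags=cequence-collector
  run gcloud compute firewall-rules create allow-mirrored-to-sensor \
      --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
      --action=ALLOW --rules=all --source-ranges="$MIRROR_SRC" \
      --target-tags=cequence-collector
  run gcloud compute firewall-rules create allow-hc-to-sensor \
      --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
      --action=ALLOW --rules=tcp:22 \
      --source-ranges=35.191.0.0/16,130.211.0.0/22 --target-tags=cequence-collector
}

# Policy: what to copy. Packet Mirroring filters by protocol, CIDR range and direction
# only, not by port, so the Sensor receives all TCP to and from the tagged instances.
create_mirror_policy() {
  run gcloud compute packet-mirrorings create api-mirror \
      --project="$PROJECT" --region="$REGION" --network="$NETWORK" \
      --collector-ilb=sensor-collector-fr \
      --mirrored-tags="$MIRROR_TAG" \
      --filter-protocols=tcp --filter-direction=both
}

case "${1:-}" in
  plan)  DRY_RUN=1; create_collector; create_firewall; create_mirror_policy ;;
  apply) create_collector; create_firewall; create_mirror_policy ;;
  *)     echo "usage: $0 plan|apply" ;;
esac
```

Because the policy cannot filter on port, anything the tagged instances send or receive over TCP (database, SSH, health checks) is copied to the Sensor as well; use --filter-cidr-ranges or a dedicated subnet for the API tier when that volume or exposure is a concern.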
Resolving common issues
For reliable communications within GCP, verify that the certificate presented by your Bot Defense or Sentinel installation is issued by a well-known certificate authority (CA) so that the Sensor can validate it when it delivers data.
No Traffic to the Cequence Appliance
Run tcpdump with sudo from a terminal on the Sensor virtual machine to confirm that mirrored traffic is arriving on the capture interface. The filter below excludes SSH and DNS so that only mirrored application traffic is shown; substitute the capture interface name for eth0 if it differs on your VM.
[ec2-user@ip-10-0-0-104 ~]$ sudo tcpdump -i eth0 -nn port not 22 and port not 53
Run the docker ps command to confirm that the Cequence Sensor container (named sensor) is up.
[ec2-user@ip-10-0-0-104 ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
470c181af869 cequence/x-zeek-sensor "/bin/sh -c /opt/vel…" 6 weeks ago Up 6 weeks sensor
Run the "docker exec" command to open a bash session inside the Cequence Sensor container.
[ec2-user@ip-10-0-0-104 ~]$ docker exec -it sensor bash
To verify that the Sensor is connected to Kafka, change to the logs directory of the Sensor Kafka connector, as in the following example.
[root@sensor] /# cd /opt/velocity-manager/sensor-kafka-connector/logs
Look for connector.log files in the directory. When none are present, the Sensor Kafka connector has never started on this Sensor, so no data is being reported.
[root@sensor] logs# ls
connector-helper.pid connector.log connector.log.1.gz connector.log.2.gz connector.log.3.gz logrotate-state start.log
Run the "sensor-kafka-connector start" command to start the connector manually.
[root@sensor] logs# /opt/velocity-manager/bin/sensor-kafka-connector start
Run the "ps ax | grep connector" command to confirm that the connector is running.
[root@sensor] /# ps ax | grep connector
1076890 ? Sl 0:00 /opt/velocity-manager/sensor-kafka-connector/bin/defender-connector sensor /opt/velocity-manager/sensor-kafka-connector/conf/sensor-kafka-connector.json
Run the tail command to observe connector log activity in real time.
[root@sensor] logs# tail -f connector.log
===========================================================================
2022-01-26T22:19:59.344Z info
==============================connector stats==============================
reader: read: 98, rate: 98
pipeline: sensor-sentinel, received: 98, filtered out: 3
datasink: sentinel-api-edge, type: http, received: 95, written: 95, errors: 0, rate: 95, valid: true
===========================================================================
When no connector process is available, change to the conf directory and confirm that the configuration files are present. In particular, sensor-kafka-connector.json, the file the connector is started with (see the ps output above), must exist; sensor-kafka-connector-default.json holds the shipped defaults.
[root@sensor] conf# ls
cqai-filters-advanced-default.json cqai-filters-simple-default.json logrotate.conf sensor-kafka-connector.json
cqai-filters-advanced.json cqai-filters-simple.json sensor-kafka-connector-default.json
To exit the sensor container, type exit at the shell prompt.
[root@sensor] conf# exit
exit
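The checks in this section, gathered into one script as an added example that is not Cequence's own tooling: it reads the "connector stats" blocks from connector.log and reduces them to a status string that separates "connector not running", "Zeek producing nothing" (the case covered under "The sensor has started but does not receive data") and "deliveries failing". The sample stats blocks are constructed to match the format shown on this page; the log path and the container name sensor come from the page, and the live-check function and its interface name are assumptions.

```shell
#!/bin/sh
# Added example (not Cequence's own tooling): health check for the Sensor Kafka connector
# based on the "connector stats" blocks in connector.log. The sample log is constructed
# to match the format shown on the page; the log path and container name "sensor" are
# taken from the page, the live checks and the eth0 default are assumptions.
set -eu

LOG="${LOG:-/opt/velocity-manager/sensor-kafka-connector/logs/connector.log}"

# last_stats_line FILE KEY: most recent "KEY: ..." line of the stats blocks (empty if none)
last_stats_line() {
  grep -E "^[[:space:]]*$2:" "$1" | tail -n 1
}

# field LINE KEY: value of "KEY: value" inside a comma-separated stats line
field() {
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2: *\([^,]*\).*/\1/p"
}

# is_count VALUE: true when VALUE is a non-negative integer
is_count() {
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# connector_status FILE: prints one of
#   no-stats          no stats block yet: connector not running, or only just started
#   parse-error       a stats line was present but a counter was not numeric
#   datasink-invalid  datasink reports valid: false (check endpoint and CA trust)
#   datasink-errors   deliveries to Sentinel / Bot Defense are failing
#   no-input          reader rate is 0: nothing from Zeek, so check packet mirroring
#   ok                traffic is flowing end to end
connector_status() {
  rd="$(last_stats_line "$1" reader)"
  ds="$(last_stats_line "$1" datasink)"
  if [ -z "$rd" ] || [ -z "$ds" ]; then echo no-stats; return 0; fi
  rate="$(field "$rd" rate)"; errs="$(field "$ds" errors)"; valid="$(field "$ds" valid)"
  if ! is_count "$rate" || ! is_count "$errs"; then echo parse-error; return 0; fi
  if [ "$valid" != true ]; then echo datasink-invalid; return 0; fi
  if [ "$errs" -gt 0 ]; then echo datasink-errors; return 0; fi
  if [ "$rate" -eq 0 ]; then echo no-input; return 0; fi
  echo ok
}

# sample_stats STATE: constructed stats block (healthy | stalled | failing), not real output
sample_stats() {
  case "$1" in
    healthy) nread=98; rate=98; written=95; errors=0 ;;
    stalled) nread=98; rate=0;  written=0;  errors=0 ;;
    failing) nread=98; rate=98; written=0;  errors=95 ;;
    *) echo "unknown state: $1" >&2; return 1 ;;
  esac
  cat <<EOF
2022-01-26T22:19:59.344Z info
==============================connector stats==============================
reader: read: $nread, rate: $rate
pipeline: sensor-sentinel, received: $nread, filtered out: 3
datasink: sentinel-api-edge, type: http, received: 95, written: $written, errors: $errors, rate: $written, valid: true
===========================================================================
EOF
}

# sensor_quick_checks [IFACE]: the page's manual steps in order, run on the Sensor VM
# (needs sudo and docker). Assumed usage, not part of the product.
sensor_quick_checks() {
  iface="${1:-eth0}"
  docker ps --filter name=sensor --format '{{.Names}} {{.Status}}'
  docker exec sensor sh -c 'ps ax | grep -c "[d]efender-connector"' \
    || echo "no connector process"
  tmp="$(mktemp)"; docker exec sensor cat "$LOG" > "$tmp"
  echo "connector: $(connector_status "$tmp")"; rm -f "$tmp"
  sudo timeout 10 tcpdump -i "$iface" -nn -c 20 'not port 22 and not port 53' || true
}

if [ $# -ge 1 ]; then
  case "$1" in
    live) sensor_quick_checks "${2:-eth0}" ;;
    *)    connector_status "$1" ;;
  esac
fi
```

Run it as "sh check.sh live" on the Sensor VM, or "sh check.sh /path/to/connector.log" against a copied log. A status of no-input with a healthy datasink points at the mirroring path (policy, firewall, collector) rather than at the Sensor itself.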
The sensor has started but does not receive data
Check the Zeek logs to find out why a running Sensor connector is not receiving traffic. Run the following commands, then generate a request to a monitored endpoint (for example, curl against the address of a monitored device from another host) so that the mirrored traffic populates /opt/zeek/logs/current/http.log with current entries.
[root@sensor] logs# cd /opt/zeek/logs/current
[root@sensor] current# tail -f http.log
Pfring (optional)
When PF_RING (pfring) is in use, verify that the PF_RING installation is complete and working. When correctly installed, the zeek-pfring and pfring directories are present in /opt.
[root@sensor] current# cd /opt/
[root@sensor] opt# ls
cequence collectd graphite packet-stats pfring redis velocity-manager zeek zeek-pfring
Verify that the PF_RING-enabled Zeek binaries (zeek, zeekctl, zeek-cut and the related tools) are present in the zeek-pfring/bin directory.
[root@sensor] zeek-pfring# cd /opt/zeek-pfring/bin/
[root@sensor] bin# ls
bifcl binpac bro bro-config bro-cut broctl capstats paraglob-test trace-summary zeek zeek-config zeek-cut zeek-wrapper zeekctl
Version History
Date | Version | Notes |
Oct 18, 2023 | 2 | Updated with additional troubleshooting sections. |
Feb 6, 2022 | 1 | Initial version. |