This topic covers the integration of Cequence Sensor with AWS VPC Traffic Mirroring. For testing, this document assumes that you are using one application to receive traffic. Be sure to use an instance type that supports VPC traffic mirroring.
Highlights
- Installs sensor in a lightweight standalone container
- Seamless integration with AWS VPC Traffic Mirroring and other packet providers
- Key insights within minutes
Prerequisites for this integration
- Red Hat Linux 8.4
  - The user should be familiar with Red Hat Linux
- Amazon Web Services
  - Active AWS account
  - Cequence Sensor must be installed in AWS
- Active HTTP traffic sources
  - SSL Decryption is not supported. For SSL decryption, we recommend using an Application gateway or 3rd party NVA/Packet Broker.
  - Works with the current UAP Platform and older versions.
Install Cequence Sensor if it is not already present.
Cequence Sensor
Investigate suspicious API behavior, mitigate bot attacks, and gain strategic insights within your AWS environment using VPC Traffic Mirroring with the Cequence Sensor. Install Defender for use cases that require full prevention. The Cequence Sensor installation guide has more details.
Architecture
VPC Traffic Mirror Setup
Identify the Elastic Network Interfaces
- Identify the ENI of the application you would like to mirror traffic from.
  - Within AWS, navigate to EC2 > Instances > VM Traffic Source, select the Networking tab, and note the ENI of the traffic source.
- Identify the ENI of the Cequence Sensor virtual machine.
  - Within AWS, navigate to EC2 > Instances > Cequence Sensor, select the Networking tab, and note the ENI of the sensor.
- Once you have identified the ENIs of the traffic source and the sensor, you can use this integration guide or follow the "Getting Started with Traffic Mirroring" document from AWS to complete the necessary setup in AWS.
Sensor ENI
Traffic Source ENI
Create a Traffic Target
When you create your target, configure your destination as the Cequence Sensor Instance. Configure your source as the source of your traffic. In this case, the source is the Apache server. For more detail, see the Getting Started with Traffic Mirroring configuration guide by AWS.
Create a Traffic Filter
The traffic filter is a policy that you configure to allow or deny traffic. The example in this section allows all traffic. You can configure this based on your traffic flow requirements. For more detail, see the Getting Started with Traffic Mirroring configuration guide by AWS.
Create a Traffic Mirror Session
Create your traffic mirror session using the target, filter, and ENI traffic source. Once you have completed this step you have completed the necessary AWS configurations. For more detail, see the Getting Started with Traffic Mirroring configuration guide by AWS.
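The three console steps above (target, filter, session), scripted with the AWS CLI as an added example that is not part of the Cequence or AWS documentation. It assumes AWS CLI v2 with credentials allowed to create Traffic Mirroring resources, takes the two ENI ids as arguments, and narrows the filter to TCP 80/443 on the application side instead of the allow-all filter shown here.

```shell
#!/bin/sh
# Added example, not from the Cequence or AWS documentation: scripts the three
# console steps (target, filter, session) with the AWS CLI v2.
# Assumes credentials with ec2:CreateTrafficMirror* permissions are configured.
# Usage: sh mirror-to-sensor.sh <source-eni-id> <sensor-eni-id>
set -eu

# Mirror target = the Cequence Sensor ENI. Prints the tmt-... id.
create_target() {
  aws ec2 create-traffic-mirror-target \
    --network-interface-id "$1" --description "Cequence Sensor" \
    --query 'TrafficMirrorTarget.TrafficMirrorTargetId' --output text
}

# Filter. The console example accepts all traffic; this one (an assumption,
# adjust to your flows) mirrors only TCP 80/443 on the app side in both
# directions, which keeps SSH, DNS and health-check noise off the sensor.
# Ingress rules match the app's destination port, egress rules its source port.
create_filter() {
  tmf=$(aws ec2 create-traffic-mirror-filter \
    --description "HTTP/HTTPS to Cequence Sensor" \
    --query 'TrafficMirrorFilter.TrafficMirrorFilterId' --output text)
  n=100
  for dir in ingress egress; do
    for port in 80 443; do
      if [ "$dir" = ingress ]; then range=--destination-port-range
      else range=--source-port-range; fi
      aws ec2 create-traffic-mirror-filter-rule \
        --traffic-mirror-filter-id "$tmf" --traffic-direction "$dir" \
        --rule-number "$n" --rule-action accept --protocol 6 \
        --source-cidr-block 0.0.0.0/0 --destination-cidr-block 0.0.0.0/0 \
        "$range" "FromPort=$port,ToPort=$port" >/dev/null
      n=$((n + 1))
    done
  done
  echo "$tmf"
}

# Session: mirror the source ENI ($1) to the target built from the sensor ENI
# ($2). Prints the tms-... id. Mirrored packets then reach the sensor
# VXLAN-encapsulated on UDP 4789, which is what tcpdump on eth0 will show.
setup_mirroring() {
  tmt=$(create_target "$2")
  tmf=$(create_filter)
  aws ec2 create-traffic-mirror-session \
    --network-interface-id "$1" --traffic-mirror-target-id "$tmt" \
    --traffic-mirror-filter-id "$tmf" --session-number 1 \
    --query 'TrafficMirrorSession.TrafficMirrorSessionId' --output text
}

if [ "$#" -eq 2 ]; then setup_mirroring "$1" "$2"; fi
```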
Troubleshooting
This section contains steps you can use to verify that your Cequence Sensor setup is fully operable.
- Make sure you are using a well-known CA for Bot Defense and/or Sentinel
- The Cequence Sensor doesn't support mirroring Syslog
Not Seeing Traffic in your Cequence Appliance?
Look through the output of tcpdump on the sensor virtual machine to see whether traffic is ingressing and egressing.
[ec2-user@ip-10-0-0-104 ~]$ sudo tcpdump -i eth0 -nn port not 22 and port not 53
First, locate the sensor container. Then open a bash session in it using the following steps.
[ec2-user@ip-10-0-0-104 ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
470c181af869 cequence/x-zeek-sensor "/bin/sh -c /opt/vel…" 6 weeks ago Up 6 weeks sensor
Run docker exec to gain access to the sensor container.
[ec2-user@ip-10-0-0-104 ~]$ docker exec -it sensor bash
Is the Sensor Connected to Kafka?
From a shell session in the sensor container, navigate into the sensor-kafka-connector logs folder.
[root@sensor] /# cd /opt/velocity-manager/sensor-kafka-connector/logs
Search the directory for connector.log files. If none are present, the sensor connector isn't running.
[root@sensor] logs# ls
connector-helper.pid connector.log connector.log.1.gz connector.log.2.gz connector.log.3.gz logrotate-state start.log
Try to start the connector manually.
[root@sensor] logs# /opt/velocity-manager/bin/sensor-kafka-connector start
A successful start shows a running connector process, similar to the following.
[root@sensor] /# ps ax | grep connector
1076890 ? Sl 0:00 /opt/velocity-manager/sensor-kafka-connector/bin/defender-connector sensor /opt/velocity-manager/sensor-kafka-connector/conf/sensor-kafka-connector.json
Tail the connector logs to see if data is being written.
[root@sensor] logs# tail -f connector.log
===========================================================================
2022-01-26T22:19:59.344Z info
==============================connector stats==============================
reader: read: 98, rate: 98
pipeline: sensor-sentinel, received: 98, filtered out: 3
datasink: sentinel-api-edge, type: http, received: 95, written: 95, errors: 0, rate: 95, valid: true
===========================================================================
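A health check over the connector stats shown above, as an added example that is not part of the Cequence sensor tooling. It parses the latest "datasink:" line of connector.log (path assumed from the listing above) and distinguishes the three cases this section walks through: no stats at all, a datasink reporting errors or an invalid destination, and a connector that runs but writes nothing.

```shell
#!/bin/sh
# Added example, not part of the Cequence sensor tooling: parses the periodic
# "connector stats" blocks that sensor-kafka-connector writes to connector.log
# and says whether the datasink is delivering events.
# Usage inside the container:
#   sh check-connector.sh /opt/velocity-manager/sensor-kafka-connector/logs/connector.log
set -eu

# Most recent "datasink:" stats line in the log (empty if there is none).
last_datasink_line() {
  grep 'datasink:' "$1" | tail -n 1
}

# Value of one "key: value" field in a comma-separated stats line.
stat_field() {  # $1 = stats line, $2 = key, e.g. written
  printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^ *$2: *\([^ ]*\).*/\1/p"
}

# Verdict on a connector log: OK (return 0), or WARN/FAIL (return 1).
# FAIL: no stats at all, so the connector is not running or has read nothing.
# WARN: the datasink reports errors / an invalid destination, or wrote 0 events.
check_connector() {
  line=$(last_datasink_line "$1")
  if [ -z "$line" ]; then
    echo "FAIL: no datasink stats in $1; start the connector and re-check"
    return 1
  fi
  written=$(stat_field "$line" written); written=${written:-0}
  errors=$(stat_field "$line" errors);   errors=${errors:-0}
  valid=$(stat_field "$line" valid)
  if [ "$errors" -gt 0 ] || [ "$valid" != true ]; then
    echo "WARN: datasink errors=$errors valid=$valid; check the appliance destination in sensor-kafka-connector.json"
    return 1
  fi
  if [ "$written" -eq 0 ]; then
    echo "WARN: connector running but wrote 0 events; check the mirror session and Zeek http.log"
    return 1
  fi
  echo "OK: datasink wrote $written events with no errors"
}

# With no argument, run against a constructed sample shaped like the stats above.
if [ "$#" -eq 1 ]; then
  check_connector "$1"
else
  sample=$(mktemp)
  printf '%s\n' 'reader: read: 98, rate: 98' \
    'datasink: sentinel-api-edge, type: http, received: 95, written: 95, errors: 0, rate: 95, valid: true' > "$sample"
  check_connector "$sample"; rm -f "$sample"
fi
```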
When no connector process is visible, check the connector's conf directory (/opt/velocity-manager/sensor-kafka-connector/conf, the path used by the process shown above) for a connector configuration.
[root@sensor] conf# ls
cqai-filters-advanced-default.json cqai-filters-simple-default.json logrotate.conf sensor-kafka-connector.json
cqai-filters-advanced.json cqai-filters-simple.json sensor-kafka-connector-default.json
Exit the sensor container.
[root@sensor] conf# exit
exit
Then, on the AWS instance, navigate to the host configuration directory.
[ec2-user@ip-10-0-0-104 ~]$ cd /opt/velocity-manager-host/config/
Open sensor-kafka-connector.json and check the configuration. Here you can change the Cequence appliance destination.
[ec2-user@ip-10-0-0-104 config]# vi sensor-kafka-connector.json
When you make changes to the sensor-kafka-connector.json file, restart velocity-manager-compose.
[ec2-user@ip-10-0-0-104 config]# ../bin/velocity-manager-compose restart
The sensor has started but is still not receiving data
Once your sensor connector is working, if traffic is still not being sent to your Cequence Security platform, check the Zeek logs. Run the following commands, then send a curl request to the application being monitored and check the log for new entries.
[root@sensor] logs# cd /opt/zeek/logs/current
[root@sensor] current# tail -f http.log
PF_RING (optional)
If you are using PF_RING, make sure it is installed properly. If it is, you should see both a pfring folder and a zeek-pfring folder.
[root@sensor] current# cd /opt/
[root@sensor] opt# ls
cequence collectd graphite packet-stats pfring redis velocity-manager zeek zeek-pfring
Then make sure the Zeek binaries and config tools are present in the zeek-pfring/bin directory, which confirms that the PF_RING build of Zeek is in place.
[root@sensor] opt# cd /opt/zeek-pfring/bin/
[root@sensor] bin# ls
bifcl binpac bro bro-config bro-cut broctl capstats paraglob-test trace-summary zeek zeek-config zeek-cut zeek-wrapper zeekctl
If you are still experiencing challenges, please contact Cequence Support or submit a request on this Zendesk article.
Version History
Date | Version | Notes |
Nov 4, 2023 | 2 | Updated with newer RHEL version. |
Mar 10, 2022 | 1 | Initial version. |