IDR Network Sensor's

afaugno · February 5, 2024, 3:45pm

Hi.

We are starting to look into possibly deploying network sensor’s but wanted to get feedback for customers that are already using it.

Is it worth it?
Does it actually work or do anything?

TIA!

RHolzer · February 5, 2024, 4:06pm

Hi @afaugno!

The sensor itself will give you access to the DNS Query-, Host to IP Observations-, IDS Alert- and Network Flow-Logs. The Network Flow Logs alone are very usefull because you can simply check which computer connects to which computer and you have the Suricata IDS with Rapid7 ruleset on top which can help to identify threats.

I definitly recommend the usage of network sensors.

Best regards
Robert

ajain · February 6, 2024, 9:37am

Are these useful in AWS world as well to capture complete network level telemetry since AWS doesn’t logs DNS logs unless pointed to Route53

mmur_gt4e · February 8, 2024, 9:47am

Remember that you can only display the network flow logs if you have the ultimate licensing… if not is quite useless as you just can view DNS and Host to IP Observations logs…

Camano · February 9, 2024, 7:28pm

I’d be interested in hearing experiences on how you have these deployed in AWS. As there isn’t a mechanism for the sensor to monitor all traffic in the VPC, they have to be pointed to specific instances, and that is limited to 10 instances per sensor.

For most of us, they will only gather DNS requests, as AWS does not allow mirroring of DHCP.

I wish there was more documentation on where/how they should be deployed.

david_smith · February 9, 2024, 9:07pm

@Camano to get around this limit you can create a Network Load Balancer (NLB) to use as your VPC target. To create an NLB, follow Amazon’s instructions

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html

David

Camano · February 9, 2024, 9:57pm

@david_smith Have you had success with this? The documentation I found indicated an NLB could be used as mirror target (which would distribute to multiple sensors). When we tried to use an NLB as a mirror session source, AWS did not allow it, and said the ENI needed to be of type “instance” not “load balancer”.

darragh_delaney2 · February 12, 2024, 11:54am

@Camano

See here on how to configure an NLB as a target. Let me know if this helps, we may to extend our docs to cover this deployment method

https://www.awsnetworkshops.com/050_module3/

Camano · February 12, 2024, 1:51pm

Hey @darragh_delaney2 that shows how to set an NLB as a target. What has been recommended, and what we’re having trouble finding docs on, is how to use an NLB as a mirror source. The network sensor itself needs to be the target in this scenario.