Google Cloud Packet Mirroring with OpenSource IDS

Packet Mirroring is a key feature in Google Cloud networking for security and network analysis. Its functionality is similar to that of a network tap or a SPAN session in traditional networking. In short, Packet Mirroring captures network traffic (ingress and egress) from select "mirrored sources", copies the traffic, and forwards the copy to "collectors".

It is important to note that Packet Mirroring captures the full payload of each packet and thus consumes additional bandwidth. Because Packet Mirroring is not based on any sampling period, it can be used for better troubleshooting, security solutions, and higher-layer, application-based analysis.

Packet Mirroring is founded on a "Packet Mirroring Policy", which contains the following attributes:

  • Region
  • VPC Network(s)
  • Mirrored Source(s)
  • Collector (destination)
  • Mirrored traffic (filter)

Here are some key points that also need to be considered:

  • Only TCP, UDP and ICMP traffic may be mirrored. This, however, should satisfy the majority of use cases.
  • "Mirrored Sources" and "Collectors" must be in the SAME Region, but can be in different zones and even different VPCs, as long as those VPCs are properly Peered.
  • Additional bandwidth charges apply, especially between zones. To limit the traffic being mirrored, filters can be used.

One prime use case for Packet Mirroring is an Intrusion Detection System (IDS) solution. Some cloud-based IDS solutions require a special service to run on each source VM, or require an IDS virtual appliance to be placed in-line between the network source and destination. Both of these have significant implications. For example, the service-based solution, though fully distributed, requires that the guest operating system supports the software. The in-line solution can create a network bottleneck, as all traffic must be funneled through the IDS appliance. The in-line solution will also not be able to capture "east-west" traffic between VMs in the same VPC.

Google Cloud Packet Mirroring does not require any additional software on the VMs and it is fully distributed across each of the mirrored virtual machines. The "Collector" IDS is placed out-of-path using an Internal Network Load Balancer (ILB) and will receive both "north-south" traffic and "east-west" traffic.

Packet Mirroring lab description

To demonstrate how Packet Mirroring can be used with an IDS, consider this example using the open source IDS Suricata:

  • A single VPC with 2 subnets, one for mirrored sources and one for the collector
  • 2 Web servers created with a public IP address
  • 1 Collector server (IDS) created with NO public IP for security reasons
  • CloudNAT enabled for Internet access as needed
  • All VMs created in the same region and zone, for simplicity and cost reasons

In this lab you will create a Google Cloud environment, configure the "Collector" ILB, configure the Packet Mirroring policy, and install and configure Suricata (https://suricata-ids.org/) on a virtual instance to act as an IDS. Once complete, network tests will be performed to validate the configuration and use of Packet Mirroring with the open source IDS. A very stripped-down rule set and Suricata configuration are used to simplify the demonstration.








Google Cloud environment diagram

Objectives:

  • Build out a Google Cloud networking environment as shown in the diagram above
  • Create 2 virtual machines with gcloud commands to act as web servers
  • Create a single virtual machine with gcloud commands to act as IDS
  • Create an Internal Load Balancer (ILB) to act as a "collector" for Packet Mirroring
  • Install and configure an open source IDS (Suricata) on the IDS VM
  • Review some basic IDS alert rules
  • Create a Packet Mirroring policy
  • Test Packet Mirroring by generating network traffic to the "mirrored" subnet
  • Test Suricata IDS by generating network traffic to simulate an IDS event and review IDS logging





BUILD LAB:


student_04_6d7b0b6748d9@cloudshell:~ (qwiklabs-gcp-03-983f2e6b9894)$ history
    1  gcloud compute networks create dm-stamford --subnet-mode=custom
    2  gcloud compute networks subnets create dm-stamford-uswest4 --range=172.21.0.0/24 --network=dm-stamford --region=us-west4
    3  gcloud compute networks subnets create dm-stamford-uswest4-ids --range=172.21.1.0/24 --network=dm-stamford --region=us-west4
    4  gcloud compute firewall-rules create fw-dm-stamford-allow-any-web --direction=INGRESS --priority=1000 --network=dm-stamford --action=ALLOW --rules=tcp:80,icmp --source-ranges=0.0.0.0/0
    5  gcloud compute firewall-rules create fw-dm-stamford-ids-any-any --direction=INGRESS --priority=1000 --network=dm-stamford --action=ALLOW --rules=all --source-ranges=0.0.0.0/0 --target-tags=ids
    6  gcloud compute firewall-rules create fw-dm-stamford-iapproxy --direction=INGRESS --priority=1000 --network=dm-stamford --action=ALLOW --rules=tcp:22,icmp --source-ranges=35.235.240.0/20
    7  gcloud compute routers create router-stamford-nat-west4 --region=us-west4 --network=dm-stamford
    8  gcloud compute routers nats create nat-gw-dm-stamford-west4 --router=router-stamford-nat-west4 --router-region=us-west4 --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges
    9  gcloud compute instance-templates create template-dm-stamford-web-us-west4 --region=us-west4 --network=dm-stamford --subnet=dm-stamford-uswest4 --machine-type=g1-small --image=ubuntu-1604-xenial-v20200807 --image-project=ubuntu-os-cloud --tags=webserver --metadata=startup-script='#! /bin/bash
  apt-get update
  apt-get install apache2 -y
  vm_hostname="$(curl -H "Metadata-Flavor:Google" \
  http://169.254.169.254/computeMetadata/v1/instance/name)"
  echo "Page served from: $vm_hostname" | \
  tee /var/www/html/index.html
  systemctl restart apache2'
   10  gcloud compute instance-groups managed create mig-dm-stamford-web-uswest4     --template=template-dm-stamford-web-us-west4     --size=2     --zone=us-west4-a
   11  gcloud compute instance-templates create template-dm-stamford-ids-us-west4 --region=us-west4 --network=dm-stamford --no-address --subnet=dm-stamford-uswest4-ids --image=ubuntu-1604-xenial-v20200807 --image-project=ubuntu-os-cloud --tags=ids,webserver --metadata=startup-script='#! /bin/bash
  apt-get update
  apt-get install apache2 -y
  vm_hostname="$(curl -H "Metadata-Flavor:Google" \
  http://169.254.169.254/computeMetadata/v1/instance/name)"
  echo "Page served from: $vm_hostname" | \
  tee /var/www/html/index.html
  systemctl restart apache2'
   12  gcloud compute instance-groups managed create mig-dm-stamford-ids-uswest4     --template=template-dm-stamford-ids-us-west4     --size=1     --zone=us-west4-a
   13  gcloud compute health-checks create tcp hc-tcp-80 --port 80
   14  gcloud compute backend-services create be-dm-stamford-suricata-us-west4 --load-balancing-scheme=INTERNAL --health-checks=hc-tcp-80 --network=dm-stamford --protocol=TCP --region=us-west4
   15  gcloud compute backend-services add-backend be-dm-stamford-suricata-us-west4 --instance-group=mig-dm-stamford-ids-uswest4 --instance-group-zone=us-west4-a --region=us-west4
   16  gcloud compute packet-mirrorings create mirror-dm-stamford-web --collector-ilb=ilb-dm-stamford-suricata-ilb-us-west4 --network=dm-stamford --mirrored-subnets=dm-stamford-uswest4 --region=us-west4
   17  gcloud compute instances list
   18  sudo tcpdump -i ens4 -nn -n "(icmp or port 80) and net 172.21.0.0/24"
   19  sudo apt install iputils-ping
   20  ping -c 4 34.125.170.248
   21  ping -c 4 34.125.91.185
   22  history
student_04_6d7b0b6748d9@cloudshell:~ (qwiklabs-gcp-03-983f2e6b9894)$ 









INSTALL IDS software and test lab.


student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ history
    1  sudo apt-get update -y
    2  sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libmagic-dev libjansson-dev libjansson4 -y
    3  sudo apt-get install libnspr4-dev -y
    4  sudo apt-get install libnss3-dev -y
    5  sudo apt-get install liblz4-dev -y
    6  sudo apt install rustc cargo -y
    8  sudo add-apt-repository ppa:oisf/suricata-stable -y
    9  sudo apt-get update -y
   10  sudo apt-get install suricata -y
   11  suricata -V
   12  sudo systemctl stop suricata
   13  sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.backup
   14  wget https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/suricata.yaml
   15  wget https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/my.rules
   16  sudo mkdir /etc/suricata/poc-rules
   17  sudo cp my.rules /etc/suricata/poc-rules/my.rules
   18  /etc/suricata/poc-rules/my.rules
   19  sudo cp suricata.yaml /etc/suricata/suricata.yaml
   20  sudo systemctl start suricata
   21  sudo systemctl restart suricata
   22  cat /etc/suricata/poc-rules/my.rules
   23  sudo tcpdump -i ens4 -nn -n "(icmp or port 80) and net 172.21.0.0/24"

  
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo add-apt-repository ppa:oisf/suricata-stable -y
gpg: keyring `/tmp/tmpsvkw80sy/secring.gpg' created
gpg: keyring `/tmp/tmpsvkw80sy/pubring.gpg' created
gpg: requesting key 66EB736F from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpsvkw80sy/trustdb.gpg: trustdb created
gpg: key 66EB736F: public key "Launchpad PPA for Peter Manev" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo apt-get update -y
Hit:1 http://us-west4.gce.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://us-west4.gce.archive.ubuntu.com/ubuntu xenial-updates InRelease                                  
Hit:3 http://us-west4.gce.archive.ubuntu.com/ubuntu xenial-backports InRelease                                
Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [99.8 kB]                                   
Hit:5 http://archive.canonical.com/ubuntu xenial InRelease                                                 
Get:6 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial InRelease [17.5 kB]                      
Get:7 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial/main amd64 Packages [1,396 B]  
Get:8 http://ppa.launchpad.net/oisf/suricata-stable/ubuntu xenial/main Translation-en [1,204 B]
Fetched 120 kB in 1s (109 kB/s)                       
Reading package lists... Done

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo apt-get install suricata -y
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ suricata -V
This is Suricata version 6.0.3 RELEASE
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo systemctl stop suricata

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.backup

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ wget https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/suricata.yaml

--2023-08-05 22:08:51--  https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/suricata.yaml
Resolving storage.googleapis.com (storage.googleapis.com)... 142.251.2.128, 74.125.137.128, 142.250.101.128, ...
Connecting to storage.googleapis.com (storage.googleapis.com)|142.251.2.128|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 70565 (69K) [application/x-yaml]
Saving to: ‘suricata.yaml’

suricata.yaml               100%[==========================================>]  68.91K  --.-KB/s    in 0.001s  

2023-08-05 22:08:51 (96.8 MB/s) - ‘suricata.yaml’ saved [70565/70565]

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ wget https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/my.rules

--2023-08-05 22:09:05--  https://storage.googleapis.com/tech-academy-enablement/GCP-Packet-Mirroring-with-OpenSource-IDS/my.rules
Resolving storage.googleapis.com (storage.googleapis.com)... 142.251.2.128, 74.125.137.128, 142.250.101.128, ...
Connecting to storage.googleapis.com (storage.googleapis.com)|142.251.2.128|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 422 [application/octet-stream]
Saving to: ‘my.rules’

my.rules                    100%[==========================================>]     422  --.-KB/s    in 0s      

2023-08-05 22:09:05 (49.1 MB/s) - ‘my.rules’ saved [422/422]


student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo mkdir /etc/suricata/poc-rules

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo cp my.rules /etc/suricata/poc-rules/my.rules

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo cp suricata.yaml /etc/suricata/suricata.yaml

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo systemctl start suricata

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo systemctl restart suricata

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ cat /etc/suricata/poc-rules/my.rules

####RULES#####
#UDP ALERTS
alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"BAD UDP DNS REQUEST"; sid:99996; rev:1;)

#HTTP ALERTS
alert http any any -> $HOME_NET 80 (msg:"BAD HTTP PHP REQUEST"; http.uri; content:"index.php"; sid:99997; rev:1;)

#ICMP ALERTS
alert icmp any any -> $HOME_NET any (msg:"BAD ICMP"; sid:99998; rev:1;)

#TCP ALERTS
alert tcp $HOME_NET any -> any 6667 (msg:"BAD TCP 6667 REQUEST"; sid:99999; rev:1;)
 

student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ sudo tcpdump -i ens4 -nn -n "(icmp or port 80) and net 172.21.0.0/24"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens4, link-type EN10MB (Ethernet), capture size 262144 bytes
22:13:25.844115 IP 35.230.28.46 > 172.21.0.3: ICMP echo request, id 65442, seq 1, length 64
22:13:25.845292 IP 172.21.0.3 > 35.230.28.46: ICMP echo reply, id 65442, seq 1, length 64
22:13:26.845271 IP 35.230.28.46 > 172.21.0.3: ICMP echo request, id 65442, seq 2, length 64
22:13:26.845374 IP 172.21.0.3 > 35.230.28.46: ICMP echo reply, id 65442, seq 2, length 64
22:13:27.846825 IP 35.230.28.46 > 172.21.0.3: ICMP echo request, id 65442, seq 3, length 64
22:13:27.846917 IP 172.21.0.3 > 35.230.28.46: ICMP echo reply, id 65442, seq 3, length 64
22:13:28.848784 IP 35.230.28.46 > 172.21.0.3: ICMP echo request, id 65442, seq 4, length 64
22:13:28.848899 IP 172.21.0.3 > 35.230.28.46: ICMP echo reply, id 65442, seq 4, length 64
22:13:43.538816 IP 35.230.28.46 > 172.21.0.2: ICMP echo request, id 296, seq 1, length 64
22:13:43.540182 IP 172.21.0.2 > 35.230.28.46: ICMP echo reply, id 296, seq 1, length 64
22:13:44.539496 IP 35.230.28.46 > 172.21.0.2: ICMP echo request, id 296, seq 2, length 64
22:13:44.539648 IP 172.21.0.2 > 35.230.28.46: ICMP echo reply, id 296, seq 2, length 64
22:13:45.541106 IP 35.230.28.46 > 172.21.0.2: ICMP echo request, id 296, seq 3, length 64
22:13:45.541236 IP 172.21.0.2 > 35.230.28.46: ICMP echo reply, id 296, seq 3, length 64
22:13:46.542448 IP 35.230.28.46 > 172.21.0.2: ICMP echo request, id 296, seq 4, length 64
22:13:46.542565 IP 172.21.0.2 > 35.230.28.46: ICMP echo reply, id 296, seq 4, length 64
22:14:13.612270 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [S], seq 177583878, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 17006898 ecr 0], length 0
22:14:13.613553 IP 172.21.0.3.80 > 136.226.79.33.29119: Flags [S.], seq 3771805674, ack 177583879, win 64768, options [mss 1420,sackOK,TS val 1341901328 ecr 17006898,nop,wscale 7], length 0
22:14:13.629772 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [.], ack 1, win 2068, options [nop,nop,TS val 17006901 ecr 1341901328], length 0
22:14:13.629802 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [P.], seq 1:470, ack 1, win 2068, options [nop,nop,TS val 17006901 ecr 1341901328], length 469: HTTP: GET / HTTP/1.1
22:14:13.629890 IP 172.21.0.3.80 > 136.226.79.33.29119: Flags [.], ack 470, win 503, options [nop,nop,TS val 1341901345 ecr 17006901], length 0
22:14:13.630326 IP 172.21.0.3.80 > 136.226.79.33.29119: Flags [P.], seq 1:335, ack 470, win 503, options [nop,nop,TS val 1341901346 ecr 17006901], length 334: HTTP: HTTP/1.1 200 OK
22:14:13.731802 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [.], ack 335, win 2068, options [nop,nop,TS val 17006913 ecr 1341901346], length 0
22:14:13.927417 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [P.], seq 470:882, ack 335, win 2068, options [nop,nop,TS val 17006934 ecr 1341901346], length 412: HTTP: GET /favicon.ico HTTP/1.1
22:14:13.927735 IP 172.21.0.3.80 > 136.226.79.33.29119: Flags [P.], seq 335:827, ack 882, win 501, options [nop,nop,TS val 1341901643 ecr 17006934], length 492: HTTP: HTTP/1.1 404 Not Found
22:14:14.028150 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [.], ack 827, win 2068, options [nop,nop,TS val 17006946 ecr 1341901643], length 0
22:14:14.439507 IP 64.227.150.86.55489 > 172.21.0.2.80: Flags [S], seq 2437880717, win 65535, length 0
22:14:14.441258 IP 172.21.0.2.80 > 64.227.150.86.55489: Flags [S.], seq 235362896, ack 2437880718, win 65320, options [mss 1420], length 0
22:14:14.642951 IP 64.227.150.86.55489 > 172.21.0.2.80: Flags [R], seq 2437880718, win 0, length 0
22:14:18.834628 IP 172.21.0.3.80 > 136.226.79.33.29119: Flags [F.], seq 827, ack 882, win 501, options [nop,nop,TS val 1341906549 ecr 17006946], length 0
22:14:18.850822 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [.], ack 828, win 2068, options [nop,nop,TS val 17007481 ecr 1341906549], length 0
22:14:18.850834 IP 136.226.79.33.29119 > 172.21.0.3.80: Flags [R.], seq 882, ack 828, win 2068, options [nop,nop,TS val 17007481 ecr 1341906549], length 0
22:14:30.471656 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [S], seq 2919054858, win 65535, options [mss 1460,nop,wscale 5,sackOK,TS val 17008772 ecr 0], length 0
22:14:30.473083 IP 172.21.0.2.80 > 136.226.79.33.31101: Flags [S.], seq 2504697951, ack 2919054859, win 64768, options [mss 1420,sackOK,TS val 1834532093 ecr 17008772,nop,wscale 7], length 0
22:14:30.488585 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [.], ack 1, win 2068, options [nop,nop,TS val 17008774 ecr 1834532093], length 0
22:14:30.488591 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [P.], seq 1:469, ack 1, win 2068, options [nop,nop,TS val 17008774 ecr 1834532093], length 468: HTTP: GET / HTTP/1.1
22:14:30.488710 IP 172.21.0.2.80 > 136.226.79.33.31101: Flags [.], ack 469, win 503, options [nop,nop,TS val 1834532110 ecr 17008774], length 0
22:14:30.489427 IP 172.21.0.2.80 > 136.226.79.33.31101: Flags [P.], seq 1:335, ack 469, win 503, options [nop,nop,TS val 1834532110 ecr 17008774], length 334: HTTP: HTTP/1.1 200 OK
22:14:30.588957 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [.], ack 335, win 2068, options [nop,nop,TS val 17008786 ecr 1834532110], length 0
22:14:30.804022 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [P.], seq 469:879, ack 335, win 2068, options [nop,nop,TS val 17008809 ecr 1834532110], length 410: HTTP: GET /favicon.ico HTTP/1.1
22:14:30.804431 IP 172.21.0.2.80 > 136.226.79.33.31101: Flags [P.], seq 335:826, ack 879, win 501, options [nop,nop,TS val 1834532425 ecr 17008809], length 491: HTTP: HTTP/1.1 404 Not Found
22:14:30.903743 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [.], ack 826, win 2068, options [nop,nop,TS val 17008821 ecr 1834532425], length 0
22:14:35.713172 IP 172.21.0.2.80 > 136.226.79.33.31101: Flags [F.], seq 826, ack 879, win 501, options [nop,nop,TS val 1834537334 ecr 17008821], length 0
22:14:35.728581 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [.], ack 827, win 2068, options [nop,nop,TS val 17009357 ecr 1834537334], length 0
22:14:35.728590 IP 136.226.79.33.31101 > 172.21.0.2.80: Flags [R.], seq 879, ack 827, win 2068, options [nop,nop,TS val 17009357 ecr 1834537334], length 0


^C
45 packets captured
45 packets received by filter
0 packets dropped by kernel














GENERATE LOG

student-04-6d7b0b6748d9@mig-dm-stamford-web-uswest4-6hsd:~$ dig @8.8.8.8 example.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42717
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            5421    IN      A       93.184.216.34

;; Query time: 7 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 05 22:22:48 UTC 2023
;; MSG SIZE  rcvd: 56

student-04-6d7b0b6748d9@mig-dm-stamford-web-uswest4-6hsd:~$ telnet 100.64.1.1 6667
Trying 100.64.1.1...




^C
student-04-6d7b0b6748d9@mig-dm-stamford-web-uswest4-6hsd:~$ ping -c 3 34.125.170.248
PING 34.125.170.248 (34.125.170.248) 56(84) bytes of data.
64 bytes from 34.125.170.248: icmp_seq=1 ttl=61 time=1.91 ms
64 bytes from 34.125.170.248: icmp_seq=2 ttl=61 time=0.360 ms
64 bytes from 34.125.170.248: icmp_seq=3 ttl=61 time=0.379 ms

--- 34.125.170.248 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.360/0.886/1.919/0.730 ms
student-04-6d7b0b6748d9@mig-dm-stamford-web-uswest4-6hsd:~$ 



LOG in SURICATA:




student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "BAD UDP DNS" /var/log/suricata/eve.json
@GCP: {"timestamp":"2023-08-05T22:22:48.698673+0000","flow_id":1651899379525937,"in_iface":"ens4","event_type":"alert","src_ip":"172.21.0.3","src_port":52318,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":99996,"rev":1,"signature":"BAD UDP DNS REQUEST","category":"","severity":3},"dns":{"query":[{"type":"query","id":42717,"rrname":"example.com","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":82,"bytes_toclient":0,"start":"2023-08-05T22:22:48.698673+0000"}}
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ date
Sat Aug  5 22:23:10 UTC 2023
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "BAD TCP" /var/log/suricata/eve.json
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "BAD" /var/log/suricata/eve.json
@GCP: {"timestamp":"2023-08-05T22:13:25.844115+0000","flow_id":1096727574995283,"in_iface":"ens4","event_type":"alert","src_ip":"35.230.28.46","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2023-08-05T22:13:25.844115+0000"}}
@GCP: {"timestamp":"2023-08-05T22:13:43.538816+0000","flow_id":778801211979968,"in_iface":"ens4","event_type":"alert","src_ip":"35.230.28.46","src_port":0,"dest_ip":"172.21.0.2","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2023-08-05T22:13:43.538816+0000"}}
@GCP: {"timestamp":"2023-08-05T22:16:32.406987+0000","flow_id":1852762090386891,"in_iface":"ens4","event_type":"alert","src_ip":"185.234.213.135","src_port":0,"dest_ip":"172.21.0.2","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:16:32.406987+0000"}}
@GCP: {"timestamp":"2023-08-05T22:16:46.871117+0000","flow_id":1322578443389645,"in_iface":"ens4","event_type":"alert","src_ip":"185.234.213.135","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:16:46.871117+0000"}}
@GCP: {"timestamp":"2023-08-05T22:17:38.543815+0000","flow_id":1597984634719303,"in_iface":"ens4","event_type":"alert","src_ip":"123.184.59.70","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:17:38.543815+0000"}}
@GCP: {"timestamp":"2023-08-05T22:17:40.163398+0000","flow_id":1638417456987718,"in_iface":"ens4","event_type":"alert","src_ip":"123.184.59.70","src_port":0,"dest_ip":"172.21.0.2","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:17:40.163398+0000"}}
@GCP: {"timestamp":"2023-08-05T22:20:52.873300+0000","flow_id":1247034279744340,"in_iface":"ens4","event_type":"alert","src_ip":"195.123.211.81","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":50,"bytes_toclient":0,"start":"2023-08-05T22:20:52.873300+0000"}}
@GCP: {"timestamp":"2023-08-05T22:22:48.698673+0000","flow_id":1651899379525937,"in_iface":"ens4","event_type":"alert","src_ip":"172.21.0.3","src_port":52318,"dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":99996,"rev":1,"signature":"BAD UDP DNS REQUEST","category":"","severity":3},"dns":{"query":[{"type":"query","id":42717,"rrname":"example.com","rrtype":"A","tx_id":0}]},"app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":82,"bytes_toclient":0,"start":"2023-08-05T22:22:48.698673+0000"}}
@GCP: {"timestamp":"2023-08-05T22:26:01.289420+0000","flow_id":796466460846732,"in_iface":"ens4","event_type":"alert","src_ip":"34.125.170.248","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2023-08-05T22:26:01.289420+0000"}}
@GCP: {"timestamp":"2023-08-05T22:26:01.289502+0000","flow_id":796466460846505,"in_iface":"ens4","event_type":"alert","src_ip":"34.125.170.248","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":196,"bytes_toclient":98,"start":"2023-08-05T22:26:01.289193+0000"}}
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "BAD ICMP" /var/log/suricata/eve.json
@GCP: {"timestamp":"2023-08-05T22:13:25.844115+0000","flow_id":1096727574995283,"in_iface":"ens4","event_type":"alert","src_ip":"35.230.28.46","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2023-08-05T22:13:25.844115+0000"}}
@GCP: {"timestamp":"2023-08-05T22:13:43.538816+0000","flow_id":778801211979968,"in_iface":"ens4","event_type":"alert","src_ip":"35.230.28.46","src_port":0,"dest_ip":"172.21.0.2","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2023-08-05T22:13:43.538816+0000"}}
@GCP: {"timestamp":"2023-08-05T22:16:32.406987+0000","flow_id":1852762090386891,"in_iface":"ens4","event_type":"alert","src_ip":"185.234.213.135","src_port":0,"dest_ip":"172.21.0.2","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:16:32.406987+0000"}}
@GCP: {"timestamp":"2023-08-05T22:16:46.871117+0000","flow_id":1322578443389645,"in_iface":"ens4","event_type":"alert","src_ip":"185.234.213.135","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:16:46.871117+0000"}}
@GCP: {"timestamp":"2023-08-05T22:17:38.543815+0000","flow_id":1597984634719303,"in_iface":"ens4","event_type":"alert","src_ip":"123.184.59.70","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:17:38.543815+0000"}}
@GCP: {"timestamp":"2023-08-05T22:17:40.163398+0000","flow_id":1638417456987718,"in_iface":"ens4","event_type":"alert","src_ip":"123.184.59.70","src_port":0,"dest_ip":"172.21.0.2","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":48,"bytes_toclient":0,"start":"2023-08-05T22:17:40.163398+0000"}}
@GCP: {"timestamp":"2023-08-05T22:20:52.873300+0000","flow_id":1247034279744340,"in_iface":"ens4","event_type":"alert","src_ip":"195.123.211.81","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":50,"bytes_toclient":0,"start":"2023-08-05T22:20:52.873300+0000"}}
@GCP: {"timestamp":"2023-08-05T22:26:01.289420+0000","flow_id":796466460846732,"in_iface":"ens4","event_type":"alert","src_ip":"34.125.170.248","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":98,"bytes_toclient":0,"start":"2023-08-05T22:26:01.289420+0000"}}
@GCP: {"timestamp":"2023-08-05T22:26:01.289502+0000","flow_id":796466460846505,"in_iface":"ens4","event_type":"alert","src_ip":"34.125.170.248","src_port":0,"dest_ip":"172.21.0.3","dest_port":0,"proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":99998,"rev":1,"signature":"BAD ICMP","category":"","severity":3},"flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":196,"bytes_toclient":98,"start":"2023-08-05T22:26:01.289193+0000"}}
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "TCP" /var/log/suricata/eve.json
@GCP: {"timestamp":"2023-08-05T22:20:16.794615+0000","flow_id":2103081389051793,"in_iface":"ens4","event_type":"anomaly","src_ip":"66.240.192.82","src_port":33844,"dest_ip":"172.21.0.3","dest_port":80,"proto":"TCP","anomaly":{"app_proto":"tls","type":"applayer","event":"APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS","layer":"proto_detect"}}
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "BAD HTTP" /var/log/suricata/eve.json
@GCP: {"timestamp":"2023-08-05T22:27:20.133109+0000","flow_id":1983990563618130,"in_iface":"ens4","event_type":"alert","src_ip":"136.226.79.33","src_port":1663,"dest_ip":"172.21.0.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":99997,"rev":1,"signature":"BAD HTTP PHP REQUEST","category":"","severity":3},"http":{"hostname":"34.125.91.185","url":"/index.php","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","xff":"24.23.174.37","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":275},"app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1432,"bytes_toclient":1396,"start":"2023-08-05T22:27:20.015698+0000"}}
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "TCP" /var/log/suricata/eve.json
@GCP: {"timestamp":"2023-08-05T22:20:16.794615+0000","flow_id":2103081389051793,"in_iface":"ens4","event_type":"anomaly","src_ip":"66.240.192.82","src_port":33844,"dest_ip":"172.21.0.3","dest_port":80,"proto":"TCP","anomaly":{"app_proto":"tls","type":"applayer","event":"APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS","layer":"proto_detect"}}
@GCP: {"timestamp":"2023-08-05T22:27:20.133109+0000","flow_id":1983990563618130,"in_iface":"ens4","event_type":"alert","src_ip":"136.226.79.33","src_port":1663,"dest_ip":"172.21.0.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":99997,"rev":1,"signature":"BAD HTTP PHP REQUEST","category":"","severity":3},"http":{"hostname":"34.125.91.185","url":"/index.php","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","xff":"24.23.174.37","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":275},"app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1432,"bytes_toclient":1396,"start":"2023-08-05T22:27:20.015698+0000"}}
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "BAD TCP" /var/log/suricata/eve.json
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ egrep "TCP" /var/log/suricata/eve.json
@GCP: {"timestamp":"2023-08-05T22:20:16.794615+0000","flow_id":2103081389051793,"in_iface":"ens4","event_type":"anomaly","src_ip":"66.240.192.82","src_port":33844,"dest_ip":"172.21.0.3","dest_port":80,"proto":"TCP","anomaly":{"app_proto":"tls","type":"applayer","event":"APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS","layer":"proto_detect"}}
@GCP: {"timestamp":"2023-08-05T22:27:20.133109+0000","flow_id":1983990563618130,"in_iface":"ens4","event_type":"alert","src_ip":"136.226.79.33","src_port":1663,"dest_ip":"172.21.0.2","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":99997,"rev":1,"signature":"BAD HTTP PHP REQUEST","category":"","severity":3},"http":{"hostname":"34.125.91.185","url":"/index.php","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36","xff":"24.23.174.37","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":275},"app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1432,"bytes_toclient":1396,"start":"2023-08-05T22:27:20.015698+0000"}}
student-04-6d7b0b6748d9@mig-dm-stamford-ids-uswest4-hr0r:~$ 
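
The egrep searches above match a string anywhere in the line, so `egrep "TCP"` returns the anomaly event together with the HTTP alert. As an added example (not part of the original lab), the Python below strips the "@GCP: " prefix seen in the output and filters on the decoded fields instead. The function names are hypothetical, and the sample records are constructed with documentation-range source IPs.

```python
import json
from collections import Counter, defaultdict

PREFIX = "@GCP: "  # line prefix seen in the eve.json output on this page
# Constructed sample (documentation-range source IPs); the last line is truncated.
SAMPLE = """\
@GCP: {"timestamp":"2023-08-05T22:13:25.844115+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"172.21.0.3","proto":"ICMP","alert":{"signature_id":99998,"signature":"BAD ICMP","severity":3}}
@GCP: {"timestamp":"2023-08-05T22:13:43.538816+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"172.21.0.2","proto":"ICMP","alert":{"signature_id":99998,"signature":"BAD ICMP","severity":3}}
@GCP: {"timestamp":"2023-08-05T22:16:32.406987+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"172.21.0.2","proto":"ICMP","alert":{"signature_id":99998,"signature":"BAD ICMP","severity":3}}
@GCP: {"timestamp":"2023-08-05T22:20:16.794615+0000","event_type":"anomaly","src_ip":"198.51.100.20","dest_ip":"172.21.0.3","dest_port":80,"proto":"TCP","anomaly":{"type":"applayer","event":"APPLAYER_MISMATCH_PROTOCOL_BOTH_DIRECTIONS"}}
@GCP: {"timestamp":"2023-08-05T22:27:20.133109+0000","event_type":"alert","src_ip":"192.0.2.33","dest_ip":"172.21.0.2","dest_port":80,"proto":"TCP","alert":{"signature_id":99997,"signature":"BAD HTTP PHP REQUEST","severity":3},"http":{"url":"/index.php","status":404}}
@GCP: {"timestamp":"2023-08-05T22:30:00.000000+0000","event_type":"al
"""

def parse_eve(lines, prefix=PREFIX):
    """Return (events, bad): decoded records and the count of unparseable lines."""
    events, bad = [], 0
    for line in lines:
        line = line.strip()
        if line.startswith(prefix):
            line = line[len(prefix):]
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # e.g. a record cut off mid-write
    return events, bad

def alerts_by_signature(events, proto=None):
    """Count alert events per (signature_id, signature), optionally for one protocol."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") == "alert" and proto in (None, ev.get("proto")):
            alert = ev.get("alert", {})
            counts[(alert.get("signature_id"), alert.get("signature"))] += 1
    return counts

def sources_for(events, signature_id):
    """Map each source IP to the destinations it hit with the given rule."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("alert", {}).get("signature_id") == signature_id:
            hits[ev.get("src_ip")].add(ev.get("dest_ip"))
    return dict(hits)

if __name__ == "__main__":
    events, bad = parse_eve(SAMPLE.splitlines())
    print(alerts_by_signature(events, proto="TCP"), sources_for(events, 99998), bad)
```

To run it against the collector's log, pass `open("/var/log/suricata/eve.json")` to `parse_eve` in place of the sample lines.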




