by yabones 1486 days ago
I've set up Suricata (similar to snort in many ways) on AWS, and it was a pretty horrible process.

Basically what you need to do is set up VPC-Mirroring on every single interface in that VPC and send all the traffic to an endpoint attached to your snort server.

https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-tra...

It's a ton of work, and is quite expensive, since you're paying per interface + per traffic.

A better way to handle it (imo) is to just enable VPC flow logging and pull the cloudwatch stream into your SIEM. Suricata/snort isn't that useful for threat detection anymore (thanks to HTTPS), so the important data to capture is just firewall logs.

You can still have suricata/snort, but you have to be more selective with it.
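A small detection over VPC flow log records, added here as an example (it is not the commenter's code): it parses the default flow-log format and flags sources whose REJECTed flows touch many distinct ports on one host, the kind of firewall-log signal the comment above says is worth shipping to a SIEM. The sample records, account id and the port threshold are constructed.

```python
from collections import defaultdict

# Field order of a default-format (version 2) VPC flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (private addresses, fake account id), not real data.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 44122 22 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.9.77 10.0.2.10 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.9.77 10.0.2.10 51001 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.9.77 10.0.2.10 51002 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.9.77 10.0.2.10 51003 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.9.77 10.0.2.10 51004 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 44123 443 6 3 220 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; skip NODATA/SKIPDATA lines (fields are '-')."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom format: ignore rather than crash
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no numeric fields to convert on NODATA/SKIPDATA records
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_port_sweeps(records, min_ports=5):
    """Return {"src->dst": sorted dst ports} for sources whose REJECTed flows
    hit at least min_ports distinct destination ports on one destination host."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {f"{src}->{dst}": sorted(p)
            for (src, dst), p in ports.items() if len(p) >= min_ports}
```

The threshold is deliberately low for the sample; in practice tune it per interface and window, and feed the same function records pulled from the CloudWatch log group rather than the embedded string.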


> A better way to handle it (imo) is to just enable VPC flow logging and pull the cloudwatch stream into your SIEM

Thank you. Any recommendations for SIEM for a small company?

I'd say just spin up a SecurityOnion stack. It's essentially a "SOC-in-a-box". I had a proof of concept machine spun up and generating alerts off of replayed PCAPs in a day.
Check out managed instances like Azure Sentinel.