Work with open-source tools for traffic mirroring
You can use open-source tools to monitor network traffic from Amazon EC2 instances. The following tools work with Traffic Mirroring:
- Zeek — For more information, see the Zeek website.
- Suricata — For more information, see the Suricata website.
These open-source tools support VXLAN decapsulation, and they can be used at scale to monitor VPC traffic. For information about how Zeek handles VXLAN support and to download the code, see Zeek vxlan.
The following example uses the Suricata open-source tool. You can follow similar steps for Zeek.
Consider the scenario where you want to mirror inbound TCP traffic on an instance and send the traffic to an instance that has the Suricata software installed. You need the following traffic mirror entities for this example:
- An EC2 instance with the Suricata software installed on it
- A traffic mirror target for the EC2 instance (Target A)
- A traffic mirror filter with a traffic mirror rule for the TCP inbound traffic (Filter rule 1)
- A traffic mirror session that has the following:
  - A traffic mirror source
  - A traffic mirror target for the appliance
  - A traffic mirror filter with a traffic mirror rule for the TCP inbound traffic
Step 1: Install the Suricata software on the EC2 instance target
Launch an EC2 instance, and then install the Suricata software on it by using the following commands.
```bash
# Become sudo
sudo -s

# Install epel-release
amazon-linux-extras install -y epel

# Install suricata
yum install -y suricata

# Create the default suricata rules directory
mkdir /var/lib/suricata/rules

# Add a rule to match all UDP traffic
echo 'alert udp any any -> any any (msg:"UDP traffic detected"; sid:200001; rev:1;)' > /var/lib/suricata/rules/suricata.rules

# Start suricata listening on eth0 in daemon mode
suricata -c /etc/suricata/suricata.yaml -k none -i eth0 -D

# Capture logs can be found in /var/log/suricata/fast.log
```
Step 2: Create a traffic mirror target
Create a traffic mirror target (Target A) for the EC2 instance. Depending on your configuration, the target is one of the following types:
- The network interface of the monitoring appliance
- The Network Load Balancer when the appliance is deployed behind one
- The Gateway Load Balancer endpoint when the appliance is deployed behind a Gateway Load Balancer
For more information, see Create or delete a traffic mirror target.
Step 3: Create a traffic mirror filter
Create a traffic mirror filter (Filter 1) with the following inbound rule. For more information, see Create, modify, or delete a traffic mirror filter.
| Option | Value |
|---|---|
| Rule action | Accept |
| Protocol | TCP |
| Source port range | |
| Destination port range | |
| Source CIDR block | 0.0.0.0/0 |
| Destination CIDR block | 0.0.0.0/0 |
| Description | TCP Rule |
Step 4: Create a traffic mirror session
Create and configure a traffic mirror session with the following options. For more information, see Create, modify, or delete a traffic mirror session.
| Option | Value |
|---|---|
| Mirror source | The network interface of the instance that you want to monitor. |
| Mirror target | Target A |
| Filter | Filter 1 |
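The following is an added example, not code from this documentation, from Zeek, or from Suricata. It shows the two things the page relies on the monitoring tool to do: strip the VXLAN encapsulation that Traffic Mirroring wraps around each mirrored packet (the decapsulation mentioned at the top of the page), and evaluate the inner packet against Filter 1 from Step 3 (inbound, accept, TCP, any source and destination). The VXLAN header layout (8 bytes: flags, 3 reserved, 24-bit VNI, 1 reserved) follows RFC 7348; the sample packets are constructed inline; treating blank port ranges as "all ports" is an assumption of this example, as is the first-matching-rule evaluation order. Nothing here talks to AWS, so it runs offline.

```python
from __future__ import annotations

import ipaddress
import struct

# VXLAN header (RFC 7348): flags(1) reserved(3) VNI(3) reserved(1) = 8 bytes.
VXLAN_HEADER_LEN = 8
VXLAN_FLAG_VNI_VALID = 0x08
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def decapsulate_vxlan(udp_payload: bytes) -> tuple[int, bytes]:
    """Strip the VXLAN header from a UDP payload; return (VNI, inner Ethernet frame)."""
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise ValueError("payload shorter than a VXLAN header")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set: no valid VNI")
    vni = int.from_bytes(udp_payload[4:7], "big")
    return vni, udp_payload[VXLAN_HEADER_LEN:]


def parse_inner_ipv4(frame: bytes) -> dict:
    """Parse the inner Ethernet/IPv4 header and, for TCP/UDP, the port pair."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 inner packet")
    ihl = (ip[0] & 0x0F) * 4
    info = {"proto": ip[9], "src": ipaddress.IPv4Address(ip[12:16]),
            "dst": ipaddress.IPv4Address(ip[16:20]), "sport": None, "dport": None}
    l4 = ip[ihl:]
    if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


# Filter 1 from Step 3: inbound, accept, TCP, 0.0.0.0/0 -> 0.0.0.0/0. Port ranges are
# blank on the page; None is treated here as "all ports" (an assumption of this example).
FILTER_1 = [{
    "direction": "ingress", "action": "accept", "proto": IPPROTO_TCP,
    "sport": None, "dport": None,
    "src_cidr": ipaddress.ip_network("0.0.0.0/0"),
    "dst_cidr": ipaddress.ip_network("0.0.0.0/0"),
}]


def _port_in_range(port, rng) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def filter_accepts(rules: list, pkt: dict, direction: str) -> bool:
    """First rule matching the packet in this direction decides; no match = not mirrored."""
    for rule in rules:
        if rule["direction"] != direction or rule["proto"] not in (None, pkt["proto"]):
            continue
        if pkt["src"] not in rule["src_cidr"] or pkt["dst"] not in rule["dst_cidr"]:
            continue
        if not (_port_in_range(pkt["sport"], rule["sport"])
                and _port_in_range(pkt["dport"], rule["dport"])):
            continue
        return rule["action"] == "accept"
    return False


def build_ipv4_frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the sample (checksums left zero)."""
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:   # 20-byte TCP header carrying a bare SYN
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0xFFFF, 0, 0)
    else:                      # 8-byte UDP header, no payload
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


def encapsulate_vxlan(vni: int, frame: bytes) -> bytes:
    """Wrap a frame the way it arrives at the target: 8-byte VXLAN header + inner frame."""
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + frame


def mirrored_traffic_report(udp_payloads: list, direction: str = "ingress") -> list:
    """For each VXLAN payload return (vni, proto, src, dst, dport, accepted_by_filter_1)."""
    report = []
    for payload in udp_payloads:
        vni, inner = decapsulate_vxlan(payload)
        pkt = parse_inner_ipv4(inner)
        report.append((vni, pkt["proto"], str(pkt["src"]), str(pkt["dst"]), pkt["dport"],
                       filter_accepts(FILTER_1, pkt, direction)))
    return report


if __name__ == "__main__":
    # Constructed sample: a TCP SYN to port 443 and a DNS query, both mirrored on VNI 1234.
    samples = [
        encapsulate_vxlan(1234, build_ipv4_frame("198.51.100.10", "10.0.0.5", IPPROTO_TCP, 40000, 443)),
        encapsulate_vxlan(1234, build_ipv4_frame("10.0.0.5", "10.0.0.2", IPPROTO_UDP, 5353, 53)),
    ]
    for row in mirrored_traffic_report(samples):
        print(row)
```

The report shows why the Step 3 filter matters for capacity planning on the appliance: only the TCP packet is accepted by Filter 1, while the DNS query is dropped before it reaches the sensor. The VNI recovered from the header is what lets a single Suricata or Zeek instance tell apart packets from several mirror sessions arriving on the same interface.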