CloudLens with Suricata IDS example

  1. Solution Overview
  2. Solution Architecture
  3. Licenses and Costs
  4. Prerequisites
  5. Deployment Steps
  6. Support

Solution Overview

This Quick Start deployment guide provides step-by-step instructions for deploying Suricata and CloudLens in the Azure Cloud.

This Quick Start is for users who need to identify malicious activity, insider threats and data leakage within their Azure VMs by mirroring VM traffic to a Suricata IDS.

Solution Architecture

This template will deploy:

  • Two storage accounts
  • One Virtual Network
  • Two public IPs, one for the tapping VM and one for the Suricata IDS VM
  • Two UbuntuServer 16.04.0-LTS VMs

Deployment Solution Architecture

Licenses and Costs

You are responsible for the cost of the Azure services used while running this Quick Start deployment. There is no additional cost for using the Quick Start.

The Azure template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as VM size, will affect the cost of deployment. For cost estimates, see the pricing pages for each Azure service you will be using. Prices are subject to change.

CloudLens will be configured to use a free trial account; the user can convert it to a paid account at any time.

Prerequisites

An Azure subscription with permission to create VMs, networking and storage resources.

Deployment Steps

Step 1. Prepare Your CloudLens Account

  1. Create a CloudLens free trial account at https://ixia.cloud/free-trial?isQuickstart=true by following the on-screen instructions.
  2. Activate your free trial account by visiting the link provided in the email.
  3. Log in to CloudLens. A project will be automatically created for you with all the required infrastructure: one group for source instances, one group for tool instances, and a connection between the two groups. The groups are automatically configured with filters that match the agents that will be started later by the Quick Start template.
  4. Select the project by clicking the tile named “QUICKSTART_PROJECT”.
  5. On the project page click on SHOW PROJECT KEY to display the project key and copy it, since you will need it to deploy the template.

Step 2. Launch the Quick Start

Create your CloudLens environment on Azure in a few simple steps:

  • Launch the template by clicking the 'Deploy to Azure' button.
  • Fill in all the required parameter values. Accept the terms and conditions and click on 'Purchase'.

Step 3. Play with the environment

After the deployment is ready (~ 6 minutes):

  • Check the CloudLens portal to see that the agents have connected and are part of the two groups (it should say '1 instance' under each group).
  • Log in to the Suricata web UI at https://{suricata-vm-ip} with the default credentials scirius/scirius. These are default credentials on a UI reachable through the VM's public IP, so change the password after the first login and restrict the inbound rule in the network security group to your own address. If you get a 502 Bad Gateway error, Suricata is still installing; wait a few minutes and retry.
  • Check the alerts in the web UI.
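As an added example (not part of this Quick Start or of the CloudLens or Suricata projects): the alerts shown in the web UI are also written by Suricata as newline-delimited EVE JSON, which the script below triages so you can check them from the Suricata VM or from a copied log without the UI. The path /var/log/suricata/eve.json is the Suricata default and is assumed here for this deployment; the sample log lines, IP addresses and timestamps are constructed for the demonstration and are not sensor output. The example also handles the two things that trip up naive parsing of a live eve.json: a truncated or corrupted line, and the non-alert event types (flow, dns, http, ...) that share the file.

```python
"""Triage Suricata EVE JSON alerts written by a mirrored-traffic sensor.

Usage on the Suricata VM (path assumed, Suricata's default):
    python3 eve_triage.py /var/log/suricata/eve.json
With no argument the constructed SAMPLE_EVE below is used.
"""
import json
import sys
from collections import Counter

# Constructed sample of eve.json lines (not real sensor output). IPs and
# timestamps are illustrative. Line 3 is deliberately malformed and line 4
# is a non-alert event, to exercise the skip paths below.
SAMPLE_EVE = """\
{"timestamp":"2019-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.4","dest_ip":"10.0.0.5","proto":"TCP","dest_port":22,"alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2019-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.4","dest_ip":"10.0.0.5","proto":"TCP","dest_port":22,"alert":{"signature_id":2001219,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
this line is not json
{"timestamp":"2019-05-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.4","proto":"TCP"}
{"timestamp":"2019-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","proto":"TCP","dest_port":80,"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
"""


def parse_alerts(eve_text):
    """Return alert records from newline-delimited EVE JSON text.

    Malformed lines and events whose event_type is not "alert" are skipped
    rather than aborting the run, because a live eve.json is appended to
    while it is read and mixes many event types in one file.
    """
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated/corrupt line: keep going
        if event.get("event_type") != "alert":
            continue
        alert = event.get("alert", {})
        alerts.append({
            "ts": event.get("timestamp"),
            "src_ip": event.get("src_ip"),
            "dest_ip": event.get("dest_ip"),
            "dest_port": event.get("dest_port"),
            "sid": alert.get("signature_id"),
            "signature": alert.get("signature"),
            # Suricata severity: 1 is most severe; treat missing as lowest.
            "severity": alert.get("severity", 3),
        })
    return alerts


def summarize(alerts):
    """Group alerts by signature ID: count, worst severity, distinct sources."""
    by_sid = {}
    for a in alerts:
        entry = by_sid.setdefault(a["sid"], {
            "signature": a["signature"],
            "count": 0,
            "severity": a["severity"],
            "sources": set(),
        })
        entry["count"] += 1
        entry["severity"] = min(entry["severity"], a["severity"])
        entry["sources"].add(a["src_ip"])
    return by_sid


def top_sources(alerts, n=5):
    """Most frequent alerting source IPs, as (ip, count) pairs."""
    return Counter(a["src_ip"] for a in alerts).most_common(n)


def high_severity(alerts, threshold=1):
    """Alerts at or above the given severity (1 = highest)."""
    return [a for a in alerts if a["severity"] <= threshold]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EVE
    found = parse_alerts(text)
    print(f"{len(found)} alert(s)")
    for sid, info in sorted(summarize(found).items(), key=lambda kv: kv[1]["severity"]):
        print(f"sev {info['severity']}  x{info['count']:<4} sid {sid}  {info['signature']}  "
              f"from {', '.join(sorted(info['sources']))}")
    print("top sources:", top_sources(found))
    print("high severity:", [(a['ts'], a['src_ip'], a['signature']) for a in high_severity(found)])
```

Sorting the summary by severity puts the rules that need a look first; the distinct-source set is what separates one noisy scanner from a signature firing across many hosts, which on a tapped VM is the quicker signal of something spreading.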

Support

For any support related questions, issues or customization requirements, please contact cloudlens@keysight.com.

https://www.ixiacom.com/products/cloudlens-public

Tags: Microsoft.Storage/storageAccounts, Microsoft.Network/publicIPAddresses, Microsoft.Network/networkSecurityGroups, Microsoft.Network/virtualNetworks, Microsoft.Network/networkInterfaces, Microsoft.Compute/virtualMachines, Microsoft.Compute/virtualMachines/extensions, CustomScript