Project

General

Profile

Actions
Copy link

Task #7382

closed

Monitoring at a different level (BPF/Suricata/Cilium)

Added by Philipp Buehler almost 5 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philipp Buehler
Start date:
11/29/2019
Due date:
% Done:

0%

Estimated time:
PM Check date:

Description

Traditional pull based monitoring (nagios et al) is DEAD>
Push based (partly Prometheus, Riemann) is cooler.

But it's still somewhat superficial requests.. how about
monitoring directly "from the wire".

Reasearch on gathering data on an app-level without
app-internal instrumentation (eg. haproxy/suricata).

Actions
Copy link
 #2

Updated by Philipp Buehler almost 5 years ago

The idea is to tproxy chain haproxy traffic and let suricata "inspect" the traffic.
Pull the eve.json output into ELG or so.

haproxy:
listen inbound
bind public-ip:80
server moni 172.23.42.1:80 send-proxy # lives on a loopback if (e.g. lo1)
frontend monitor-in
bind 172.23.42.1:80 accept-proxy name monitor-in

suricata makes traffic analysis on lo1

Actions
Copy link
 #3

Updated by Philipp Buehler almost 5 years ago

  • Status changed from New to Waiting

Time ran out, VM too slow to install all necessary toolchain

Actions
Copy link
 #4

Updated by Nico Schottelius 11 months ago

  • Status changed from Waiting to Closed
Actions
Copy link

Also available in: Atom PDF