articles/network-watcher/network-watcher-intrusion-detection-open-source-tools.md
Lines changed: 21 additions & 34 deletions
@@ -1,37 +1,34 @@
1
1
---
2
-
title: Perform network intrusion detection with open source tools
2
+
title: Perform network intrusion detection using open source tools
3
3
titleSuffix: Azure Network Watcher
4
-
description: This article describes how to use Azure Network Watcher and open source tools to perform network intrusion detection
4
+
description: Learn how to use Azure Network Watcher and open source tools to perform network intrusion detection.
5
5
services: network-watcher
6
+
ms.author: halkazwini
6
7
author: halkazwini
7
-
ms.assetid: 0f043f08-19e1-4125-98b0-3e335ba69681
8
8
ms.service: network-watcher
9
9
ms.topic: how-to
10
-
ms.workload: infrastructure-services
11
-
ms.date: 09/15/2022
12
-
ms.author: halkazwini
13
-
ms.custom: engagement-fy23
10
+
ms.date: 09/29/2023
14
11
---
15
12
16
-
# Perform network intrusion detection with Network Watcher and open source tools
13
+
# Perform network intrusion detection using Azure Network Watcher and open source tools
17
14
18
-
Packet captures are a key component for implementing network intrusion detection systems (IDS) and performing Network Security Monitoring (NSM). There are several open source IDS tools that process packet captures and look for signatures of possible network intrusions and malicious activity. Using the packet captures provided by Network Watcher, you can analyze your network for any harmful intrusions or vulnerabilities.
15
+
Packet captures are a key component for implementing network intrusion detection systems (IDS) and performing network security monitoring (NSM). There are several open source IDS tools that process packet captures and look for signatures of possible network intrusions and malicious activity. Using the packet captures provided by Azure Network Watcher, you can analyze your network for any harmful intrusions or vulnerabilities.
19
16
20
-
One such open source tool is Suricata, an IDS engine that uses rulesets to monitor network traffic and triggers alerts whenever suspicious events occur. Suricata offers a multi-threaded engine, meaning it can perform network traffic analysis with increased speed and efficiency. For more details about Suricata and its capabilities, visit their website at https://suricata.io/.
17
+
One such open source tool is Suricata, an IDS engine that uses rulesets to monitor network traffic and triggers alerts whenever suspicious events occur. Suricata offers a multi-threaded engine to perform network traffic analysis with increased speed and efficiency. For more details about Suricata and its capabilities, visit their website at https://suricata.io/.
21
18
22
19
## Scenario
23
20
24
21
This article explains how to set up your environment to perform network intrusion detection using Network Watcher, Suricata, and the Elastic Stack. Network Watcher provides you with the packet captures used to perform network intrusion detection. Suricata processes the packet captures and trigger alerts based on packets that match its given ruleset of threats. These alerts are stored in a log file on your local machine. Using the Elastic Stack, the logs generated by Suricata can be indexed and used to create a Kibana dashboard, providing you with a visual representation of the logs and a means to quickly gain insights to potential network vulnerabilities.
25
22
26
-
![simple web application scenario][1]
23
+
:::image type="content" source="./media/network-watcher-intrusion-detection-open-source-tools/figure1.png" alt-text="Diagram shows a simple web application scenario.":::
27
24
28
25
Both open source tools can be set up on an Azure VM, allowing you to perform this analysis within your own Azure network environment.
29
26
30
27
## Steps
31
28
32
29
### Install Suricata
33
30
34
-
For all other methods of installation, visit https://suricata.readthedocs.io/en/suricata-5.0.2/quickstart.html#installation
31
+
For all other methods of installation, see [Suricata installation quickstart guide](https://suricata.readthedocs.io/en/suricata-5.0.2/quickstart.html#installation)
35
32
36
33
1. In the command-line terminal of your VM run the following commands:
37
34
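Review bot: the reworded sentence "For all other methods of installation, see [Suricata installation quickstart guide](https://suricata.readthedocs.io/en/suricata-5.0.2/quickstart.html#installation)" still points at the version-pinned suricata-5.0.2 docs and has lost its trailing period; since this change bumps `ms.date` to 09/29/2023, either link the current Suricata quickstart or state that the steps target Suricata 5.0.2, so readers know which version the commands in step 1 were tested against. Two smaller points in the same hunk: "all other methods" reads oddly before any first method has been shown (suggest "For other installation methods, see ..."), and the unchanged context line "Suricata processes the packet captures and trigger alerts" needs "triggers". Also worth confirming that dropping `ms.assetid`, `ms.workload` and `ms.custom` from the front matter is intentional rather than a side effect of the reorder that moved `ms.author` above `author`.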
@@ -45,7 +42,7 @@ For all other methods of installation, visit https://suricata.readthedocs.io/en/
45
42
46
43
### Download the Emerging Threats ruleset
47
44
48
-
At this stage, we do not have any rules for Suricata to run. You can create your own rules if there are specific threats to your network you would like to detect, or you can also use developed rule sets from a number of providers, such as Emerging Threats, or VRT rules from Snort. We use the freely accessible Emerging Threats ruleset here:
45
+
At this stage, we don't have any rules for Suricata to run. You can create your own rules if there are specific threats to your network you would like to detect, or you can also use developed rule sets from a number of providers, such as Emerging Threats, or VRT rules from Snort. We use the freely accessible Emerging Threats ruleset here:
49
46
50
47
Download the rule set and copy them into the directory:
51
48
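Review bot: the hunk changes only "do not" to "don't", but the sentence it touches mixes "rule sets" and "ruleset" in one breath, and the following context line "Download the rule set and copy them into the directory:" pairs a singular noun with "them" and names no directory. Suggest "rulesets" throughout and "Download the ruleset and copy the rules into the Suricata rules directory:" (or whatever path the commands below use), so the reader knows where the files go before reading the command.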
@@ -73,7 +70,7 @@ While the logs that Suricata produces contain valuable information about what's
73
70
74
71
#### Install Elasticsearch
75
72
76
-
1. The Elastic Stack from version 5.0 and above requires Java 8. Run the command `java -version` to check your version. If you do not have Java installed, refer to documentation on the [Azure-supported JDKs](/azure/developer/java/fundamentals/java-support-on-azure).
73
+
1. The Elastic Stack from version 5.0 and above requires Java 8. Run the command `java -version` to check your version. If you don't have Java installed, refer to documentation on the [Azure-supported JDKs](/azure/developer/java/fundamentals/java-support-on-azure).
77
74
78
75
1. Download the correct binary package for your system:
79
76
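Review bot: only a contraction changes here, but the retained prerequisite "The Elastic Stack from version 5.0 and above requires Java 8" is pinned to an Elastic Stack major version while the hunk never states which Elastic Stack version the download step targets; with `ms.date` moving to 09/29/2023, either name the tested version next to this prerequisite or generalize it ("check the Java requirement for the Elastic Stack version you download"), so the `java -version` check is meaningful to the reader. Minor: "refer to documentation on the [Azure-supported JDKs]" reads better as "see [Azure-supported JDKs]".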
@@ -241,51 +238,41 @@ For this article, we have provided a sample dashboard for you to view trends and
241
238
242
239
You can also create your own visualizations and dashboards tailored towards metrics of your own interest. Read more about creating Kibana visualizations from Kibana's [official documentation](https://www.tutorialspoint.com/kibana/kibana_create_visualization.htm).
1. Top 10 Alerts – a summary of the 10 most frequent triggered alerts and their description. Clicking an individual alert filters down the dashboard to the information pertaining to that specific alert.
255
252
256
-
![image 4][4]
253
+
:::image type="content" source="./media/network-watcher-intrusion-detection-open-source-tools/figure4.png" alt-text="Screenshot shows most frequent triggered alerts.":::
257
254
258
255
1. Number of Alerts – the total count of alerts triggered by the ruleset
259
256
260
-
![image 5][5]
257
+
:::image type="content" source="./media/network-watcher-intrusion-detection-open-source-tools/figure5.png" alt-text="Screenshot shows the number of Alerts.":::
261
258
262
259
1. Top 20 Source/Destination IPs/Ports - pie charts showing the top 20 IPs and ports that alerts were triggered on. You can filter down on specific IPs/ports to see how many and what kind of alerts are being triggered.
263
260
264
-
![image 6][6]
261
+
:::image type="content" source="./media/network-watcher-intrusion-detection-open-source-tools/figure6.png" alt-text="Screenshot shows pie charts of the top 20 IPs and ports that alerts were triggered on." lightbox="./media/network-watcher-intrusion-detection-open-source-tools/figure6.png":::
265
262
266
263
1. Alert Summary – a table summarizing specific details of each individual alert. You can customize this table to show other parameters of interest for each alert.
267
264
268
-
![image 7][7]
265
+
:::image type="content" source="./media/network-watcher-intrusion-detection-open-source-tools/figure7.png" alt-text="Screenshot shows a summary table with details about each individual alert." lightbox="./media/network-watcher-intrusion-detection-open-source-tools/figure7.png":::
269
266
270
267
For more documentation on creating custom visualizations and dashboards, see [Kibana's official documentation](https://www.elastic.co/guide/en/kibana/current/introduction.html).
271
268
272
269
## Conclusion
273
270
274
271
By combining packet captures provided by Network Watcher and open source IDS tools such as Suricata, you can perform network intrusion detection for a wide range of threats. These dashboards allow you to quickly spot trends and anomalies within your network, as well dig into the data to discover root causes of alerts such as malicious user agents or vulnerable ports. With this extracted data, you can make informed decisions on how to react to and protect your network from any harmful intrusion attempts, and create rules to prevent future intrusions to your network.
275
272
276
-
## Next steps
277
-
278
-
Learn how to trigger packet captures based on alerts by visiting [Use packet capture to do proactive network monitoring with Azure Functions](network-watcher-alert-triggered-packet-capture.md)
279
-
280
-
Learn how to visualize your NSG flow logs with Power BI by visiting [Visualize NSG flows logs with Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md)
281
-
273
+
## Next step
282
274
275
+
Learn how to trigger packet captures based on alerts:
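Review bot: the unchanged context line "Read more about creating Kibana visualizations from Kibana's [official documentation](https://www.tutorialspoint.com/kibana/kibana_create_visualization.htm)" labels a third-party tutorial site as official documentation, while the genuine official link (https://www.elastic.co/guide/en/kibana/current/introduction.html) appears further down in the same hunk; since the page is being refreshed, point both sentences at elastic.co or drop the duplicate. Also in this hunk: the "Next steps" rewrite removes the "Visualize NSG flows logs with Power BI" link entirely rather than rewording it, so confirm that is intended, and the new "Next step" line ends in a colon with its link outside the visible lines; the alt-text "Screenshot shows the number of Alerts." should read "alerts"; and the Conclusion context line "as well dig into the data" is missing "as".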