This repository holds the source code you need to bring up the setup locally on a Docker host; it mirrors the example described in part 3 of the Cloud IDS blog series.
Directory layout:
- app: Docker Compose definition that brings up the vulnerable app together with CloudLens to monitor its packets
- sensor: Docker Compose definition that brings up the logical IDS sensor, consisting of Snort, the CloudLens agent and Filebeat
- events_ui: Docker Compose definition that brings up ELK for event aggregation and end-user presentation
Prerequisites:
- Docker Engine (>= 17.12.0-ce): see install instructions
- Docker Compose (>= 1.22.0): see install instructions
Steps:
1. Set up a CloudLens account, create a project and obtain the project key.
2. Go into the events_ui directory and follow the instructions there to start ELK.
3. With the ELK hostname/IP from step 2 and the CloudLens project key, go into the sensor directory and follow the instructions there to start the Snort sensor.
4. With the CloudLens project key, go into the app directory and follow the instructions there to start the vulnerable app.
5. Create the vulnerable-app and Snort-sensor groups in CloudLens and connect them.
6. Analyze the events via Kibana.
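The steps above depend on two things that are easy to get wrong: the Docker and Compose version minimums, and the bring-up order (ELK must be accepting connections before the sensor's Filebeat starts shipping Snort events). The script below is an added example, not part of this repository; it checks the version minimums, then brings up the three compose stacks in the documented order, waiting for ELK in between. It assumes the ELK host and CloudLens project key are passed as the environment variables ELK_HOST and CLOUDLENS_PROJECT_KEY (names chosen here; the real variable names come from the per-directory instructions), and that Elasticsearch listens on its default port 9200. Step 5 (creating and connecting the CloudLens groups) happens in the CloudLens UI and is not scripted.

```shell
#!/bin/sh
# Added example: prerequisite check and ordered bring-up for the Cloud IDS lab.
# Not part of the repository. Run as:  ./bringup.sh up
# (with no argument the script only defines its functions, so it can be sourced).

# extract_version STRING: print the first dotted version number in STRING,
# e.g. "Docker version 18.09.1, build 4c52b90" -> 18.09.1
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing
# component by component; missing trailing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# check_prereqs: enforce the minimums stated in the README.
check_prereqs() {
    dv=$(extract_version "$(docker --version 2>/dev/null || true)")
    cv=$(extract_version "$(docker-compose --version 2>/dev/null || true)")
    version_ge "${dv:-0}" 17.12.0 || {
        echo "Docker Engine >= 17.12.0-ce required (found: ${dv:-none})" >&2; return 1; }
    version_ge "${cv:-0}" 1.22.0 || {
        echo "Docker Compose >= 1.22.0 required (found: ${cv:-none})" >&2; return 1; }
}

# wait_for_elk HOST PORT: poll until Elasticsearch answers HTTP, up to ~5 minutes.
# Filebeat in the sensor stack has nowhere to ship events before this succeeds.
wait_for_elk() {
    i=0
    until curl -sf "http://$1:$2/" >/dev/null 2>&1; do
        i=$((i + 1))
        if [ "$i" -ge 60 ]; then
            echo "Elasticsearch at $1:$2 not reachable after $i attempts" >&2
            return 1
        fi
        sleep 5
    done
}

# bring_up: README steps 2-4 in order. Step 1 (CloudLens project key) and
# step 5 (CloudLens groups) are done in the CloudLens UI beforehand/afterwards.
bring_up() {
    : "${CLOUDLENS_PROJECT_KEY:?set CLOUDLENS_PROJECT_KEY (assumed variable name)}"
    : "${ELK_HOST:?set ELK_HOST to the ELK hostname/IP (assumed variable name)}"
    check_prereqs
    (cd events_ui && docker-compose up -d)           # step 2: ELK
    wait_for_elk "$ELK_HOST" "${ELK_PORT:-9200}"      # 9200 is an assumed default
    (cd sensor && docker-compose up -d)              # step 3: Snort + CloudLens agent + Filebeat
    (cd app && docker-compose up -d)                 # step 4: vulnerable app + CloudLens
    echo "Stacks are up. Create and connect the app and sensor groups in CloudLens, then open Kibana."
}

if [ "${1:-}" = "up" ]; then
    bring_up
fi
```

The version comparison is done component-wise rather than with a string compare so that 1.22.0 is correctly judged newer than 1.9.0; `extract_version` tolerates the "-ce" suffix and the ", build ..." trailer that `docker --version` prints.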