The Coralogix STA is capable of detecting security-related issues in network traffic and host activities (with Wazuh integration). Until now it could receive the mirrored traffic in only two ways: AWS VPC Traffic Mirroring and physical network taps or SPAN ports.
We are excited to inform you that we have launched our own virtual tap which can be used to mirror traffic from instances which are not supported for AWS VPC Traffic Mirroring, from containerized environments or from environments in which it won’t make economic sense to use AWS VPC Traffic Mirroring.
The Coralogix STA Virtual Tap can run as a container (either as a Docker container or as a Kubernetes pod). It can both mirror the instance’s traffic using eBPF and function as a Wazuh agent, collecting host-based information and handling tasks defined by the Wazuh manager’s configuration.
To install the Coralogix STA Virtual Tap on Kubernetes, save the following DaemonSet manifest to a file:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: coralogix-vtap-wazuh
  namespace: default
  labels:
    k8s-app: coralogix-sta-ng
spec:
  selector:
    matchLabels:
      kubernetes.io/os: linux
  template:
    metadata:
      labels:
        kubernetes.io/os: linux
    spec:
      hostNetwork: true
      containers:
      - name: coralogix-vtap-wazuh
        image: coralogixrepo/sta-virtual-tap-docker:4.2.6-8
        securityContext:
          privileged: true
        env:
        - name: STA_SNIFFING_NLB
          value: "STA_SNIFFING_NLB_DNS_NAME"
        - name: WAZUH_MANAGER
          value: "WAZUH_MANAGER_NLB_DNS_NAME"
        - name: TAP_INTERFACE
          value: eth0
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
      terminationGracePeriodSeconds: 30
The values for the STA_SNIFFING_NLB and WAZUH_MANAGER environment variables should be retrieved from the “Load Balancers” in the EC2 console in AWS:
To run the Coralogix STA Virtual Tap as a standalone Docker container instead, run the following (the STA_SNIFFING_NLB value is the sniffing NLB’s DNS name, as described above):
docker run -d --name sta-virtual-tap \
  -e "STA_SNIFFING_NLB=<STA_SNIFFING_NLB_DNS_NAME>" \
  -e "TAP_INTERFACE=<TAP_INTERFACE>" \
  -e "STA_SNIFFING_FILTER=not dst port 4789" \
  --privileged --net host coralogixrepo/sta-virtual-tap-docker
If you do not want to use Wazuh, make sure to add the environment variable STA_DISABLE_WAZUH and set it to TRUE.
To check that the container started correctly, view its logs:
docker logs <VIRTUAL_TAP_CONTAINER_ID>
To function properly, the instance hosting this container should have an IAM role attached to it (or AWS credentials provided in the default profile) with the following permissions:
It is possible to control many aspects of the behavior of the Coralogix STA Virtual Tap by setting the following environment variables (in addition to STA_SNIFFING_NLB and WAZUH_MANAGER mentioned above):
STA_DISABLE_TAP – Can be set to “TRUE” to disable the tap feature of the Coralogix STA Virtual Tap, essentially making it work just as a Wazuh agent. By default this value is set to “FALSE”.
STA_DISABLE_WAZUH – Can be set to “TRUE” to disable the Wazuh agent, essentially making it work just as a virtual tap. By default this value is set to “FALSE”.
TAP_INTERFACE – Can be set to a specific network interface whose traffic you wish to mirror to the STA. By default this value is set to “any”, which mirrors traffic from all of the instance’s network interfaces.
STA_SNIFFING_FILTER – Can be set to a BPF filter that determines which traffic is mirrored to the STA. By default this value is empty, which mirrors all traffic seen.
WAZUH_GROUP – The Wazuh agent group to use for the built-in agent in the Coralogix STA Virtual Tap. By default this value is set to “default”.
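The following is an added example, not Coralogix’s own code, that ties the Docker and Kubernetes deployment sections above to the variable list: it merges the documented defaults with the operator’s settings, rejects combinations that cannot work (both features disabled, a required endpoint missing, or a template placeholder left in place), and renders either the docker run argument list or the DaemonSet as JSON (which kubectl accepts like YAML). The variable names, defaults and image tag are the ones on this page; the DNS names and the validation rules are this example’s own assumptions.

```python
"""Build and sanity-check the STA Virtual Tap environment (added example,
not Coralogix code). Variable names, defaults and image tag are from the
page; every other value here is a constructed placeholder."""
import json
import shlex

IMAGE = "coralogixrepo/sta-virtual-tap-docker:4.2.6-8"

# Defaults as documented on the page.
DEFAULTS = {
    "STA_DISABLE_TAP": "FALSE",
    "STA_DISABLE_WAZUH": "FALSE",
    "TAP_INTERFACE": "any",
    "STA_SNIFFING_FILTER": "",
    "WAZUH_GROUP": "default",
}

# Placeholders copied from the page's templates; deploying with them intact
# would point the tap and the agent at hosts that do not exist.
PLACEHOLDERS = {"STA_SNIFFING_NLB_DNS_NAME", "WAZUH_MANAGER_NLB_DNS_NAME"}


def config_error(env):
    """Return why `env` cannot work, or None if it passes the checks
    (the checks themselves are this example's assumptions)."""
    merged = {**DEFAULTS, **env}
    tap_off = merged["STA_DISABLE_TAP"].upper() == "TRUE"
    wazuh_off = merged["STA_DISABLE_WAZUH"].upper() == "TRUE"
    if tap_off and wazuh_off:
        return "both the tap and the Wazuh agent are disabled; nothing would run"
    if not tap_off and not merged.get("STA_SNIFFING_NLB"):
        return "STA_SNIFFING_NLB is required while the tap is enabled"
    if not wazuh_off and not merged.get("WAZUH_MANAGER"):
        return "WAZUH_MANAGER is required while the Wazuh agent is enabled"
    for key, value in merged.items():
        if value in PLACEHOLDERS:
            return f"{key} still holds the template placeholder {value}"
    return None


def effective_env(env):
    """Defaults merged with the caller's settings, after validation."""
    problem = config_error(env)
    if problem:
        raise ValueError(problem)
    return {**DEFAULTS, **env}


def docker_run_argv(env, name="sta-virtual-tap"):
    """Argument list equivalent to the page's `docker run` command."""
    argv = ["docker", "run", "-d", "--name", name, "--privileged", "--net", "host"]
    for key, value in sorted(effective_env(env).items()):
        argv += ["-e", f"{key}={value}"]
    return argv + [IMAGE]


def daemonset_json(env, namespace="default"):
    """The page's DaemonSet manifest, rendered from `env` as JSON."""
    labels = {"kubernetes.io/os": "linux"}
    container = {
        "name": "coralogix-vtap-wazuh",
        "image": IMAGE,
        "securityContext": {"privileged": True},  # the page's eBPF tap needs it
        "env": [{"name": k, "value": v} for k, v in sorted(effective_env(env).items())],
        "resources": {"limits": {"memory": "200Mi"},
                      "requests": {"cpu": "100m", "memory": "200Mi"}},
    }
    manifest = {
        "apiVersion": "apps/v1",
        "kind": "DaemonSet",
        "metadata": {"name": "coralogix-vtap-wazuh", "namespace": namespace,
                     "labels": {"k8s-app": "coralogix-sta-ng"}},
        "spec": {
            "selector": {"matchLabels": labels},
            "template": {
                "metadata": {"labels": labels},
                "spec": {"hostNetwork": True,  # tap must see the node's interfaces
                         "containers": [container],
                         "terminationGracePeriodSeconds": 30},
            },
        },
    }
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    # Constructed sample values; use the NLB DNS names from the EC2 console.
    settings = {
        "STA_SNIFFING_NLB": "sta-sniffing-nlb.example.internal",
        "WAZUH_MANAGER": "wazuh-manager-nlb.example.internal",
        "TAP_INTERFACE": "eth0",
        "STA_SNIFFING_FILTER": "not dst port 4789",
    }
    print(shlex.join(docker_run_argv(settings)))
    print(daemonset_json(settings))
```

Run it directly to print both forms; pipe the JSON into kubectl apply -f - once the DNS names are real. Sorting the variables makes the output stable, which is convenient when the rendered manifest is kept under version control.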
After installing this container on your environment, the STA should start receiving traffic and Wazuh events from your environment and display them on the Coralogix UI and, if needed, alert you upon security related issues found.
Although it is possible to install the Coralogix STA Virtual Tap instead of using AWS VPC Traffic Mirroring, we recommend that you consider the following notes:
The Virtual Tap allows you to specify an eBPF filter for limiting the amount of traffic that will be mirrored to the STA. Here are some examples of what you can set it to (by default it will mirror everything):
portrange 1-79 or icmp
icmp or (not portrange 443-445 and not port 80)
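As an added example (not Coralogix’s code, and not a real BPF compiler), the following small evaluator handles the subset of filter syntax used on this page (port, portrange, src/dst qualifiers, icmp, not, and, or, parentheses) so you can preview which flows a candidate STA_SNIFFING_FILTER would mirror before deploying it. The sample flows are constructed, not captured traffic, and only TCP/UDP ports and ICMP are modelled. The Docker example above excludes destination port 4789, which is the VXLAN port; assuming the tap delivers mirrored packets to the STA inside VXLAN, as AWS VPC Traffic Mirroring does, that exclusion keeps the tap’s own output from being captured a second time, and the evaluator shows that filter letting every other sample flow through.

```python
"""Preview what a BPF-style filter would mirror (added example, not
Coralogix code). Supports: port N, portrange A-B, src/dst, icmp, not, and,
or, parentheses. Flows are constructed samples."""
import re

TOKEN = re.compile(r"\(|\)|[A-Za-z]+|\d+(?:-\d+)?")


class BpfFilter:
    """Recursive-descent parser: or-expr > and-expr > not-expr > primitive."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        self.pos = 0
        # An empty filter mirrors everything, matching the page's default.
        self.tree = self._or_expr() if self.toks else ("true",)
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def _or_expr(self):
        node = self._and_expr()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and_expr())
        return node

    def _and_expr(self):
        node = self._not_expr()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._not_expr())
        return node

    def _not_expr(self):
        if self._peek() == "not":
            self._take()
            return ("not", self._not_expr())
        return self._primitive()

    def _primitive(self):
        tok = self._take()
        if tok == "(":
            node = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "icmp":
            return ("icmp",)
        side = "any"
        if tok in ("src", "dst"):
            side, tok = tok, self._take()
        if tok == "port":
            n = int(self._take())
            return ("port", side, n, n)
        if tok == "portrange":
            lo, hi = map(int, self._take().split("-"))
            return ("port", side, lo, hi)
        raise ValueError(f"unsupported primitive {tok!r}")

    def matches(self, flow, node=None):
        node = self.tree if node is None else node
        kind = node[0]
        if kind == "true":
            return True
        if kind == "or":
            return self.matches(flow, node[1]) or self.matches(flow, node[2])
        if kind == "and":
            return self.matches(flow, node[1]) and self.matches(flow, node[2])
        if kind == "not":
            return not self.matches(flow, node[1])
        if kind == "icmp":
            return flow["proto"] == "icmp"
        _, side, lo, hi = node
        if flow["proto"] not in ("tcp", "udp"):  # port tests never match ICMP
            return False
        ports = {"src": [flow["sport"]], "dst": [flow["dport"]]}.get(
            side, [flow["sport"], flow["dport"]])
        return any(lo <= p <= hi for p in ports)


# Constructed sample flows (not captured traffic); 4789/udp is VXLAN.
SAMPLE_FLOWS = {
    "https": {"proto": "tcp", "sport": 51000, "dport": 443},
    "http": {"proto": "tcp", "sport": 51001, "dport": 80},
    "ssh": {"proto": "tcp", "sport": 51002, "dport": 22},
    "dns": {"proto": "udp", "sport": 51003, "dport": 53},
    "vxlan": {"proto": "udp", "sport": 55000, "dport": 4789},
    "ping": {"proto": "icmp", "sport": None, "dport": None},
}


def mirrored(filter_text, flows=SAMPLE_FLOWS):
    """Names of the flows that `filter_text` would let through to the STA."""
    f = BpfFilter(filter_text)
    return [name for name, flow in flows.items() if f.matches(flow)]


if __name__ == "__main__":
    for text in ("", "portrange 1-79 or icmp",
                 "icmp or (not portrange 443-445 and not port 80)",
                 "not dst port 4789"):
        print(repr(text), "->", mirrored(text))
```

Note that a port primitive without src or dst matches either end of the flow, which is why `not portrange 443-445` also drops a server’s replies and not only client requests; the real filter semantics are documented at the BPF reference linked below, and this evaluator is only a convenience for reasoning about the page’s examples.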
You can consult this document for more information: https://biot.com/capstats/bpf.html
For more information about selecting the best mirroring strategy: https://coralogix.com/docs/aws-traffic-mirroring/