We at Coralogix believe that cloud security is not a “nice-to-have” feature that only large organizations can benefit from or are entitled to. We believe it is a basic need that should be solved for organizations of any shape and size. This is why we built the Coralogix Security Traffic Analyzer (STA), a tool for packet sniffing and automated traffic analysis. Today we’re announcing several new features of our security product that you’ll find interesting.
- Automatic AWS VPC Traffic Mirroring Configuration Manager – One of the great things about AWS is that everything can scale up and down as needed, keeping costs to a minimum without losing any important data. We have now brought this elasticity to the VPC Traffic Mirroring configuration, so the mirroring setup keeps up with the instances it is meant to monitor instead of being maintained by hand. You can read all about it here.
- Spot / On-demand choice – The new STA installation process lets you choose whether to run the STA as a spot instance (through a spot fleet, for example for testing purposes) or as an on-demand instance. The choice is entirely yours. Keep in mind that AWS can reclaim a spot instance at short notice, and traffic mirrored to the STA while it is down is simply dropped, so on-demand is the safer choice for production monitoring.
- Configurable Size – You can now choose the size of the machine that will run the STA. The instance types used for each size are listed below (the installer picks one of the types in the chosen column, depending on availability in your region):

| Small | Medium | Large |
| --- | --- | --- |
| c5.2xlarge | c5.4xlarge | m5.8xlarge |
| c5d.2xlarge | c5d.4xlarge | m6g.8xlarge |
| c5a.2xlarge | c5a.4xlarge | r5a.8xlarge |
| c5n.2xlarge | c5n.4xlarge | m5n.8xlarge |
| c4.2xlarge | c4.4xlarge | m4.10xlarge |
| c6g.2xlarge | c6g.4xlarge | c6g.8xlarge |
| a1.2xlarge | a1.4xlarge | c5.9xlarge |
- Automated configuration sync to S3 – During installation you can set an S3 bucket for the STA configuration. If the bucket is empty, the STA copies its config files into it. If the bucket already contains STA config files and they are later modified (manually by you or by a script), the STA automatically pulls the new configuration and applies it. Because whatever is in that bucket becomes the running detection policy, restrict write access to the bucket to the people and roles that are supposed to change it, and keep bucket versioning on so that an unwanted change can be traced and rolled back. The configuration consists of the following files:
| Config file name | Purpose |
| --- | --- |
| local.rules | Snort rules that will be used in addition to those that were downloaded automatically. |
| disablesid.conf | List of Snort SIDs that should be disabled. Use this file to silence noisy Snort rules. |
| bpf.conf | A BPF filter that the STA applies to incoming traffic. Usually you can achieve the same outcome by modifying the VPC Traffic Mirroring filter. |
| wazuh_rules.conf | If the STA is installed with Wazuh support, this file sets the policy for all connected Wazuh agents. |
To learn more about how to modify these files see here.
- Automated upload of .pcap files to S3 – During installation you can set an S3 bucket to which the STA uploads compressed pcap files of all the traffic it observed. You can then attach an S3 lifecycle rule to that bucket to expire old pcap files automatically. These pcap files can be used for many purposes, including forensic investigations, alert tuning, deeper investigation of application and service issues, and more. Note that the pcaps hold the full payloads of the mirrored traffic, so treat the bucket as sensitive: keep it private, encrypt it at rest, and limit read access to the people who need it.
- Monitoring – The new STA contains a built-in Prometheus node-exporter that listens on the third network interface on node-exporter’s default port (9100). Allow access to that port only from your Prometheus server’s security group.
- Domain letter frequency analysis – Many cyber attacks nowadays rely on command and control servers, and on kill-switch domains for their malicious code, and the domain names used for these are usually machine-generated. We added a capability to the STA that automatically computes a score for each domain, parent domain, virtual host, certificate CN, etc., based on how often it contains letter combinations that are expected to be rare in legitimate names versus combinations that are expected to be frequent. This score can be used to detect machine-generated domains in certificates, common names, DNS requests and the other places where a domain name appears.
- “Baby Domains” – Employees, and even more so servers, accessing domains that are “young” (registered only very recently) is often a good indication of malicious activity. The new version of the STA automatically pulls a list of domains with their creation dates and adds the creation date to every domain detected in DNS requests, virtual hosts and the many other fields that contain a domain name. In addition, the new version of the STA contains a dedicated dashboard for displaying such “baby domains” that were accessed by monitored servers and clients.
- Default Alerts – We added a default set of alerts that is installed into your account when the STA is installed. These alerts will help you get started with the STA and dramatically improve your organization’s security posture. You can read more about these alerts here.
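The two domain enrichments described above (the letter-combination score and the creation-date lookup for “baby domains”), as an added example that is not part of the original post or of the STA itself: it trains a bigram model on a small constructed list of ordinary names, scores each observed name, joins it against a constructed creation-date feed keyed by registrable domain, and flags DNS queries that are either young or generated-looking. The reference name list, the creation-date feed, the DNS log format, the public-suffix stand-in and both thresholds are assumptions made for this example; the STA’s own scoring details are not described on this page.

```python
# Added example, not Coralogix/STA code: letter-frequency scoring plus
# registration-age lookup for domain names seen in DNS queries.
# Reference list, date feed, log format, suffix list and thresholds are assumptions.
from collections import Counter
from datetime import date
import math
import re

# Constructed stand-in for a list of known-benign names. A real model would be
# trained on a large legitimate-domain list so the bigram frequencies are stable.
REFERENCE_DOMAINS = [
    "google", "amazon", "microsoft", "coralogix", "facebook", "wikipedia",
    "github", "cloudflare", "netflix", "twitter", "linkedin", "apple",
    "example", "mail", "login", "update", "service", "static", "content", "images",
]
ALPHABET_SIZE = 28  # a-z plus the two boundary markers used below


def train_bigrams(words):
    """Count letter pairs in the reference names. ^ and $ mark the word
    boundaries so unusual first and last letters are scored as well."""
    counts = Counter()
    for w in words:
        marked = "^" + w + "$"
        counts.update(zip(marked, marked[1:]))
    return counts, sum(counts.values())


BIGRAM_COUNTS, BIGRAM_TOTAL = train_bigrams(REFERENCE_DOMAINS)


def letter_frequency_score(label):
    """Mean log-probability of the label's letter pairs under the reference model.
    Pairs frequent in legitimate names raise it, rare pairs lower it, so the
    more negative the score the more the label looks machine-generated."""
    label = re.sub(r"[^a-z]", "", label.lower())
    if len(label) < 2:
        return 0.0
    marked = "^" + label + "$"
    logp = 0.0
    for pair in zip(marked, marked[1:]):
        # Laplace smoothing: a pair never seen in the reference set still gets a
        # small non-zero probability instead of log(0)
        p = (BIGRAM_COUNTS[pair] + 1) / (BIGRAM_TOTAL + ALPHABET_SIZE ** 2)
        logp += math.log(p)
    return logp / (len(marked) - 1)


# Constructed creation-date feed keyed by registrable domain, which is what a
# WHOIS-derived feed provides; subdomains inherit their registrable domain's age.
DOMAIN_CREATION_DATES = {
    "goodcorp.com": date(2009, 5, 2),
    "example.co.uk": date(2016, 1, 1),
    "qxzkvjwpth.net": date(2021, 2, 20),
}
# Stand-in for the Public Suffix List (suffixes under which registration happens
# one label deeper). Use the real list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.il"}
TODAY = date(2021, 3, 1)    # constructed "current" date for the sample below
BABY_THRESHOLD_DAYS = 30    # assumed: younger than this is a baby domain
SUSPICIOUS_SCORE = -6.5     # assumed for this tiny reference set; tune on your traffic


def registrable_domain(hostname):
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domain_age_days(hostname, today=TODAY):
    created = DOMAIN_CREATION_DATES.get(registrable_domain(hostname))
    if created is None:
        return None  # not in the feed: age unknown, which is not the same as old
    return (today - created).days


def enrich(hostname, today=TODAY):
    """Attach both enrichments to one observed name."""
    reg = registrable_domain(hostname)
    age = domain_age_days(hostname, today)
    score = letter_frequency_score(reg.split(".")[0])
    return {
        "hostname": hostname,
        "registrable_domain": reg,
        "age_days": age,
        "baby_domain": age is not None and age < BABY_THRESHOLD_DAYS,
        "letter_frequency_score": round(score, 3),
        "looks_generated": score < SUSPICIOUS_SCORE,
    }


# Constructed DNS query lines in an assumed "<timestamp> <client> query <name>" format
SAMPLE_DNS_QUERIES = [
    "2021-03-01T10:00:01Z 10.0.1.5 query cdn.static.goodcorp.com",
    "2021-03-01T10:00:07Z 10.0.1.5 query qxzkvjwpth.net",
    "2021-03-01T10:00:09Z 10.0.2.8 query shop.example.co.uk",
    "2021-03-01T10:00:12Z 10.0.2.8 query updates.example.org",
]
QUERY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+)$")


def flag_queries(lines, today=TODAY):
    """Return enriched records for queries that hit a baby domain or a
    generated-looking name, with the client that asked."""
    flagged = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than stop the pipeline
        record = enrich(m.group("name"), today)
        record["client"] = m.group("client")
        if record["baby_domain"] or record["looks_generated"]:
            flagged.append(record)
    return flagged


if __name__ == "__main__":
    for r in flag_queries(SAMPLE_DNS_QUERIES):
        print(r)
```

Two points the code makes that the description above leaves implicit: the creation date belongs to the registrable domain, so a name has to be reduced to that level (with the Public Suffix List, not a two-label guess) before the feed is consulted; and a name missing from the feed has an unknown age, which should be surfaced as such rather than treated as old. The absolute score threshold is only meaningful relative to the reference set the model was trained on.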
That’s it for now. We have lots of new exciting features just waiting to be released in the next versions so stay tuned.