This document outlines how you can securely forward/copy data from one Immediate Insight server to another over the WAN (or Internet). As an example: this can be utilized to send data from a remote site to a central Immediate Insight in environments such as MSSP.
These are the variables that you will need to set based on your environment. For more details, refer to the Appendix of this document under "Variable Definition".
localTCPtunnelPort – any unused TCP port on the source server; it is the local endpoint of the SSH tunnel.
localUDPtunnelPort – UDP port on the source server that the streamUDP data route sends to; socat relays datagrams arriving here into the SSH tunnel.
remoteTCPlistenerPort – port on the destination server that is the remote endpoint of the SSH tunnel. Set this to the TCP Socket Listener (default TCP port 3000).
remoteIP – IP address of the destination server.
Source (Local) Immediate Insight Server Configuration
Use the CLI to run the following commands on the source (local) server to bring up the SSH tunnel. Because ssh is started with -f and a remote "sleep 300" command, it goes to the background and exits after 5 minutes unless a forwarded connection is still open. The final "echo" command must therefore be executed within 5 minutes of the "ssh -f -C -L ..." command: it makes socat open a TCP connection through the tunnel, and that open connection keeps the tunnel up.
ssh -f -C -L localTCPtunnelPort:localhost:remoteTCPlistenerPort insight@remoteIP sleep 300
socat UDP-LISTEN:localUDPtunnelPort,fork TCP:localhost:localTCPtunnelPort &
echo "tunnel up" | socat - UDP:localhost:localUDPtunnelPort
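As an added example (not part of the original document), here are the three CLI commands above as one script for the source server, with port sanity checks and ssh's ExitOnForwardFailure option added so that a port clash is reported instead of leaving a background ssh that forwards nothing. The port numbers, the remoteIP value (a documentation address) and the function names are assumptions; edit them for your environment:

```shell
#!/bin/sh
# Added example, not from the original Immediate Insight document: the source-server
# tunnel bring-up as one script. All values below are assumptions for illustration.
localTCPtunnelPort=3001      # unused local TCP port, local endpoint of the SSH tunnel
localUDPtunnelPort=3002      # local UDP port the streamUDP data route sends to
remoteTCPlistenerPort=3000   # TCP Socket Listener on the destination (default 3000)
remoteIP=203.0.113.10        # destination Immediate Insight server (documentation address)

# valid_port PORT: returns 0 if PORT is an integer in 1..65535, else 1
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ports LOCAL_TCP LOCAL_UDP REMOTE_TCP: returns 0 if all three are valid ports
# and the two local ports differ (they are bound on the same host), else 1
check_ports() {
    valid_port "$1" && valid_port "$2" && valid_port "$3" || return 1
    [ "$1" -ne "$2" ]
}

# bring_up_tunnel: the three commands from the procedure. ssh -f with a remote
# "sleep 300" exits after 5 minutes unless a forwarded connection is still open, so the
# final echo must run inside that window: it makes socat open a TCP connection through
# the tunnel, and that connection keeps ssh alive.
bring_up_tunnel() {
    check_ports "$localTCPtunnelPort" "$localUDPtunnelPort" "$remoteTCPlistenerPort" || {
        echo "bad port settings" >&2
        return 1
    }
    # ExitOnForwardFailure=yes makes ssh fail instead of running without the forward
    # when localTCPtunnelPort is already in use on this host.
    ssh -f -C -o ExitOnForwardFailure=yes \
        -L "$localTCPtunnelPort:localhost:$remoteTCPlistenerPort" \
        "insight@$remoteIP" sleep 300 || return 1
    socat UDP-LISTEN:"$localUDPtunnelPort",fork TCP:localhost:"$localTCPtunnelPort" &
    sleep 1   # give socat a moment to bind before the first datagram
    echo "tunnel up" | socat - UDP:localhost:"$localUDPtunnelPort"
}

# Only act when invoked as "sh tunnel.sh up"; sourcing the file just defines the functions.
if [ "${1:-}" = up ]; then
    bring_up_tunnel
fi
```

Run it as `sh tunnel.sh up` on the source server. Because ssh backgrounds itself only after authenticating, it still prompts for the insight user's password or key passphrase unless key-based authentication with an agent is in place.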
Use the Immediate Insight web GUI to configure the streamUDP data route on the source (local) server. In this example, events on the TCP Socket Listener are being copied/forwarded.
Go to DataFlow > Data Routing > Data Routing & Filtering and click the “+” on the top right.
Give the Data Route a name (here we are using "secure copy") and use the following settings:
- Stage – post
- Expires – (no configuration)
- Match – "TCP Socket Listener" (this is the name of the data collector on the source (local) server whose events are being copied; edit it to match your environment).
- Match Field – source
- Action – streamUDP
Once complete with the above configuration, click “Edit Settings”.
Leave the "Destination IP" value as 127.0.0.1 (localhost, where socat is listening). Edit the "Destination port" to match your localUDPtunnelPort variable.
The configuration on the source (local) Immediate Insight server is complete.
Destination (Remote) Immediate Insight Server Configuration
Make sure that TCP port 22 (SSH) is open to the source (local) Immediate Insight server.
Best practice is to create a firewall policy that restricts access to SSH to the IP address of the source (local) Immediate Insight server and to send the SSH traffic through an encrypted VPN tunnel.
Immediate Insight should never be exposed directly to the Internet using the default settings.
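As an added example (not part of the original document), one way to implement that firewall policy on the destination server with nftables: TCP/22 is accepted only from the source server's address and dropped from anywhere else, in a table of its own so that no other traffic is affected. The source address (a documentation-range value), the table name ii_ssh and the function names are assumptions:

```shell
#!/bin/sh
# Added example, not from the original Immediate Insight document: restrict SSH on the
# destination (remote) server to the source Immediate Insight server. The address is an
# assumption; the nftables table name ii_ssh is this script's own choice.
sourceIP=198.51.100.20

# ssh_ruleset SOURCE_IP: print an nftables ruleset that accepts TCP/22 only from
# SOURCE_IP and drops every other attempt at it. The chain has policy accept, so
# traffic to other ports is left to the host's other rules.
ssh_ruleset() {
    cat <<EOF
table inet ii_ssh {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr $1 tcp dport 22 accept   # only the source Immediate Insight server
        tcp dport 22 drop                   # everyone else, including the Internet
    }
}
EOF
}

# apply_ssh_ruleset SOURCE_IP: load the ruleset into the kernel (run as root)
apply_ssh_ruleset() {
    ssh_ruleset "$1" | nft -f -
}

# Only act when invoked as "sh ssh-restrict.sh apply"; sourcing just defines the functions.
if [ "${1:-}" = apply ]; then
    apply_ssh_ruleset "$sourceIP"
fi
```

Run it as root on the destination server with `sh ssh-restrict.sh apply`. A second layer at the sshd level is an `AllowUsers insight@198.51.100.20` line in sshd_config, which refuses the insight account from any other address even if the firewall rule is ever removed.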
Please contact firstname.lastname@example.org for any other inquiries.
Appendix: Variable Definition

| Variable | Where it is set | Definition |
|---|---|---|
| localTCPtunnelPort | CLI | Arbitrary (unused) local TCP port used to establish the SSH tunnel to the destination (remote). |
| localUDPtunnelPort | DataFlow > Data Routing > Data Routing & Filtering (Destination port of the streamUDP route) and the socat commands on the CLI | The source (local) UDP port used for tunneling data out to the destination (remote). Although it is sent via UDP, it is received via TCP by the Data Router in the background. |
| remoteTCPlistenerPort | DataFlow > Collectors > Create New Collector on the destination (or use the default "TCP Socket Listener" as defined in this document). If you do not use the default, be sure to alter the "match" variable in your Data Route and make sure the port matches. | The port that the destination (remote) will listen on for data. A collector must exist on the destination (remote) to receive the data from the source (local). |
| remoteIP | N/A | IP address of the destination (remote) Immediate Insight server. |