Monitor honeypods
Big picture
Monitor honeypod behavior to gain insight on what attackers are doing using packet-level inspection.
Value
Adding monitoring to honeypods improves your ability to detect and confirm known threats by analyzing and alerting on network traffic to honeypods that match any Intrusion Detection System (Snort) signatures.
Features
This how-to guide uses the following Calico Cloud features:
- PacketCapture with Honeypod controller
Concepts
About monitoring honeypods
Honeypods can optionally be monitored using a Calico Cloud controller that periodically polls selected honeypods for suspicious activity and scans their traffic. Alerts are generated in the Events tab of the Calico Cloud Manager UI.
The controller leverages the following:
- Packet capture feature to collect honeypod traffic in clusters.
- Open source Snort to scan honeypod traffic.
Before you begin
Required
Honeypods are configured for clusters, and alerts are generated when the honeypods are accessed.
How To
- Enable packet capture on honeypods
- Add honeypod controller to cluster
- Add custom Snort rules
- Verify the honeypod controller
Enable packet capture on honeypods
The following manifest enables packet capture on default honeypods. Be sure to modify the namespace and selector if honeypods are placed elsewhere. For help, see PacketCapture.
kubectl create -f - <<EOF
apiVersion: projectcalico.org/v3
kind: PacketCapture
metadata:
  name: capture-honey
  namespace: tigera-internal
spec:
  selector: all()
EOF
In order for the honeypod controller to find the packet captures, the name capture-honey is required for the PacketCapture resource.
Add honeypod controller to cluster
If you’ve customized or created your own honeypods, be sure to modify the included capture-honey PacketCapture manifest to target your honeypods.
Add the honeypod controller to each cluster configured for honeypods using the following command:
kubectl apply -f https://downloads.tigera.io/ee/v3.17.1/manifests/threatdef/honeypod/controller.yaml
For OpenShift deployments, the controller requires privileged access:
kubectl apply -f https://downloads.tigera.io/ee/v3.17.1/manifests/threatdef/honeypod/controller_os.yaml
Add custom Snort rules
You can add custom Snort rules to the controller using a ConfigMap. By default, Calico Cloud uses the Snort Community Ruleset.
The following manifest provides the method to add individual custom signatures:
kubectl create -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: localrule
  namespace: tigera-intrusion-detection
data:
  rules: |
    alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:1000000;)
    alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:1000001;)
EOF
Refer to the Snort Users Manual for guidance on writing Snort signatures.
To add a Snort-compatible ruleset file:
kubectl create cm localrule -n tigera-intrusion-detection --from-file=rules=<SNORT-RULESET-LOCATION>
The size limit for ConfigMaps is 1 MiB. If more space is required, use an alternative method to mount the volume.
Update the controller deployment to include the ConfigMap. Important! The mountPath /etc/snort/rules/custom.rules is required and the path cannot be changed.
cat <<EOF > patch.yaml
spec:
  template:
    spec:
      containers:
        - name: controller
          volumeMounts:
            - mountPath: /etc/snort/rules/custom.rules
              subPath: custom.rules
              name: custom-rules
              readOnly: true
      volumes:
        - name: custom-rules
          configMap:
            name: localrule
            items:
              - key: "rules"
                path: "custom.rules"
EOF
Apply the patch to the honeypod-controller DaemonSet:
kubectl patch daemonset honeypod-controller -n tigera-intrusion-detection --patch "$(cat patch.yaml)"
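Before loading a custom ruleset into the localrule ConfigMap, it is worth checking it for problems that would keep the controller from alerting: a file over the 1 MiB ConfigMap limit, lines Snort will not parse, duplicate sids, or sids below 1,000,000 (the Snort convention reserves that range for distributed rulesets). The following validator is an added example, not part of Calico Cloud or the honeypod controller; the rule grammar it accepts is the simple Snort 2 header form used on this page, and the sample ruleset is constructed here.

```python
import re

CONFIGMAP_LIMIT = 1024 * 1024   # Kubernetes caps a ConfigMap at 1 MiB
LOCAL_SID_MIN = 1_000_000       # Snort convention: local rules use sids >= 1,000,000
# Snort rule header: action proto src sport dir dst dport, then (options)
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$")

def parse_options(body):
    """Map option keywords to values; naive split on ';' (fine unless msg itself contains ';')."""
    opts = {}
    for item in body.split(";"):
        key, sep, val = item.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"') if sep else None
    return opts

def validate_rules(text):
    """Return a list of problems; empty means the ruleset is safe to load into the ConfigMap."""
    problems = []
    if len(text.encode()) > CONFIGMAP_LIMIT:
        problems.append("ruleset exceeds the 1 MiB ConfigMap limit; mount it another way")
    seen = {}  # sid -> first line that used it
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a recognised Snort rule")
            continue
        sid = parse_options(m.group(3)).get("sid")
        if not (sid and sid.isdigit()):
            problems.append(f"line {lineno}: missing or non-numeric sid")
            continue
        if int(sid) < LOCAL_SID_MIN:
            problems.append(f"line {lineno}: sid {sid} is inside the range reserved for distributed rulesets")
        if sid in seen:
            problems.append(f"line {lineno}: sid {sid} already used on line {seen[sid]}")
        seen.setdefault(sid, lineno)
    return problems

# Constructed sample: the page's two ICMP signatures plus two deliberately faulty lines.
SAMPLE_RULES = """\
# custom honeypod signatures
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:1000000;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:1000001;)
alert tcp any any -> any 22 (msg:"SSH to honeypod"; sid:1000001;)
alert tcp any any -> any 80 (msg:"HTTP to honeypod";)
"""
```

Run validate_rules over the file you intend to pass to kubectl create cm; only an empty result should be loaded.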
Verify the honeypod controller
To verify the installation, ensure that the honeypod controller is running within the tigera-intrusion-detection namespace:
kubectl get pods -n tigera-intrusion-detection
NAME                                            READY   STATUS      RESTARTS   AGE
honeypod-controller-57vwk                       1/1     Running     0          22s
honeypod-controller-8vtj6                       1/1     Running     0          22s
honeypod-controller-gk524                       1/1     Running     0          22s
honeypod-controller-k9nz4                       1/1     Running     0          22s
intrusion-detection-controller-bf9794dd7-5qxjs  1/1     Running     0          15m
intrusion-detection-es-job-installer-nfd7t      0/1     Completed   0          15m
As an example, to trigger an alert for the example custom signature, first get the Pod IP for one of the honeypods:
kubectl get pod tigera-internal-app-57vwk -n tigera-internal -ojsonpath='{.status.podIP}'
Then run a busybox container with the command ping on the honeypod IP:
kubectl run --restart=Never --image busybox ping-runner -- ping -c1 <honeypod IP>
An alert will be generated for honeypod-controller.snort with the example custom signature.