Estimated time: 20 min
We deployed security alerts in the first module. While we were implementing the use cases, some of them triggered those alerts, and now we can explore them.
Review alert manifests.
Navigate to the demo/50-alerts path and review the YAML manifests that represent alert definitions. Each file contains an alert template and an alert definition. Alert templates can be used to quickly create an alert definition in the UI.
View triggered alerts.
Open the Alerts view to see all triggered alerts in the cluster. Review the generated alerts.
You can also review the alert configuration and templates by navigating to the alerts configuration in the top right corner.
Refer to the packet capture documentation for more details about this capability.
Configure packet capture.
Navigate to the demo/60-packet-capture path and review the YAML manifests that represent the packet capture definition. Each packet capture is configured by deploying a PacketCapture resource that targets endpoints using a selector and labels.
Deploy the packet capture definition to capture packets for the dev/nginx pods.
kubectl apply -f demo/60-packet-capture/nginx-pcap.yaml
Once the PacketCapture resource is deployed, Calico starts capturing packets for all endpoints matched by the selector field.
Install the calicoctl CLI
The easiest way to retrieve the captured *.pcap files is to use the calicoctl CLI.
CALICO_VERSION=$(kubectl get clusterinformation default -ojsonpath='{.spec.cnxVersion}')
# download and configure calicoctl
curl -o calicoctl -O -L https://docs.tigera.io/download/binaries/${CALICO_VERSION}/calicoctl
chmod +x calicoctl
sudo mv calicoctl /usr/local/bin/
calicoctl version
Fetch and review captured payload.
The captured *.pcap files are stored on the hosts where the pods are running while the PacketCapture resource is active.
Retrieve the captured *.pcap files and review their content.
# get pcap files
calicoctl captured-packets copy nginx-pcap --namespace dev
ls dev-nginx*
# view *.pcap content
tcpdump -Ar $(ls dev-* | head -1)
tcpdump -Xr $(ls dev-* | head -1)
Clean up the packet capture resource
If a packet capture resource does not have an endTime field, the capture is continuous until the resource is removed.
Stop the packet capture by removing the PacketCapture resource.
kubectl delete -f demo/60-packet-capture/nginx-pcap.yaml
Note: Packet captures can also be created and scheduled directly from the Calico UI. Follow the Service Graph method for this alternative procedure.
Refer to the deep packet inspection documentation for more details about this capability.
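As an added example (not the workshop's own nginx-pcap.yaml, whose contents are not shown here), this PacketCapture resource is bounded by startTime and endTime and narrowed with a TCP port filter, so the capture stops on its own instead of running until the resource is deleted; the resource name, the timestamps and the app: nginx pod label are assumptions.

```yaml
apiVersion: projectcalico.org/v3
kind: PacketCapture
metadata:
  # Constructed name; the demo's own resource is named in nginx-pcap.yaml.
  name: nginx-pcap-bounded
  namespace: dev
spec:
  # Assumed label on the dev/nginx pods; adjust to the labels the demo uses.
  selector: app == "nginx"
  # Capture only TCP traffic to port 80 so the pcap stays small and relevant
  # to the nginx service rather than recording every packet on the endpoint.
  filters:
    - protocol: TCP
      ports:
        - 80
  # Bounded window (RFC 3339 timestamps, constructed): with an endTime set,
  # the capture ends automatically; without it, it runs until deletion.
  startTime: "2024-01-01T12:00:00Z"
  endTime: "2024-01-01T12:30:00Z"
```

The files are still fetched the same way, with calicoctl captured-packets copy nginx-pcap-bounded --namespace dev, once the window has closed.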
Configure deep packet inspection (DPI) resource.
Deploy the DPI resource to allow Calico to inspect packets bound for the dev/nginx pods.
kubectl apply -f demo/70-deep-packet-inspection/nginx-dpi.yaml
Once the DeepPacketInspection resource is deployed, Calico configures the DPI controller to scan packets for the endpoints matched by the selector field.
Wait until all DPI pods become Ready.
watch kubectl get po -n tigera-dpi
Simulate a malicious request and review the alerts.
Query the dev/nginx application with a payload that triggers a Snort rule alert.
kubectl -n dev exec -t centos -- sh -c "curl http://nginx-svc/secid_canceltoken.cgi -H 'X-CMD: Test' -H 'X-KEY: Test' -XPOST"
Navigate to the Alerts view in the Tigera UI and review the alerts triggered by the DPI controller. The Calico DPI controller uses Snort signatures to perform the DPI checks.