michael153 / sample-cloud-ids

This is a sample cloud IDS implementation using CloudLens, Snort and ELK. It complements the three-part cloud IDS blog series; part 3, which this repository reproduces, is at https://www.ixiacom.com/company/blog/sample-cloud-ids-solution-part-3-series


Sample Cloud IDS

This repository holds the source code needed to bring up, on a local Docker host, a setup that mirrors the example described in part 3 of the Cloud IDS blog series.

Figure: sample scenario

Repository layout

  • app: Docker Compose definition that brings up the vulnerable target app together with CloudLens, which taps the app's packets.
  • sensor: Docker Compose definition that brings up the logical IDS sensor: Snort, the CloudLens agent that receives the tapped packets, and Filebeat, which ships Snort's alerts to ELK.
  • events_ui: Docker Compose definition that brings up ELK (Elasticsearch, Logstash, Kibana) for event aggregation and end-user presentation.

Requirements

Quick start instructions

  1. Set up a CloudLens account, create a project and obtain the project key.
  2. Go into the events_ui directory and follow the instructions there to start ELK.
  3. With the ELK hostname/IP from step 2 and the CloudLens project key, go into the sensor directory and follow the instructions there to start the Snort sensor. The sensor must be able to reach ELK at that address, or no alerts will arrive.
  4. With the CloudLens project key, go into the app directory and follow the instructions there to start the vulnerable app.
  5. In CloudLens, create one group for the vulnerable app and one for the Snort sensor, and connect them; that connection is what delivers the app's packets to the sensor.
  6. Analyze the resulting alerts in Kibana.
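Step 6 is where the pipeline proves itself: Snort on the sensor writes alerts, Filebeat ships them to ELK, and Kibana aggregates them. The following is an added example, not code from this repository: it parses Snort's standard alert_fast lines into ECS-style JSON events and computes the counts a first Kibana dashboard would show, so you can check offline that the sensor side emits what the events_ui side expects. It assumes the sensor uses Snort's alert_fast output and that Filebeat forwards the lines unchanged; the sample alert lines, the local rule SID 1000001 and the year handed to the parser are constructed for the demo.

```python
"""Parse Snort alert_fast lines into ECS-style events and summarise them.

Added example for this README, not code from the sample-cloud-ids repository.
Assumptions: the sensor uses Snort's alert_fast output and Filebeat forwards
the lines unchanged; the sample alerts below are constructed for the demo.
"""
import json
import re
from collections import Counter
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Snort 2 alert_fast layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9a-fA-F.:]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample lines standing in for what the sensor's Snort would write.
SAMPLE_ALERTS = [
    "03/14-10:22:31.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "03/14-10:22:35.000100  [**] [1:1000001:1] LOCAL SQLi UNION SELECT in URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:51240 -> 10.0.0.5:80",
    "03/14-10:22:40.500000  [**] [1:384:5] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.5",
    "this line is not an alert and must be reported, not silently dropped",
]


def parse_alert(line: str, year: int = 2024) -> Optional[dict]:
    """Return one ECS-style event for an alert_fast line, or None for anything else.

    alert_fast timestamps carry no year, so the caller supplies one; 2024 is an
    assumed default for the demo, not a value read from the log.
    """
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "@timestamp": ts.isoformat(),
        "event": {"kind": "alert", "provider": "snort", "severity": int(d["priority"])},
        "rule": {
            "id": f"{d['gid']}:{d['sid']}:{d['rev']}",
            "name": d["msg"],
            "category": d["classification"] or "unclassified",
        },
        "network": {"transport": d["proto"].lower()},
        "source": {"ip": d["src"], "port": int(d["sport"]) if d["sport"] else None},
        "destination": {"ip": d["dst"], "port": int(d["dport"]) if d["dport"] else None},
    }


def parse_alerts(lines: Iterable[str], year: int = 2024) -> Tuple[List[dict], List[str]]:
    """Parse a batch of lines; lines that are not alerts come back separately so a
    broken output format shows up as 'unparsed' instead of as an empty dashboard."""
    events: List[dict] = []
    unparsed: List[str] = []
    for line in lines:
        ev = parse_alert(line, year)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def to_ndjson(events: List[dict]) -> str:
    """One JSON document per line, the shape a Filebeat/Logstash pipeline hands to Elasticsearch."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def summarize(events: List[dict]) -> dict:
    """The counts a first Kibana dashboard would show for these events."""
    return {
        "total": len(events),
        # Snort priority 1 is the most severe; these are the alerts to look at first.
        "high_priority": sum(1 for e in events if e["event"]["severity"] == 1),
        "by_rule": dict(Counter(e["rule"]["name"] for e in events)),
        "by_priority": dict(Counter(e["event"]["severity"] for e in events)),
        "top_sources": dict(Counter(e["source"]["ip"] for e in events).most_common(5)),
    }


if __name__ == "__main__":
    evs, bad = parse_alerts(SAMPLE_ALERTS)
    print(to_ndjson(evs), end="")
    print(json.dumps(summarize(evs), indent=2))
    print(f"unparsed lines: {len(bad)}")
```

Run it against the sensor's real alert file (for example `python3 snort_alerts.py < /var/log/snort/alert`, with a stdin loop in place of SAMPLE_ALERTS) before wiring Kibana: a non-zero unparsed count means the output format or the year assumption is wrong, and the priority-1 count tells you whether the deliberately vulnerable app is actually triggering the rules you expect.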


License:Apache License 2.0

