Version: 2.1.0

Mata Elang Sensor

Prerequisites

✅ Ubuntu 24.04 LTS installed and updated with the following command.

sudo apt update && sudo apt -y upgrade

✅ Docker 27.3 or later installed with the following command.

🔑 You can follow the Docker Official Documentation for installing Docker on your machine; it has comprehensive instructions for each Linux distribution.

⚠️ NOTE: You can check the Docker version on your host with this command:

docker -v

Generating TLS Certificates

The sensor communicates with the Defense Center over mutual TLS (mTLS). Before installing the sensor, you must generate the CA certificate that the sensor uses to verify the gRPC server.

🔑 If you are deploying the Defense Center on the same machine, follow the complete guide at Certificate Generation to generate all required certificates.

🔑 If the sensor is on a separate machine, generate certificates on the Defense Center host first, then copy the CA certificate to the sensor host:

# On the Defense Center host
cd example-docker-deployment
cp config.example.toml config.toml
# Edit config.toml: change ssl.password to a secure password
nano config.toml
./generate.sh

# Copy CA cert to sensor host
scp ssl_certs/ca/ca.crt user@sensor-host:/path/to/example-docker-deployment/ssl_certs/ca/ca.crt

⚠️ Important: The ca.crt file must exist at ssl_certs/ca/ca.crt relative to the repository root before starting the sensor.

Configuring and Installing the Sensor

Downloading Installation Media

▶️ Clone the Mata Elang v2.1 Sensor repository from GitHub to your defense center machine.

⚠️ You can skip this step if you have already set up your defense center.

git clone https://github.com/mata-elang-stable/example-docker-deployment.git

▶️ Open the sensor_snort folder and check the files it contains.

cd example-docker-deployment/sensor_snort/ && tree --dirsfirst -L 1 -a

🔑 You should see this result:

$ tree --dirsfirst -L 1 -a
.
├── rules/
├── compose.yml
├── custom.rules
├── .env.example
├── .gitignore
└── readme.md

Configuring Environment

▶️ Create an .env file by copying .env.example

cp .env.example .env

You will have a new file titled .env.

▶️ Edit .env with nano to connect the sensor to your defense center. You must set NETWORK_INTERFACE and the values in the Mata Elang: Sensor Parser section.

nano .env

🔑 Default variable values in .env

###############################
# Mata Elang: Sensor Snort
###############################

# Network interface to listen on
NETWORK_INTERFACE=eth0

###############################
# Mata Elang: Sensor Parser
###############################

# IP address of the Mata Elang Defense System (MES) server
MES_CLIENT_SERVER=172.17.0.1

# Port of the MES server
MES_CLIENT_PORT=50051

# Unique ID of the sensor in the MES server
MES_CLIENT_SENSOR_ID=sensor1

# Path to Snort alert JSON file
MES_CLIENT_FILE=/var/log/snort/alert_json.txt

# Interval between batch sends to gRPC server
MES_CLIENT_INTERVAL=1s

# -- gRPC TLS --
MES_CLIENT_SECURE=true
MES_CLIENT_CERTIFICATE=/secrets/ca.crt
MES_CLIENT_SERVER_NAME=sensor-api

🔑 Set MES_CLIENT_SENSOR_ID to a unique name for this sensor (e.g., sensor-office-1, sensor-dc-1). This ID appears in the OpenSearch Dashboards to identify which sensor generated each alert.

📖 For the complete list of configuration options, see Sensor Configuration.

⚠️ NOTE: You may change the values to meet your needs. ⚠️
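Before starting the containers, it helps to verify that .env and the CA certificate are consistent with what the steps above require. The following POSIX shell script is an added example, not part of the example-docker-deployment repository; the function names are mine, and it assumes ssl_certs/ca/ca.crt is the file that ends up mounted at MES_CLIENT_CERTIFICATE.

```shell
#!/bin/sh
# Pre-flight check for the sensor_snort configuration (added example, not
# shipped with example-docker-deployment). Run from sensor_snort/.

# Read the last uncommented KEY=value assignment from an env file.
env_get() {  # $1 = env file, $2 = key
  grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d '\r"'
}

# Check the values the sensor needs to reach the Defense Center over mTLS.
# Prints one line per problem; the return value is the number of problems.
check_sensor_env() {  # $1 = env file, $2 = host path of ca.crt
  envfile=$1 cacert=$2 fails=0
  [ -n "$(env_get "$envfile" NETWORK_INTERFACE)" ] ||
    { echo "NETWORK_INTERFACE is empty"; fails=$((fails+1)); }
  port=$(env_get "$envfile" MES_CLIENT_PORT)
  case "$port" in
    ''|*[!0-9]*) echo "MES_CLIENT_PORT is not numeric"; fails=$((fails+1)) ;;
    *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
         { echo "MES_CLIENT_PORT is out of range"; fails=$((fails+1)); } ;;
  esac
  [ "$(env_get "$envfile" MES_CLIENT_SENSOR_ID)" != sensor1 ] ||
    { echo "MES_CLIENT_SENSOR_ID still has the default value sensor1"; fails=$((fails+1)); }
  [ "$(env_get "$envfile" MES_CLIENT_SECURE)" = true ] ||
    { echo "MES_CLIENT_SECURE must be true: sensor traffic is mTLS"; fails=$((fails+1)); }
  [ -n "$(env_get "$envfile" MES_CLIENT_SERVER_NAME)" ] ||
    { echo "MES_CLIENT_SERVER_NAME is empty; TLS verification would fail"; fails=$((fails+1)); }
  # Assumption: this file is what the container sees as MES_CLIENT_CERTIFICATE.
  if [ ! -s "$cacert" ]; then
    echo "CA certificate not found at $cacert"; fails=$((fails+1))
  elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
    echo "$cacert is not a PEM certificate"; fails=$((fails+1))
  fi
  return $fails
}

# Usage from sensor_snort/ (the CA path is the one the guide requires):
# check_sensor_env .env ../ssl_certs/ca/ca.crt
```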

Installing Sensor

▶️ After your .env file is set, pull the images referenced in compose.yml with this command.

docker compose pull

▶️ After the pull completes, start the services with this command.

docker compose up -d

▶️ Check whether the containers are running.

docker compose ps -a

🔑 You should see output like this:

NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
sensor_snort-snort-1 ghcr.io/mata-elang-stable/snort3-docker-image:v2.1-debian "/usr/local/bin/star…" snort 3 seconds ago Up 2 seconds
sensor_snort-snort-parser-1 ghcr.io/mata-elang-stable/sensor-snort-service:latest "/go/bin/app client …" snort-parser 3 seconds ago Up 2 seconds