Goal: Configure deep packet inspection for sensitive workloads to allow Calico to inspect packets and alert on suspicious traffic.
- Configure the deep packet inspection (DPI) resource.

Navigate to `demo/70-deep-packet-inspection` and review the YAML manifests that define the DPI resource. A DPI resource is usually deployed to watch traffic for an entire namespace, or for specific pods within the namespace selected by labels. Deploy the DPI resource definition to allow Calico to inspect packets bound for `dev/nginx` pods:

```bash
kubectl apply -f demo/70-deep-packet-inspection/nginx-dpi.yaml
```

Once the `DeepPacketInspection` resource is deployed, Calico starts capturing packets for all endpoints matched by the `selector` field. Wait until all DPI pods become `Ready`:

```bash
watch kubectl get po -n tigera-dpi
```
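The two selector scopes described above, as an added illustration rather than the workshop's own `nginx-dpi.yaml`: one resource that inspects only the nginx pods and one that inspects every workload in the namespace. It assumes the nginx pods carry the label `app=nginx`.

```yaml
# Added example, not the workshop manifest. Assumes dev/nginx pods are labelled app=nginx.
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
  name: dpi-nginx
  namespace: dev
spec:
  # Only workload endpoints in "dev" whose label app equals "nginx" are inspected.
  selector: app == "nginx"
---
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
  name: dpi-dev-all
  namespace: dev
spec:
  # all() matches every workload endpoint in the "dev" namespace.
  selector: all()
```

Because the resource is namespaced, the selector never matches endpoints outside `dev`, so inspection scope is bounded by namespace first and labels second.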
- Simulate a malicious request.

Query the `dev/nginx` application with a payload that triggers a Snort rule alert:

```bash
kubectl -n dev exec -t centos -- sh -c "curl http://nginx-svc/secid_canceltoken.cgi -H 'X-CMD: Test' -H 'X-KEY: Test' -XPOST"
```

- Review alerts.

Navigate to the Alerts view in the Tigera UI and review the alerts triggered by the DPI controller. The Calico DPI controller uses Snort signatures to perform DPI checks.