Barracuda XDR

Setting up the XDR Collector for Barracuda IDS for Windows


This setup is for the XDR Collector only. If you are using a physical or virtual sensor, refer to Integrating Barracuda IDS.

The XDR Collector runs as a service in your environment. While the minimum specifications are listed below, the required resources depend on the number of active integrations and the amount of data being processed.

Install the XDR Collector on each server you want to monitor. 

Minimum Requirements

To set up the XDR Collector, the minimum requirements are the following:

  • CPU: 2 vCPU

  • Disk size: 10 GB SSD

  • Memory: 1 GB

  • Network interface cards (NICs): 2

  • Operating system: Windows Server 2016 and higher, or Windows 10 and higher (Windows Server 2022 is recommended)

IP Address Requirements

Two private static IP addresses are required, one for each Ethernet interface.

Required Endpoint/Port Communication

The XDR Collector must be able to communicate with the following endpoints/ports:

  • Logstash: a96190b49bd294a5fbb3725ff20aab78-c7f64fe7557a87d2.elb.us-east-1.amazonaws.com:5044

  • Management Server: b5e9a5096e0a4f7782cc444c8edbbd5e.fleet.us-east-1.aws.found.io:443

  • Update Server: artifacts.elastic.co:443
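The following pre-flight check is an added example and not part of the Barracuda procedure. It confirms the two network prerequisites above before you install anything: two physical adapters with manually assigned (static) private IPv4 addresses, and outbound TCP reachability to the three required endpoints. It assumes the standard NetTCPIP and NetAdapter modules that ship with Windows Server 2016 and later.

```powershell
# Added pre-flight check; not part of the Barracuda procedure. Run in an
# elevated PowerShell session on the host that will run the XDR Collector.
$Endpoints = @(
    'a96190b49bd294a5fbb3725ff20aab78-c7f64fe7557a87d2.elb.us-east-1.amazonaws.com:5044', # Logstash
    'b5e9a5096e0a4f7782cc444c8edbbd5e.fleet.us-east-1.aws.found.io:443',                  # Management Server
    'artifacts.elastic.co:443'                                                             # Update Server
)
# RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16
$PrivateV4 = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

function Test-CollectorNetwork {
    param([string[]]$Endpoints)
    $ok = $true

    # Two private static IP addresses are required, one per Ethernet interface.
    # PrefixOrigin 'Manual' means statically assigned; DHCP and APIPA addresses are excluded.
    $adapters = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    $static   = @(Get-NetIPAddress -AddressFamily IPv4 |
                  Where-Object { $_.PrefixOrigin -eq 'Manual' -and $_.InterfaceAlias -notmatch 'Loopback' })
    if ($adapters.Count -lt 2) { Write-Warning "$($adapters.Count) physical adapter(s) up; 2 are required."; $ok = $false }
    if ($static.Count -lt 2)   { Write-Warning "$($static.Count) static IPv4 address(es) found; DHCP-assigned addresses do not count."; $ok = $false }
    foreach ($ip in $static) {
        if ($ip.IPAddress -notmatch $PrivateV4) { Write-Warning "$($ip.IPAddress) on $($ip.InterfaceAlias) is not a private address."; $ok = $false }
        else { Write-Host ("  static  {0,-24} {1}" -f $ip.InterfaceAlias, $ip.IPAddress) }
    }

    # Outbound TCP reachability to each required endpoint (host:port).
    foreach ($ep in $Endpoints) {
        $name, $port = $ep -split ':'
        $r = Test-NetConnection -ComputerName $name -Port ([int]$port) -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { Write-Host "  reachable $ep" }
        else { Write-Warning "Cannot reach $ep; check outbound firewall or proxy rules."; $ok = $false }
    }
    return $ok
}

if (Test-CollectorNetwork -Endpoints $Endpoints) { 'Network prerequisites satisfied.' }
else { 'Resolve the warnings above before installing the XDR Collector.' }
```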

Setting up the XDR Collector

To set up the XDR Collector, complete the following procedures:

  • To configure a static IP address

  • To install the XDR Collector

  • To set up switch port mirroring

  • To install Suricata

  • To create the log cleanup scheduled task

To configure a Static IP Address

Configure a static IP address for each Ethernet interface. See the documentation for your specific version of Windows.

To install the XDR Collector

The install command is unique for each account and should only be run on systems within that account's network.

  1. In Barracuda XDR Dashboard, click Infrastructure Collectors.

  2. In the Policies table, next to the on-prem policy, click Action Install.

  3. Click Windows.


  4. Copy the command at the bottom of the dialog box.


  5. On the appropriate system, run PowerShell as an administrator, paste the command, and run it.

It may take up to 30 minutes for the install to complete.

Whenever possible, follow the procedure to install the agent.

If downloading the agent package from the Dashboard fails, you can download the package from a browser. Save the package to a temp folder. If you save it to your desktop, the install fails.

To set up Switch Port Mirroring

Set up port mirroring as follows:

  1. Connect the secondary Ethernet interface on the XDR Collector's host machine to the mirrored port on the switch.

  2. Configure the switch to mirror traffic in both directions on all other ports on the switch.

To install Suricata

  • If the number of source ports in the switch mirroring session is greater than or equal to 24, it is recommended to increase the cache memory of Suricata from the default value of 1 MB to 8 MB.

  • Add the executables for both Suricata and the XDR Collector to the Allow List in all antivirus and endpoint protection software (except in SentinelOne).

    • Suricata: "C:\Program Files\Suricata\suricata.exe"

    • XDR Collector: "C:\Program Files\Elastic\Agent\elastic-agent.exe"

  • Do not upgrade either Suricata or the XDR Collector without confirmation from XDR support as this may result in configuration discrepancies. Barracuda XDR Collector upgrades are managed by Barracuda Networks.

  • If the IP address of the host's secondary interface is changed, then repeat steps 3 and 4 of the installation process.

  1. Download and install Npcap (https://npcap.com/#download). Ensure the Install Npcap in WinPcap API-compatible Mode option is enabled.
    NOTE: Npcap allows Windows software to capture raw network traffic.

  2. Download and install the 64-bit Windows build of Suricata from https://www.openinfosecfoundation.org/downloads/windows/Suricata-7.0.7-1-64bit.msi.

  3. Open the file "C:\Program Files\Suricata\suricata.yaml" and locate the current HOME_NET value. Modify the value to include only the subnets monitored by your switch. The values must be in CIDR notation. Save the file.

  4. As Administrator, open PowerShell and paste the following command in its entirety. Modify the path if your install directory is different. Press Enter and follow the prompts to begin the installation and configuration process.
    $suricataPath = "C:\Program Files\Suricata"
    # Download the Suricata Windows scripts bundle into the install directory
    Invoke-WebRequest -Uri "https://skout-csd-assets-public.s3.amazonaws.com/suricata/windows/suricata-windows-scripts.zip" -OutFile "$suricataPath\suricata-windows-scripts.zip";
    # Unpack the scripts, then remove the archive
    Expand-Archive -Path "$suricataPath\suricata-windows-scripts.zip" -DestinationPath "$suricataPath" -Force;
    Remove-Item "$suricataPath\suricata-windows-scripts.zip" -Force
    # Run the bundled install script (sets up the Suricata service)
    & "$suricataPath\install-suricata-service.ps1"

Suricata should now be running in the background. To verify that Suricata is writing new entries to the log file, run the following command, which follows the most recently modified JSON log file. Modify the path if your install directory is different.
    Get-ChildItem -Path "C:\Program Files\Suricata\log" -Filter "*.json" | Sort-Object LastWriteTime -Descending | Select-Object -First 1 | Get-Content -Tail 10 -Wait
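Step 3 above asks you to limit HOME_NET to the monitored subnets. The helper below is an added example, not part of the Barracuda procedure or the Suricata project: it validates each entry as IPv4 CIDR notation, backs up suricata.yaml, and rewrites only the uncommented HOME_NET line, keeping Suricata's quoted, bracketed list syntax. The file path and the two subnets are constructed sample values; adjust them to your environment.

```powershell
# Added helper; not part of the Barracuda procedure. Run as Administrator.
$SuricataYaml  = 'C:\Program Files\Suricata\suricata.yaml'   # adjust if installed elsewhere
$MonitoredNets = @('10.20.0.0/16', '192.168.50.0/24')          # constructed sample subnets

function Test-Cidr {
    param([string]$Cidr)
    # Shape check first, then a real IPv4 parse and a 0..32 prefix length
    if ($Cidr -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { return $false }
    $ip = $null
    return [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -and
           $ip.AddressFamily -eq 'InterNetwork' -and [int]$Matches[3] -le 32
}

function Set-SuricataHomeNet {
    param([string]$Path, [string[]]$Networks)
    $bad = @($Networks | Where-Object { -not (Test-Cidr $_) })
    if ($bad.Count) { throw "Not valid CIDR notation: $($bad -join ', ')" }

    $lines = @(Get-Content -Path $Path)
    # Match only the active HOME_NET key, not commented examples or EXTERNAL_NET's "$HOME_NET"
    $idx = @(0..($lines.Count - 1) | Where-Object { $lines[$_] -match '^\s*HOME_NET:\s' })
    if ($idx.Count -ne 1) { throw "Expected exactly one HOME_NET line, found $($idx.Count)" }

    # Preserve the original indentation; Suricata expects HOME_NET: "[a/b,c/d]"
    $indent = $lines[$idx[0]] -replace '^(\s*).*$', '$1'
    $new = '{0}HOME_NET: "[{1}]"' -f $indent, ($Networks -join ',')

    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup of the original
    $lines[$idx[0]] = $new
    [System.IO.File]::WriteAllLines($Path, $lines)           # UTF-8 without BOM
    return $new
}

Set-SuricataHomeNet -Path $SuricataYaml -Networks $MonitoredNets
```

Suricata's -T option tests a configuration without starting capture, so `& "C:\Program Files\Suricata\suricata.exe" -T -c "C:\Program Files\Suricata\suricata.yaml"` is a quick way to confirm the edited file still parses before the service next restarts.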

To Uninstall Suricata

  1. In Windows, open Add or Remove Programs.

  2. Remove Suricata.

  3. Remove Npcap.

  4. As Administrator, open PowerShell and paste the following command. Modify the path if your install directory is different. Press Enter to remove the scheduled tasks.
    & "C:\Program Files\Suricata\remove-scheduled-tasks.ps1"

  5. Optionally, delete the Suricata directory: "C:\Program Files\Suricata"