Additional suricata functionality

Hello. I’m coming back to VyOS from running OPNsense for a few months (interesting experiment, but too many issues), and have a couple of questions about suricata in VyOS.

I’ve been able to get suricata fully configured using the “native” ‘set service suricata’ commands, but was wondering if there was a way to do 2 additional things that were “nice to have” in OPNsense:

  1. Adding additional rule files. From what I can tell, even when running ‘update suricata’, VyOS seems to only use these rule files below. I’ve tried placing additional rule files in that same directory, with the thought they would be picked up and used, but there seems to be some hard-coding in the product to use only these rule files. Ideally I want to add even just the ET Open rule files.

24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/decoder-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/dns-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/files.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/http-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/modbus-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/nfs-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/ntp-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/smb-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/smtp-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/stream-events.rules
24/2/2025 – 16:19:21 - – Loading distribution rule file /etc/suricata/rules/tls-events.rules

  2. One of the easy/nice things in OPNsense was being able to create actions (policies) when a suricata alert was triggered, even as broad as “drop traffic when that alert is seen”. Is there anything that folks have done to add this capability, or is it coming in the future?

Related to these questions, I am aware of the concept of using a suricata container in VyOS, especially what’s talked about in this article (Vyos firewall artificial intelligence support) since it seems to be able to have the Container interact with the nftables approach to the firewall vs. the older version of this configuration that used iptables.

If going with a container provides more capabilities around adding rules and creating actions, I’ll definitely go down that route. Thanks!!

Update, and I think I answered one of my own questions; I’ll post this update just in case anybody else is going through this. :grinning:

I built a new VM with the latest ISO, and used the approach to installing suricata with a container as talked about in this post: Vyos firewall artificial intelligence support.

The only change I made was to use this command to bring down the “latest” suricata 7.0.8 container: ‘add container image jasonish/suricata:latest’. This is something I actually wanted an answer on as well, and confirmed what is running in the latest VyOS rolling ISO is suricata 6.0.10 vs. 7.0.8 in the “latest” container, as seen in these commands:

vyos@vyos:~$ suricata -V
This is Suricata version 6.0.10 RELEASE

vyos@vyos:~$ sudo podman exec -it suricata /bin/bash
[root@vyos /]# suricata -V
This is Suricata version 7.0.8 RELEASE

After going through a more “straight-forward” suricata configuration in the container, I was able to replicate the functionality of adding additional rules using ‘suricata-update’ in the container, as well as the 6.0.10 version that is installed in the ISO file. Basically these commands work exactly the same:

‘suricata-update list-sources’
‘suricata-update update-sources’
‘suricata-update enable-source et/open’ (adding the ET Open rules)
‘suricata-update -v’ (verbose is key)

The only difference between what is in the ISO and the container is of course that the container has the latest 7.0.8 suricata. This answers my first question about adding rules the “proper way” to suricata, but then the question that is raised is: will suricata in the ISO ever be updated to the latest? Or is the container the better/long-term approach to using suricata with VyOS?

As for the second question, I’d still like to hear feedback on what folks have done with actions to the alerts, especially if something is available outside of brute force modifying the rules to add “drop” to whatever rules necessary. While that can be done via scripting, I’d really rather NOT modify the rule files themselves if possible. Thanks again!
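As an added example (not part of the post above): suricata-update ships its own way to turn selected rules into drop without hand-editing rule files, a drop.conf read at update time whose lines are either a bare sid or `re:<regex>`. The script below is a stand-alone dry run of that matching logic over constructed sample rules, so you can preview which signatures a drop.conf would convert before running `suricata-update`; the sample rules, the sids and the case-insensitive `re:` handling are assumptions, not copied from suricata-update.

```python
import re

# Constructed sample rules (Suricata rule syntax, private-range sids).
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Example"; dns.query; content:"bad.example"; sid:9000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Example Cert Observed"; sid:9000002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example Beacon"; sid:9000003; rev:1;)
# comment lines and blanks are ignored by the loader
"""

# Constructed drop.conf: one matcher per line, bare sid or re:<regex>.
DROP_CONF = """\
# convert one specific signature and everything tagged ET TROJAN
9000001
re:ET TROJAN
"""

RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+.*\bsid:\s*(?P<sid>\d+)\s*;')


def parse_drop_conf(conf):
    """Return a list of ('sid', int) / ('re', pattern) matchers from drop.conf text."""
    matchers = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('re:'):
            # Assumption: regex matchers are applied case-insensitively.
            matchers.append(('re', re.compile(line[3:].strip(), re.IGNORECASE)))
        elif line.isdigit():
            matchers.append(('sid', int(line)))
    return matchers


def preview_drop(rules_text, conf):
    """Map sid -> resulting action; nothing is written back to the rule files."""
    matchers = parse_drop_conf(conf)
    result = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip comments, blanks and lines without a sid
        sid = int(m.group('sid'))
        hit = any((kind == 'sid' and val == sid) or (kind == 're' and val.search(line))
                  for kind, val in matchers)
        result[sid] = 'drop' if hit else m.group('action')
    return result


if __name__ == '__main__':
    for sid, action in sorted(preview_drop(SAMPLE_RULES, DROP_CONF).items()):
        print(sid, action)
```

A drop action only blocks traffic when Suricata runs inline (IPS mode); in a passive IDS deployment the converted rule still only alerts.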

