I’ve been working with suricata in VyOS for the past couple of weeks, so I’ll give you my 2 cents. One thing to keep in mind is I’ve come back to VyOS from experimenting with OPNsense, which, while I did run into a few issues that are forcing me to come back to VyOS, has a suricata implementation that is pretty easy and works well. My goal for suricata in VyOS is to duplicate what I was able to do with OPNsense.
First I’ve focused on 2 methods for using suricata in VyOS: a) using a container, and b) the “native” ‘set service suricata’ method. The container method is from this post (Vyos firewall artificial intelligence support), which does work, but I never completed the final piece of configuration incorporating it with the firewall. The one piece that I couldn’t get working was that I want to have the suricata alerts sent to the VyOS syslog (JournalD) from the container so I can send them to an NMS system. I just couldn’t figure it out, and I’m thinking maybe it’s because VyOS uses podman, for which there is a way to launch a container and use a journald logging mechanism, but I couldn’t figure out how to do that with the ‘set container’ commands. I will point out that the default configuration in the container is to only run suricata in “IDS Mode”, and I want to get it running in “IPS Mode” as I have good hardware to handle the load. I’m sure it could be configured that way in the container, but not being able to figure out how to send alerts from the container is a show-stopper for me.
The second method is the “native” ‘set service suricata’ commands, which does work well, but again it’s in “IDS Mode” by default. Everything I want to do with syslog though works solid, so this is the way I’m going to use it. In order to get it working, I used the config below; most of this may be overkill, but I just wanted to make sure it’s working. I basically duplicated the “vars:” and “port-groups” sections of the /etc/suricata/suricata.yaml file to make sure everything is covered. BTW when you run the ‘set service suricata’ commands, a separate config file is generated and used in ‘/run/suricata/suricata.yaml’.
$ sudo ps -ef | grep -i suricata
root 756211 1 2 00:01 ? 00:20:15 /usr/bin/suricata -D --af-packet -c /run/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid
my config:
set service suricata address-group home-net address '10.0.0.0/8'
set service suricata address-group external-net group '!home-net'
set service suricata address-group http-servers group 'home-net'
set service suricata address-group smtp-servers group 'home-net'
set service suricata address-group sql-servers group 'home-net'
set service suricata address-group dns-servers group 'home-net'
set service suricata address-group telnet-servers group 'home-net'
set service suricata address-group aim-servers group 'external-net'
set service suricata address-group dc-servers group 'home-net'
set service suricata interface 'eth2'
(eth2 is the internet interface)
set service suricata log eve filetype 'syslog'
set service suricata log eve type 'alert'
set service suricata log eve type 'drop'
set service suricata port-group all-ports port '1-65535'
set service suricata port-group http-ports port '80'
set service suricata port-group shellcode-ports port '!80'
set service suricata port-group oracle-ports port '1521'
set service suricata port-group ssh-ports port '22'
set service suricata port-group file-data-ports group 'http-ports'
set service suricata port-group file-data-ports port '110'
set service suricata port-group file-data-ports port '143'
set service suricata port-group ftp-ports port '21'
set service suricata port-group geneve-ports port '6081'
set service suricata port-group teredo-ports port '3544'
set service suricata port-group vxlan-ports port '4789'
Once you commit a config like this, then run ‘update suricata’, which under the covers is running ‘/usr/bin/suricata-update’ (the standard update utility that comes with suricata). This brings down the .rules files, which by default are the ET/open (free) rules, which are a great place to start. Keep in mind that if you want to include additional rule sources, or create your own, you will need to manipulate the /run/suricata/suricata.yaml file directly, as there doesn’t seem to be a way to do that in the ‘set service suricata’ commands. If you go that route, I would recommend running ‘/usr/bin/suricata-update’ with a ‘-v’ so you can really see what’s going on. That utility also allows you to add additional rule sources, which again don’t appear to be in the VyOS CLI.
Another thing to mention is the version of suricata in the latest-and-greatest VyOS ISO file is 6.0.10, while 7.0.8 is out, and actually that’s what’s in OPNsense. I’ve noticed the alerts in 6.0.10 are a little noisy compared to what I experienced in 7.0.8, so I don’t know if that’s a version thing or what. I’m currently working on a method to update to 7.0.8 of suricata, and also enable “IPS mode” as that’s where I really want to be. I think what OPNsense does for “IPS Mode” is use their own scripts to manipulate the .rules files themselves and change the first word, which is the action. If this idea works then the final configuration would be this:
a) configure “native” suricata to run in IPS Mode
b) run a standard ‘/usr/bin/suricata-update’ minimally once a day
c) programmatically update the action in the ‘/var/lib/suricata/rules/suricata.rules’ file that ‘/usr/bin/suricata-update’ generates
d) reload the rules on-the-fly using the mechanism suricata provides
One final thing to point out is the downside to this approach. Once a VyOS upgrade is done, everything done outside of the CLI commands will be lost. I’m OK with that as I use redundant hardware to introduce new versions of VyOS, and script the whole config with the new version. It’s so easy to do that with VyOS!!
Hopefully this helps.
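As an added example (not code from the post, VyOS or Suricata), here is one way to script steps c) and d) above: rewrite the action of the enabled rules in the file suricata-update generates, then signal the daemon to live-reload them. The two file paths come from the post; the SIGUSR2 reload is standard Suricata behaviour; the classtype filter and the temp-file rename are assumptions of mine, as are the constructed sample rules in the test.

```python
"""Steps c) and d) from the post: flip the action of the enabled rules in the
file suricata-update writes, then have the running daemon live-reload them.
Assumed: the file paths quoted in the post, and Suricata's SIGUSR2 reload."""
import os
import re
import signal
from pathlib import Path

RULES_FILE = Path("/var/lib/suricata/rules/suricata.rules")  # written by suricata-update
PID_FILE = Path("/run/suricata/suricata.pid")                # from the ps output in the post

# An enabled rule line starts with an action keyword followed by the protocol.
RULE_RE = re.compile(r"^(?P<action>alert|drop|reject|pass)(?P<rest>\s+\S+.*)$")

def flip_actions(text, new_action="drop", from_actions=("alert",), only_if=None):
    """Return (rewritten_text, number_of_rules_changed).
    Disabled rules ('# alert ...'), comments and blank lines are left as they are;
    pass/reject rules are only touched if listed in from_actions. only_if(line)
    narrows the set (e.g. to one classtype) so noisy signatures can stay alert-only."""
    out, count = [], 0
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") in from_actions and (only_if is None or only_if(line)):
            out.append(new_action + m.group("rest"))
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), count

def classtype_is(name):
    """only_if predicate: the rule carries 'classtype:<name>;'."""
    return lambda line: f"classtype:{name};" in line

def rewrite_rules_file(path=RULES_FILE, **kw):
    """Rewrite via a temp file + rename so Suricata never reads a half-written file."""
    new_text, count = flip_actions(path.read_text(), **kw)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(new_text)
    os.replace(tmp, path)
    return count

def reload_rules(pid_file=PID_FILE):
    """Live rule reload: Suricata re-reads its rule files when sent SIGUSR2."""
    os.kill(int(pid_file.read_text().strip()), signal.SIGUSR2)

if __name__ == "__main__":
    print(f"{rewrite_rules_file()} rule(s) switched to drop")
    reload_rules()
```

Because suricata-update rewrites suricata.rules on every run, this has to run after each update (step b), and the drop action only blocks traffic once step a) has Suricata running inline; in the IDS mode shown in the ps output a drop rule is just logged with action "drop".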