So I know that at present VyOS is primarily a routing platform. But I guess with natural progression, and also faced with the fact that a large portion of the userbase would be or is currently using it almost as a UTM appliance, it would be nice to include Suricata in place of Snort, like in the old days of Vyatta 3.x.
Certainly that should be something that can be re-implemented at some point?
Potentially it could be made up of 2 components:
Suricata
EveBox (For exporting to ElasticSearch directly)
I’m not a developer by nature, but with some guidance on how the configuration management and VTY system is built, I could help do something.
Quite keen on this feature, as it’s pretty much what I think is missing.
Fully agree. I would also be happy to explore further what it takes to incorporate this. In addition to IDS, I am also thinking about whether we can incorporate some sort of application identification (kind of like the OpenAppID from Snort).
@dtakeshi, we can collaborate to see how to structure this as a requirement, and also see what we can do to implement it further.
@ayyaps sounds like a plan! Definitely keen to move forward with this!
Do you have a lot of background in the VyOS code? I’m curious as to how we can implement the options. I’m guessing it’s really loading them into the config.xml and then having the VyOS shell apply said configurations to the suricata.conf file.
I am dead keen for this to progress. I’m reading through the VyOS/Vyatta XML and I’m just thinking about all the different Suricata options I configure during a normal deployment.
One thing I must say is that I’m dead keen on an ELK stack backend. Or even using the local Barnyard2/Snorby combo, however I think Snorby’s a dead project? I could be wrong.
I’m thinking of rolling together the following packages to make it work.
I’ve been thinking about this, and have started looking at using Suricata and then offloading it to a backend using Evebox. That way no data processing or storage is done on VyOS. But then, looking at when detections occur, how do we push rules based on those back into VyOS?
Well, at least for the moment I’ve manually installed them.
Once Suricata is installed and inspecting nfqueue 0 (-q 0), you can send packets to it by passing the action “inspect” to a firewall rule:
set firewall name FROM-INTERNET default-action drop
set firewall name FROM-INTERNET description "From Internet"
set firewall name FROM-INTERNET rule 10 description "Pass port 22 traffic to Suricata"
set firewall name FROM-INTERNET rule 10 action inspect
set firewall name FROM-INTERNET rule 10 protocol tcp
set firewall name FROM-INTERNET rule 10 destination port ssh
Is there anyone actively working on this?
I would like to help with this but I am not familiar enough with VyOS to know where I should start.
Any pointers would be appreciated, such as which repo I would need to modify/look at and the general structure of the project.
Some ideas I have had:
Support IPS/inline mode in Suricata
For logging I was thinking that we could just use syslog to start; other log exporters might be better added globally for all of VyOS to use
suricata.yaml.txt (72.6 KB)
Successfully installed on Buster.
Suricata configs are in YAML format (/etc/suricata/suricata.yaml)
I think it will work with python handlers/checkers.
Intrusion Detection System (IDS) - only detect
Intrusion Protection System (IPS) - firewall match pattern
Multi pattern match (mpm)
For the set syntax, I see it like this:
set service detection engine ids
set service detection engine ids max-pending-packets
set service detection engine ids default-packet-size
set service detection engine ids thread-ratio
set service detection engine ids flow memcap
set service detection engine ids flow hash-size
set service detection engine ids profile (mpm|prefilter)
set service detection engine ids update-rules (update from internet with /usr/bin/suricata-update)
set service detection engine ips rule x action (pass|drop|reject|alert)
set service detection engine ips inspection-recursion-limit
set service detection engine ips mode accept
set service detection engine ips mode repeat
set service detection engine log
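A sketch, added here and not VyOS’s or Suricata’s own code, of the Python handler/checker idea for the proposed set syntax above: it parses the proposed commands, rejects values outside the sets proposed in this thread, and builds the nested sections those values land in inside suricata.yaml. The CLI node names are hypothetical (the thread’s proposal); the suricata.yaml key names are the upstream ones, and the proposed profile and log nodes are left unmapped.

```python
import re

PREFIX = "set service detection engine "

# Proposed (hypothetical) CLI leaf -> key path inside suricata.yaml.
# "ids profile" and "log" from the proposal are intentionally not mapped.
LEAF_MAP = {
    "ids max-pending-packets": ("max-pending-packets",),
    "ids default-packet-size": ("default-packet-size",),
    "ids thread-ratio": ("threading", "detect-thread-ratio"),
    "ids flow memcap": ("flow", "memcap"),
    "ids flow hash-size": ("flow", "hash-size"),
    "ips inspection-recursion-limit": ("detect", "inspection-recursion-limit"),
    "ips mode": ("nfq", "mode"),
}
ALLOWED = {"ips mode": {"accept", "repeat"}}          # value set from the thread
RULE_RE = re.compile(r"^ips rule (\d+) action (\S+)$")
RULE_ACTIONS = {"pass", "drop", "reject", "alert"}    # value set from the thread

def build_config(set_lines):
    """Return (yaml_tree, rule_actions, errors) for the given set commands."""
    tree, rules, errors = {}, {}, []
    for line in set_lines:
        line = line.strip()
        if not line.startswith(PREFIX):
            errors.append(f"not a detection-engine command: {line!r}")
            continue
        body = line[len(PREFIX):]
        if body in ("ids", "ips"):          # bare container nodes just enable
            continue
        m = RULE_RE.match(body)
        if m:                               # "ips rule N action X"
            rule_id, action = int(m.group(1)), m.group(2)
            if action in RULE_ACTIONS:
                rules[rule_id] = action
            else:
                errors.append(f"rule {rule_id}: unknown action {action!r}")
            continue
        leaf, _, value = body.rpartition(" ")
        if leaf not in LEAF_MAP or not value:
            errors.append(f"unsupported or valueless node: {body!r}")
            continue
        if leaf in ALLOWED and value not in ALLOWED[leaf]:
            errors.append(f"{leaf}: {value!r} not in {sorted(ALLOWED[leaf])}")
            continue
        node = tree
        for key in LEAF_MAP[leaf][:-1]:     # walk/create the nested sections
            node = node.setdefault(key, {})
        node[LEAF_MAP[leaf][-1]] = value
    return tree, rules, errors
```

The returned tree is the nested dict a real handler would merge into the existing suricata.yaml, and errors is what the checker would report back to the commit.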