IDS/IPS Integration


#1

So I know VyOS is currently primarily a routing platform. But I guess with natural progression, and also faced with the fact that a large portion of the userbase would be or is currently using it almost as a UTM appliance, it would be nice to include Suricata in place of Snort, like the old days of Vyatta 3.x.

Certainly that should be something that can be re-implemented at some point?

Potentially it could be made up of 2 components.

  1. Suricata
  2. EveBox (For exporting to ElasticSearch directly)

I’m not a developer by nature, but with some guidance on how the configuration management and VTY system is built, I could help do something.

Quite keen on this feature, as it’s pretty much what I think is missing.


#2

Fully agree. I would also be happy to explore further what it takes to incorporate this. In addition to IDS, I am also thinking about whether we can incorporate some sort of application identification (kind of like the OpenAppID from Snort).

@dtakeshi, we can collaborate to see how to structure this as a requirement, and also see what we can do to implement it further.


#3

@ayyaps sounds like a plan! Definitely keen to move forward with this!

Do you have a lot of background in the VyOS code? I’m curious as to how we can implement the options. I’m guessing it’s really a matter of loading them into the config.xml and then having the VyOS shell apply said configuration to the suricata.conf file.