IDS/IPS Integration


#1

So I know at present VyOS is primarily a routing platform. But I guess with natural progression, and also faced with the fact that a large portion of the userbase would be or is currently using it almost as a UTM appliance, it would be nice to include Suricata in place of Snort, like the old days of Vyatta 3.x.

Certainly that should be something that can be re-implemented at some point?

Potentially it could be made up for 2 components.

  1. Suricata
  2. EveBox (For exporting to ElasticSearch directly)

I’m not a developer by nature, but with some guidance on how the configuration management and VTY system is built, I could help do something.

Quite keen on this feature, as it’s pretty much what I think is missing.


#2

Fully agree. I would also be happy to explore further what it takes to incorporate this. In addition to IDS, I am also thinking about whether we can incorporate some sort of application identification (kind of like the OpenAppID from Snort).

@dtakeshi, we can collaborate to see how to structure this as a requirement, and also see what we can do to implement it further.


#3

@ayyaps sounds like a plan! Definitely keen to move forward with this!

Do you have a lot of background in the VyOS code? I’m curious as to how we can implement the options. I’m guessing it’s really loading them into the config.xml and then having the VyOS shell apply said configurations to the suricata.conf file.


#4

We maybe want to talk with suricata devs and try to see how we can collaborate


#5

I am dead keen for this to progress. I’m reading through the VyOS/Vyatta XML and I’m just thinking about all the different Suricata options I configure during a normal deployment.

One thing I must say is that I’m dead keen on an ELK-stacked backend. Or even using the local Barnyard2/Snorby combo; however, I think Snorby’s a dead project? I could be wrong.

I’m thinking of rolling together the following packages to make it work.

  • Suricata
  • ET Open
  • Scirius
  • EveBox
  • ELK
  • Elastalert


#6

We don’t want to keep ELK on the router; we need to see how we send data to a remote DB.


#7

EveBox could do it. Also there’s potential for integration with the Wazuh agent, for those that use the Wazuh SIEM.
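To make the "send data to a remote DB instead of running ELK on the router" idea concrete, here is an added example, not code from VyOS, Suricata or EveBox: it reads Suricata's line-delimited EVE JSON (the eve.json format that EveBox and the ELK shippers consume), keeps only alert events at or above a severity threshold, and packages them as an Elasticsearch bulk request body that a forwarder could POST off-box. The sample lines, signature ids, addresses and the index name are all constructed for the example; the functions `parse_eve`, `select_alerts`, `to_bulk_body` and `summarize` are the example's own names.

```python
import json

# Constructed sample eve.json lines (one JSON object per line). Suricata writes several
# event types into the same file; only "alert" records carry an "alert" object. One line
# is deliberately not JSON to model a partially written or truncated record.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2019-01-01T10:00:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2019-01-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":40001,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP",'
    '"alert":{"signature_id":9000001,"rev":1,"signature":"EXAMPLE outbound to known-bad host",'
    '"category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2019-01-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.3","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP",'
    '"alert":{"signature_id":9000002,"rev":1,"signature":"EXAMPLE inbound SSH scan",'
    '"category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2019-01-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":40002,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP",'
    '"alert":{"signature_id":9000003,"rev":1,"signature":"EXAMPLE protocol decode notice",'
    '"category":"Generic Protocol Command Decode","severity":3}}',
    'this line is not JSON and models a record still being written',
    '{"timestamp":"2019-01-01T10:00:04.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP"}',
]


def parse_eve(lines):
    """Parse EVE JSON lines into dicts, skipping blank and malformed lines.

    A forwarder tailing eve.json will occasionally read a half-written line, so a
    decode error is tolerated rather than aborting the whole batch.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events


def select_alerts(events, max_severity=2):
    """Keep only alert events whose severity is at or above the threshold.

    Suricata severity is 1 for the most severe; max_severity=2 keeps 1 and 2 and drops
    the noisier 3 and 4, which is the usual cut when shipping off a router with limited
    uplink capacity.
    """
    return [
        ev for ev in events
        if ev.get("event_type") == "alert"
        and ev.get("alert", {}).get("severity", 99) <= max_severity
    ]


def to_bulk_body(events, index="suricata-alerts"):
    """Build an Elasticsearch _bulk request body: an action line then a document line per event.

    The body is NDJSON and must end with a newline; the caller POSTs it to the remote
    cluster's /_bulk endpoint (index name is a constructed placeholder).
    """
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(ev, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def summarize(alerts):
    """Count selected alerts per signature, useful as a quick sanity check before shipping."""
    counts = {}
    for ev in alerts:
        sig = ev["alert"]["signature"]
        counts[sig] = counts.get(sig, 0) + 1
    return counts


if __name__ == "__main__":
    alerts = select_alerts(parse_eve(SAMPLE_EVE_LINES), max_severity=2)
    print(summarize(alerts))
    print(to_bulk_body(alerts), end="")
```

The severity filter is the knob that decides how much leaves the router; the document line is the unmodified EVE record, so the remote side still gets the full five-tuple and signature metadata for correlation.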