IDS/IPS Integration

So I know at present VyOS is primarily a routing platform. But I guess with natural progression, and also faced with the fact that a large portion of the userbase would be or is currently using it almost as a UTM appliance, it would be nice to include Suricata in place of Snort, like the old days of Vyatta 3.x.

Certainly that should be something that can be re-implemented at some point?

Potentially it could be made up of 2 components.

  1. Suricata
  2. EveBox (For exporting to ElasticSearch directly)

I’m not a developer by nature, but with some guidance on how the configuration management and VTY system is built, I could help do something.

Quite keen on this feature, as it’s pretty much what I think is missing.

Fully agree. I would also be happy to explore further what it takes to incorporate this. In addition to IDS, I am also thinking about whether we can incorporate some sort of application identification (kind of like the OpenAppID from Snort).

@dtakeshi, we can collaborate to see how to structure this as a requirement, and also see what we can do to implement it further.

@ayyaps sounds like a plan! Definitely keen to move forward with this!

Do you have a lot of background in the VyOS code? I’m curious as to how we can implement the options. I’m guessing it’s really loading them into the config.xml and then having the VyOS shell apply said configurations to the suricata.conf file.

We may want to talk with the Suricata devs and see how we can collaborate.

I am dead keen for this to progress. I'm reading through the VyOS/Vyatta XML and I'm just thinking about all the different Suricata options I configure during a normal deployment.

One thing I must say is that I'm dead keen on an ELK stack backend. Or even using the local Barnyard2/Snorby combo, however I think Snorby's a dead project? I could be wrong.

I’m thinking of rolling together the following packages to make it work.

  • Suricata
  • ET Open
  • Scirius
  • EveBox
  • ELK
  • Elastalert

We don't want to keep ELK on the router; we need to see how we send data to a remote DB.


EveBox could do it. Also there's potential for integration with the Wazuh agent for those that use the Wazuh SIEM.

Is there any update on this request?
Can you share some info on how to implement this functionality?

THX

Just for the record…in old Vyatta there was a “set content-inspection” command (see https://www.sans.org/reading-room/whitepapers/firewalls/deploying-vyatta-core-firewall-33493 or https://docs.huihoo.com/vyatta/6.0/Vyatta_SecurityRef_R6.0_v03.pdf for instance)


Yup, that's right. It had Snort built into it.

I've been thinking about this, and have started looking at using Suricata and then offloading to a backend using EveBox. That way no data processing or storage is done on VyOS. But then, looking at when detections occur: how do we push rules based on those back into VyOS?

Well, at least for the moment I’ve manually installed them.


Once Suricata is installed and inspecting nfqueue 0 (-q 0), you can send packets to it by passing the action "inspect" to a firewall rule:

set firewall name FROM-INTERNET default-action drop
set firewall name FROM-INTERNET description "From Internet"
set firewall name FROM-INTERNET rule 10 description "Pass port 22 traffic to Suricata"
set firewall name FROM-INTERNET rule 10 action inspect
set firewall name FROM-INTERNET rule 10 protocol tcp
set firewall name FROM-INTERNET rule 10 destination port ssh

and this will send packets to nfqueue 0.


Is there anyone actively working on this?
I would like to help with this but I am not familiar enough with VyOS to know where I should start.
Any pointers would be appreciated, such as which repo I would need to modify/look at and the general structure of the project.

Some Ideas I have had:

  • Support IPS/inline mode in Suricata
  • For logging I was thinking that we could just use syslog to start; other log exporters might be better added globally for all of VyOS to use

Yes, I'm very interested in incorporating an IDS/IPS module. SquidGuard doesn't provide an IDS/IPS function with the proxy?

Attachment: suricata.yaml.txt (72.6 KB)
Successfully installed on Buster.
Suricata config is in YAML format (/etc/suricata/suricata.yaml).
I think it will work with Python handlers/checkers.

Intrusion Detection System (IDS) - only detect
Intrusion Protection System (IPS) - firewall match pattern
Multi pattern match (mpm)

For the set syntax, I see it as:

set service detection engine ids
set service detection engine ids max-pending-packets
set service detection engine ids default-packet-size
set service detection engine ids thread-ratio
set service detection engine ids flow memcap
set service detection engine ids flow hash-size
set service detection engine ids profile (mpm|prefilter)
set service detection engine ids update-rules (update from internet with /usr/bin/suricata-update)
set service detection engine ips rule x action (pass|drop|reject|alert)
set service detection engine ips inspection-recursion-limit
set service detection engine ips mode accept
set service detection engine ips mode repeat
set service detection engine log

Filter
etc…

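The proposed set syntax above, and the earlier note that a firewall rule with action "inspect" hands packets to nfqueue 0, suggest what a Python checker/handler on the VyOS side would have to do. The following is an added example, not code from any post in this thread nor from VyOS or Suricata: it validates a few of the proposed values and renders the matching suricata.yaml keys. The accepted value formats, the flattened key names and the sample input are assumptions; the max-pending-packets, default-packet-size, flow and nfq keys are Suricata's own.

```python
"""Checker/handler sketch for the proposed 'service detection engine' syntax:
validate values and render the matching suricata.yaml keys (example code)."""
import re

PREFIX = "set service detection engine "
NFQ_MODES = ("accept", "repeat")        # the two nfq modes the proposal exposes
MEMCAP_RE = re.compile(r"^\d+(kb|mb|gb)$")
INT_KEYS = ("ids max-pending-packets", "ids default-packet-size", "ids flow hash-size")
SAMPLE = [  # constructed sample input in the proposed syntax, not from the post
    "set service detection engine ids max-pending-packets 1024",
    "set service detection engine ids flow memcap 128mb",
    "set service detection engine ips mode repeat",
]

def parse_set_commands(lines):
    """Flatten 'set ... <path> <value>' lines into {'ids flow memcap': '128mb', ...}."""
    cfg = {}
    for line in lines:
        line = line.strip()
        if line.startswith(PREFIX):
            *path, value = line[len(PREFIX):].split()
            cfg[" ".join(path)] = value
    return cfg

def check(cfg):
    """Return error strings; an empty list means the settings are acceptable."""
    errors = []
    for key in INT_KEYS:
        if key in cfg and not (cfg[key].isdigit() and int(cfg[key]) > 0):
            errors.append(f"{key}: expected a positive integer, got {cfg[key]!r}")
    if "ids flow memcap" in cfg and not MEMCAP_RE.match(cfg["ids flow memcap"]):
        errors.append("ids flow memcap: expected <n>kb|mb|gb")
    if "ips mode" in cfg and cfg["ips mode"] not in NFQ_MODES:
        errors.append(f"ips mode: expected one of {NFQ_MODES}, got {cfg['ips mode']!r}")
    return errors

def render_yaml(cfg):
    """Render the suricata.yaml fragment for a config that passed check()."""
    out = [f"{k.split()[-1]}: {cfg[k]}" for k in INT_KEYS[:2] if k in cfg]
    flow = [k for k in ("ids flow memcap", "ids flow hash-size") if k in cfg]
    if flow:
        out.append("flow:")
        out += [f"  {k.split()[-1]}: {cfg[k]}" for k in flow]
    mode = cfg.get("ips mode", "accept")
    out += ["nfq:", f"  mode: {mode}"]
    if mode == "repeat":  # verdicted packets are re-injected with a mark so later
        out += ["  repeat-mark: 1", "  repeat-mask: 1"]  # iptables rules can skip them
    return "\n".join(out) + "\n"
```

The rendered fragment is what the handler would merge into /etc/suricata/suricata.yaml before starting Suricata with -q 0 against the queue the "inspect" action feeds.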

Just tagging myself in here to show support/interest and to be tagged for future updates.
Pretty exciting stuff, thanks!

Hello Viecheslav,

So can we install it, or is it already available?
How do we inspect logs, detections, ...?

Thanks.

@FabG It’s too early to talk about it yet.

Just want to be updated on this feature request.