IDS/IPS Integration

Just for the record... in old Vyatta there was a "set content-inspection" command (see Deploying a Vyatta Core Firewall | SANS Institute or https://docs.huihoo.com/vyatta/6.0/Vyatta_SecurityRef_R6.0_v03.pdf for instance).

1 Like

Yup, that's right. It had Snort built into it.

I've been thinking about this, and have started looking at using Suricata and then offloading it to a backend using Evebox. That way no data processing or storage is done on VyOS. But then, looking at what happens when detections occur: how do we push rules based on those back into VyOS?

Well, at least for the moment I’ve manually installed them.

1 Like
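One way to close the loop the post above asks about, as an added example that is not code from this thread or from VyOS: read the EVE JSON that Suricata writes (the same stream Evebox consumes), count alerts per source, and turn repeat offenders into a VyOS network-group plus a drop rule that references it. The sample EVE lines are constructed, the group name IDS-BLOCK, rule number 5, the severity/hit thresholds and the HOME_NETS list are assumptions, and the firewall syntax follows the 1.3-style "set firewall name ..." commands used later in this thread.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of Suricata EVE JSON lines (not output of a real sensor).
# Addresses are documentation ranges; 192.0.2.0/24 plays the role of HOME_NET.
SAMPLE_EVE = """\
{"timestamp":"2022-06-08T13:50:37.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2022-06-08T13:50:38.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.1","proto":"TCP"}
{"timestamp":"2022-06-08T13:50:39.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","severity":2}}
{"timestamp":"2022-06-08T13:50:40.000000+0000","event_type":"alert","src_ip":"192.0.2.50","dest_ip":"192.0.2.1","dest_port":445,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"LOCAL SMB probe","severity":1}}
{"timestamp":"2022-06-08T13:50:41.000000+0000","event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.1","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":3}}
{"timestamp":"2022-06-08T13:50:42.000000+0000","event_type":"alert","src_ip":"203.0.113.1
"""

# Sources that must never end up in the block group (assumed values). Listed
# explicitly rather than via ip_address.is_private, which also treats the
# documentation ranges used above as private.
HOME_NETS = [ipaddress.ip_network(n) for n in
             ("192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_eve(text):
    """Yield alert events from EVE JSON, one object per line. Other event types
    and malformed lines (e.g. a half-written line during rotation) are skipped
    instead of aborting the whole batch."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "alert" and "src_ip" in ev:
            yield ev


def is_home(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS if net.version == addr.version)


def select_offenders(alerts, max_severity=2, min_hits=2):
    """{src_ip: hits} for sources with at least min_hits alerts of severity
    <= max_severity (Suricata: 1 is the most severe). Home sources are dropped
    so the router can never block its own LAN."""
    hits = Counter()
    for ev in alerts:
        severity = ev.get("alert", {}).get("severity", 3)
        if severity > max_severity or is_home(ev["src_ip"]):
            continue
        hits[ev["src_ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def render_vyos_batch(group, offenders, fw_name="FROM-INTERNET", rule=5):
    """VyOS 'set' commands for a network-group holding the offenders and a drop
    rule that references it. group/fw_name/rule are assumed names; output is
    sorted so repeated runs yield the same batch (safe to commit repeatedly)."""
    cmds = [f"set firewall group network-group {group} description 'Suricata offenders'"]
    for ip in sorted(offenders, key=lambda s: (ipaddress.ip_address(s).version,
                                                ipaddress.ip_address(s))):
        cmds.append(f"set firewall group network-group {group} address {ip}")
    cmds.append(f"set firewall name {fw_name} rule {rule} action drop")
    cmds.append(f"set firewall name {fw_name} rule {rule} source group network-group {group}")
    return cmds


if __name__ == "__main__":
    found = select_offenders(parse_eve(SAMPLE_EVE))
    print("\n".join(render_vyos_batch("IDS-BLOCK", found)))
```

The rendered batch can be fed to "configure" followed by "commit". Rule 5 sorts before the inspect rule 10 shown further down this thread, so a source that is already blocked no longer costs Suricata any inspection time; the severity-1 alert from 192.0.2.50 is deliberately ignored because blocking a home address on the router would be self-inflicted denial of service.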

Once suricata is installed and inspecting nfqueue 0 (-q 0), you can send packets to it by passing the action "inspect" to a firewall rule:

set firewall name FROM-INTERNET default-action drop
set firewall name FROM-INTERNET description "From Internet"
set firewall name FROM-INTERNET rule 10 description "Pass port 22 traffic to Suricata"
set firewall name FROM-INTERNET rule 10 action inspect
set firewall name FROM-INTERNET rule 10 protocol tcp
set firewall name FROM-INTERNET rule 10 destination port ssh

and this will send packets to nfqueue 0

1 Like

Is there anyone actively working on this?
I would like to help with this, but I am not familiar enough with VyOS to know where I should start.
Any pointers would be appreciated, such as which repo I would need to modify/look at and the general structure of the project.

Some Ideas I have had:

  • Support IPS/inline mode in Suricata
  • For logging I was thinking that we could just use Syslog to start; other log exporters might be better added globally for all of VyOS to use

Yes, I'm very interested in incorporating an IDS/IPS module. squidguard doesn't provide an IDS/IPS function with the proxy?

Attachment: suricata.yaml.txt (72.6 KB)
Successfully installed on Buster.
Suricata configs are in YAML format (/etc/suricata/suricata.yaml).
I think it will work with python handlers/checkers.

Intrusion Detection System (IDS) - only detect
Intrusion Protection System (IPS) - firewall match pattern
Multi pattern match (mpm)

For the set syntax, I see it like this:

set service detection engine ids
set service detection engine ids max-pending-packets
set service detection engine ids default-packet-size
set service detection engine ids thread-ratio
set service detection engine ids flow memcap
set service detection engine ids flow hash-size
set service detection engine ids profile (mpm|prefilter)
set service detection engine ids update-rules (update from internet with /usr/bin/suricata-update)
set service detection engine ips rule x action (pass|drop|reject|alert)
set service detection engine ips inspection-recursion-limit
set service detection engine ips mode accept
set service detection engine ips mode repeat
set service detection engine log

Filter
etc…

4 Likes
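The post above sketches a CLI tree and expects Python handlers/checkers to carry it into suricata.yaml. As an added example (not VyOS code and not from the thread), here is what such a checker/handler pair could look like for a subset of those nodes: verify() rejects values Suricata would not start with, generate() renders the matching suricata.yaml fragment. The CLI-to-YAML mapping, the accepted value sets (taken from the stock suricata.yaml: nfq mode accept/repeat/route, detect profile low/medium/high) and the choice to emit a fragment rather than rewrite the whole file are assumptions.

```python
import re

# Hypothetical CLI node -> suricata.yaml key path. The nodes are the ones proposed
# above; the YAML keys and value domains are Suricata's (assumed from the stock
# suricata.yaml, e.g. nfq mode accept/repeat/route, detect profile low/medium/high).
CLI_TO_YAML = {
    "max-pending-packets": ("max-pending-packets",),
    "default-packet-size": ("default-packet-size",),
    "thread-ratio": ("threading", "detect-thread-ratio"),
    "flow memcap": ("flow", "memcap"),
    "flow hash-size": ("flow", "hash-size"),
    "profile": ("detect", "profile"),
    "mode": ("nfq", "mode"),
}
POSITIVE_INT = ("max-pending-packets", "default-packet-size", "flow hash-size")
NFQ_MODES = ("accept", "repeat", "route")
DETECT_PROFILES = ("low", "medium", "high")
MEMCAP_RE = re.compile(r"^\d+(kb|mb|gb)?$", re.IGNORECASE)


def _positive_float(value):
    try:
        return float(value) > 0
    except ValueError:
        return False


def verify(cli):
    """Checker stage: list of error strings (empty means Suricata would accept
    every value). Mirrors the verify() step of a VyOS config handler."""
    errors = []
    for node, value in cli.items():
        if node not in CLI_TO_YAML:
            errors.append(f"{node}: unknown node")
        elif node in POSITIVE_INT and not (value.isdigit() and int(value) > 0):
            errors.append(f"{node}: '{value}' must be a positive integer")
        elif node == "thread-ratio" and not _positive_float(value):
            errors.append(f"{node}: '{value}' must be a positive number")
        elif node == "flow memcap" and not MEMCAP_RE.match(value):
            errors.append(f"{node}: '{value}' must look like 128mb")
        elif node == "profile" and value not in DETECT_PROFILES:
            errors.append(f"{node}: '{value}' is not one of {', '.join(DETECT_PROFILES)}")
        elif node == "mode" and value not in NFQ_MODES:
            errors.append(f"{node}: '{value}' is not one of {', '.join(NFQ_MODES)}")
    return errors


def generate(cli):
    """Handler stage: render the suricata.yaml fragment for the verified values.
    Raises ValueError with the checker's findings instead of writing a bad file."""
    errors = verify(cli)
    if errors:
        raise ValueError("; ".join(errors))
    tree = {}
    for node, value in cli.items():
        *parents, leaf = CLI_TO_YAML[node]
        cur = tree
        for key in parents:
            cur = cur.setdefault(key, {})
        cur[leaf] = value
    if tree.get("nfq", {}).get("mode") == "repeat":
        # repeat mode re-injects packets; Suricata marks them so the queue
        # rule does not catch them a second time (stock default values).
        tree["nfq"].setdefault("repeat-mark", "1")
        tree["nfq"].setdefault("repeat-mask", "1")
    return "%YAML 1.1\n---\n" + _dump(tree) + "\n"


def _dump(node, indent=0):
    """Minimal YAML emitter for nested str/dict values; keys sorted for stable diffs."""
    pad = "  " * indent
    lines = []
    for key in sorted(node):
        if isinstance(node[key], dict):
            lines.append(f"{pad}{key}:")
            lines.append(_dump(node[key], indent + 1))
        else:
            lines.append(f"{pad}{key}: {node[key]}")
    return "\n".join(lines)


if __name__ == "__main__":
    proposed = {"max-pending-packets": "1024", "thread-ratio": "1.5",
                "flow memcap": "128mb", "profile": "medium", "mode": "repeat"}
    print(generate(proposed), end="")
    print(verify({"mode": "reject"}))
```

The fragment can be written next to suricata.yaml and pulled in with Suricata's include directive, or merged into the main file. The emitter quotes nothing, which is only safe because verify() restricts every value to tokens that need no quoting; that is the reason the checker runs before, not after, the file is written.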

just tagging me in here to show support/interest/tag for future updates.
pretty exciting stuff, thanks!

Hello Viecheslav,

So can we install it, or is it already available?
How do we inspect logs, detections, ...?

Thanks.

@WebToor It’s too early to talk about it yet.

Just want to be updated on this feature request.

  • me2

Likely way forward here?

1 Like

We have a native CLI for containers: "set container name foo xxx"

Hey! Just jumping in here: have you had any thoughts on using CrowdSec? - crowdsec.net

1 Like

You beat me to this one :grin:

Crowdsec would indeed be a nice addition. Very lightweight.

I would prefer that much more than snort or suricata.

As I see it, crowdsec works with iptables; we use nftables.

wget https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh
os=Debian dist=bullseye ./script.deb.sh

apt install crowdsec

root@r14:/home/vyos# cscli collections list
INFO[06-08-2022 01:50:37 PM] Ignoring file /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml of type parsers 
-----------------------------------------------------------------------------------------------------------------
 NAME                                 📦 STATUS    VERSION  LOCAL PATH                                           
-----------------------------------------------------------------------------------------------------------------
 crowdsecurity/apache2                ✔️  enabled  0.1      /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/dovecot                ✔️  enabled  0.1      /etc/crowdsec/collections/dovecot.yaml               
 crowdsecurity/iptables               ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml              
 crowdsecurity/linux                  ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/nginx                  ✔️  enabled  0.1      /etc/crowdsec/collections/nginx.yaml                 
 crowdsecurity/sshd                   ✔️  enabled  0.1      /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/whitelist-good-actors  ✔️  enabled  0.1      /etc/crowdsec/collections/whitelist-good-actors.yaml 
 crowdsecurity/base-http-scenarios    ✔️  enabled  0.3      /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/modsecurity            ✔️  enabled  0.1      /etc/crowdsec/collections/modsecurity.yaml           
 crowdsecurity/naxsi                  ✔️  enabled  0.1      /etc/crowdsec/collections/naxsi.yaml                 
 crowdsecurity/vsftpd                 ✔️  enabled  0.1      /etc/crowdsec/collections/vsftpd.yaml                
 crowdsecurity/wordpress              ✔️  enabled  0.1      /etc/crowdsec/collections/wordpress.yaml             
 crowdsecurity/mysql                  ✔️  enabled  0.1      /etc/crowdsec/collections/mysql.yaml                 
 crowdsecurity/postfix                ✔️  enabled  0.2      /etc/crowdsec/collections/postfix.yaml               
-----------------------------------------------------------------------------------------------------------------
root@r14:/home/vyos# 

Not sure exactly, as I'm not a crowdsec user :slight_smile:

Update: nftables is also supported by the bouncers.

CrowdSec reads logs from different sources (files, streams, ...) to parse, normalize and enrich them before matching them to threat patterns called scenarios.

Suricata and others read packets and their patterns; they are different solutions.

Hey!

I'm head of moderation on our discord. Feel free to join us if you want to discuss more.

Aydan

Hi,

I would only use a bouncer on the VyOS device which would update a network-group that is used in a firewall rule for instance. Local services might be monitored just for some basic protection.

The way we use this is running the crowdsec agent on servers with public services and block attackers at the edge of the network straight away using a bouncer.

I think I could write a simple bouncer which updates a network group in config, or we just use the basic nftables bouncer to update an nft ipset.

Sander

1 Like

I can write a simple PoC using a network group, or use nftables directly. Which would be preferred, @syncer?
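For the nftables variant that the two posts above discuss, here is an added example (not CrowdSec's firewall bouncer, not VyOS code, and not from the thread) of the core of such a bouncer: it reads the LAPI decision stream, keeps only "ban" decisions on Ip/Range scopes, refuses anything overlapping the router's own prefixes, and renders an nft batch whose set elements carry the decision's remaining lifetime as a timeout. The LAPI address, the bouncer key, the table/set/chain names, the prerouting hook and priority, the HOME_NETS list and the sample stream reply are all assumptions; the "/v1/decisions/stream" endpoint with the X-Api-Key header is the documented bouncer API.

```python
import ipaddress
import json
import re
import subprocess
import urllib.request

# Assumed deployment values (not from the thread): the LAPI runs on the router and
# the key was issued with `cscli bouncers add vyos-nft`.
LAPI_URL = "http://127.0.0.1:8080"
API_KEY = "REPLACE-WITH-KEY-FROM-cscli-bouncers-add"
TABLE = "inet crowdsec"             # assumed nft table name
SETS = {4: "ban4", 6: "ban6"}       # assumed set names, one per address family
# Prefixes that must never be banned whatever the LAPI says (assumed values).
HOME_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8:1::/48")]

# Constructed reply shaped like GET /v1/decisions/stream?startup=true (not real LAPI output).
SAMPLE_STREAM = json.dumps({
    "new": [
        {"id": 1, "type": "ban", "scope": "Ip", "value": "203.0.113.10", "duration": "3h59m52s"},
        {"id": 2, "type": "ban", "scope": "Range", "value": "198.51.100.0/24", "duration": "167h"},
        {"id": 3, "type": "captcha", "scope": "Ip", "value": "198.51.100.9", "duration": "1h"},
        {"id": 4, "type": "ban", "scope": "Ip", "value": "2001:db8:bad::1", "duration": "1h"},
        {"id": 5, "type": "ban", "scope": "Ip", "value": "192.0.2.7", "duration": "1h"},
    ],
    "deleted": [
        {"id": 6, "type": "ban", "scope": "Ip", "value": "203.0.113.99", "duration": "-12m"},
    ],
})

_DURATION = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s)")


def duration_seconds(text):
    """Go-style duration ('3h59m52s') to whole seconds; an expired one ('-12m') gives 0."""
    if text.startswith("-"):
        return 0
    scale = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
    return int(sum(float(n) * scale[u] for n, u in _DURATION.findall(text)))


def ban_target(decision):
    """ip_network a decision should block, or None to ignore it: only 'ban' on Ip/Range
    scopes belongs in a packet filter (captcha etc. are for HTTP bouncers), and anything
    overlapping HOME_NETS is refused so a bad decision cannot cut the router off."""
    if decision.get("type") != "ban" or decision.get("scope") not in ("Ip", "Range"):
        return None
    try:
        net = ipaddress.ip_network(decision.get("value", ""), strict=False)
    except ValueError:
        return None
    if any(net.overlaps(h) for h in HOME_NETS if h.version == net.version):
        return None
    return net


def element(net):
    """nft element syntax: bare address for a host, CIDR for a range."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def bootstrap_batch():
    """Idempotent nft batch: table, interval+timeout sets, and a prerouting drop chain.
    'flush chain' before re-adding the rules stops them duplicating on every run.
    Hook and priority are assumptions; compare with the ruleset VyOS itself generates."""
    return [
        f"add table {TABLE}",
        f"add set {TABLE} {SETS[4]} {{ type ipv4_addr; flags interval, timeout; }}",
        f"add set {TABLE} {SETS[6]} {{ type ipv6_addr; flags interval, timeout; }}",
        f"add chain {TABLE} bouncer {{ type filter hook prerouting priority -150; policy accept; }}",
        f"flush chain {TABLE} bouncer",
        f"add rule {TABLE} bouncer ip saddr @{SETS[4]} counter drop",
        f"add rule {TABLE} bouncer ip6 saddr @{SETS[6]} counter drop",
    ]


def build_batch(payload):
    """One stream reply -> (adds, deletes). Each add carries the decision's remaining
    lifetime as the element timeout, so entries expire even if the bouncer dies."""
    adds, dels = [], []
    for d in payload.get("new") or []:          # LAPI sends null, not [], when empty
        net = ban_target(d)
        if net is not None:
            adds.append(f"add element {TABLE} {SETS[net.version]} "
                        f"{{ {element(net)} timeout {duration_seconds(d['duration'])}s }}")
    for d in payload.get("deleted") or []:
        net = ban_target(d)
        if net is not None:
            dels.append(f"delete element {TABLE} {SETS[net.version]} {{ {element(net)} }}")
    return adds, dels


def sample_batch():
    """The constructed reply run through build_batch (what __main__ prints)."""
    return build_batch(json.loads(SAMPLE_STREAM))


def fetch_stream(startup):
    """Live pull from the LAPI (needs the key and network; not exercised offline)."""
    url = f"{LAPI_URL}/v1/decisions/stream?startup={'true' if startup else 'false'}"
    req = urllib.request.Request(url, headers={"X-Api-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def run_nft(lines, check_only=True):
    """Feed a batch to nft on stdin; with -c nft only validates it, changing nothing."""
    cmd = ["nft", "-c", "-f", "-"] if check_only else ["nft", "-f", "-"]
    return subprocess.run(cmd, input="\n".join(lines) + "\n", text=True).returncode


if __name__ == "__main__":
    adds, dels = sample_batch()
    print("\n".join(bootstrap_batch() + adds))
    for line in dels:       # one per run: a batch aborts if any element is already gone
        print(line)
```

Two details matter more than the plumbing. First, deletions are rendered separately and meant to be applied one at a time: an nft batch is atomic and aborts entirely if a single "delete element" names an entry that already expired by timeout, which is the common case. Second, run the generated batch through "nft -c -f -" once before letting it touch the kernel, because "flags interval, timeout" on one set and the chosen hook priority relative to the VyOS-generated chains are exactly the things to confirm on the target kernel and release.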

It depends on what exactly you are wanting to protect.
If it is simple ssh brute forces, you can use

set service ssh dynamic-protection

It uses sshguard, but in theory you can set up custom logs to parse.
There are a lot of modules that are not used in VyOS, like apache2, dovecot, MySQL, and so on.
A simple PoC will be useful.