Just for the record…in old Vyatta there was a “set content-inspection” command (see Deploying a Vyatta Core Firewall | SANS Institute or https://docs.huihoo.com/vyatta/6.0/Vyatta_SecurityRef_R6.0_v03.pdf for instance)
Yup, that's right. It had Snort built into it.
I've been thinking about this and have started looking at using Suricata, and then offloading it to a backend using Evebox. That way no data processing or storage is done on VyOS. But then, looking at how detections occur: how do we push rules based on those back into VyOS?
Well, at least for the moment I’ve manually installed them.
Once Suricata is installed and inspecting nfqueue 0 (`-q 0`), you can send packets to it by passing the action "inspect" to a firewall rule:

```
set firewall name FROM-INTERNET default-action drop
set firewall name FROM-INTERNET description "From Internet"
set firewall name FROM-INTERNET rule 10 description "Pass port 22 traffic to Suricata"
set firewall name FROM-INTERNET rule 10 action inspect
set firewall name FROM-INTERNET rule 10 protocol tcp
set firewall name FROM-INTERNET rule 10 destination port ssh
```

and this will send packets to nfqueue 0.
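Once the diverted traffic produces alerts in Suricata's eve.json (or in Evebox, as proposed earlier in the thread), the open question is how to decide which sources are worth feeding back into VyOS. The following is an added example, not code from this thread, from VyOS or from Suricata: a small Python triage step over constructed EVE JSON lines that keeps only `alert` events, tolerates a truncated line, aggregates hits per source address, and returns the sources that cross a threshold. The field names (`event_type`, `src_ip`, `alert.signature`, `alert.severity`) follow Suricata's EVE alert format; the addresses, signature ids/names and the threshold values are assumptions made for this example.

```python
import ipaddress
import json

# Constructed EVE JSON lines in the shape Suricata writes to eve.json (one object per line).
# Field names follow the EVE alert schema; addresses, signature ids and names are made up.
# The last line is deliberately truncated to mimic a partially written record.
SAMPLE_EVE = """\
{"timestamp":"2022-06-08T13:50:01+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE SSH scan","severity":2}}
{"timestamp":"2022-06-08T13:50:02+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE SSH scan","severity":2}}
{"timestamp":"2022-06-08T13:50:03+0000","event_type":"flow","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP"}
{"timestamp":"2022-06-08T13:50:04+0000","event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE SSH brute force","severity":2}}
{"timestamp":"2022-06-08T13:50:05+0000","event_type":"alert","src_ip":"2001:db8::9","dest_ip":"2001:db8:1::10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE SSH scan","severity":3}}
{"timestamp":"2022-06-08T13:50:06+0000","event_type":"alert","src_ip":"198.51.100.77","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000003,"signature":"EXAMPLE exploit attempt","severity":1}}
{"timestamp":"2022-06-08T13:50:07+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE SSH scan","severity":2}}
{"timestamp":"2022-06-08T13:50:08+0000","event_type":"alert","src_ip":"203.0.113.7"
"""


def parse_alerts(text):
    """Yield alert events from EVE text; skip other event types and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole batch
        if event.get("event_type") == "alert":
            yield event


def aggregate_by_source(events):
    """Per normalised source IP: hit count, worst severity (1 = highest) and signatures seen."""
    stats = {}
    for event in events:
        try:
            src = str(ipaddress.ip_address(event["src_ip"]))
        except (KeyError, ValueError):
            continue  # no usable source address: nothing to attribute the alert to
        alert = event.get("alert", {})
        entry = stats.setdefault(src, {"count": 0, "severity": 99, "signatures": set()})
        entry["count"] += 1
        entry["severity"] = min(entry["severity"], int(alert.get("severity", 99)))
        entry["signatures"].add(alert.get("signature", "<unnamed>"))
    return stats


def offenders(stats, min_count=2, high_severity=1):
    """Sources worth acting on: repeated hits, or a single hit at the highest severity."""
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_count or s["severity"] <= high_severity)


def triage(text, **thresholds):
    """Convenience wrapper: EVE text in, sorted list of offending source IPs out."""
    return offenders(aggregate_by_source(parse_alerts(text)), **thresholds)


if __name__ == "__main__":
    stats = aggregate_by_source(parse_alerts(SAMPLE_EVE))
    for ip in offenders(stats):
        print(f"{ip}: {stats[ip]['count']} alert(s), worst severity {stats[ip]['severity']}, "
              f"{', '.join(sorted(stats[ip]['signatures']))}")
```

The thresholds are where policy lives: a single severity-1 hit is enough on its own, while lower severities need repeated hits before a source is listed, which keeps one noisy scan signature from blocking a whole address on the first packet.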
Is there anyone actively working on this?
I would like to help with this, but I am not familiar enough with VyOS to know where I should start.
Any pointers would be appreciated, such as which repo I would need to modify/look at, and the general structure of the project.
Some Ideas I have had:
- Support IPS/inline mode in Suricata
- For logging I was thinking that we could just use Syslog to start, other log exporters might be better to be added globally for all of VYOS to use
Yes, I'm very interested in incorporating an IDS/IPS module. SquidGuard doesn't provide IDS/IPS functionality with the proxy?
suricata.yaml.txt (72.6 KB)
Successfully installed on Buster.
Suricata configs in YAML format (/etc/suricata/suricata.yaml)
I think it will work with python handlers/checkers.
Intrusion Detection System (IDS) - only detect
Intrusion Protection System (IPS) - firewall match pattern
Multi pattern match (mpm)
For set syntax, I see it:

```
set service detection engine ids
set service detection engine ids max-pending-packets
set service detection engine ids default-packet-size
set service detection engine ids thread-ratio
set service detection engine ids flow memcap
set service detection engine ids flow hash-size
set service detection engine ids profile (mpm|prefilter)
set service detection engine ids update-rules    (update from internet with /usr/bin/suricata-update)
set service detection engine ips rule x action (pass|drop|reject|alert)
set service detection engine ips inspection-recursion-limit
set service detection engine ips mode accept
set service detection engine ips mode repeat
set service detection engine log
```
Filter
etc…
just tagging me in here to show support/interest/tag for future updates.
pretty exciting stuff, thanks!
Hello Viecheslav,
So can we install it, or is it already available?
How do we inspect logs, detections, ...?
Thanks.
Just want to be updated on this feature request.
Just want to be updated on this feature request.
- me2
Likely way forward here?
We have native CLI for containers “set container name foo xxx”
You beat me to this one
Crowdsec would indeed be a nice addition. Very lightweight.
I would prefer that much more than snort or suricata.
As far as I can see, CrowdSec works with iptables; we use nftables.
```
wget https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh
os=Debian dist=bullseye ./script.deb.sh
apt install crowdsec
```

```
root@r14:/home/vyos# cscli collections list
INFO[06-08-2022 01:50:37 PM] Ignoring file /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml of type parsers
-----------------------------------------------------------------------------------------------------------------
 NAME                                   📦 STATUS    VERSION  LOCAL PATH
-----------------------------------------------------------------------------------------------------------------
 crowdsecurity/apache2                  ✔️  enabled  0.1      /etc/crowdsec/collections/apache2.yaml
 crowdsecurity/dovecot                  ✔️  enabled  0.1      /etc/crowdsec/collections/dovecot.yaml
 crowdsecurity/iptables                 ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml
 crowdsecurity/linux                    ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml
 crowdsecurity/nginx                    ✔️  enabled  0.1      /etc/crowdsec/collections/nginx.yaml
 crowdsecurity/sshd                     ✔️  enabled  0.1      /etc/crowdsec/collections/sshd.yaml
 crowdsecurity/whitelist-good-actors    ✔️  enabled  0.1      /etc/crowdsec/collections/whitelist-good-actors.yaml
 crowdsecurity/base-http-scenarios      ✔️  enabled  0.3      /etc/crowdsec/collections/base-http-scenarios.yaml
 crowdsecurity/modsecurity              ✔️  enabled  0.1      /etc/crowdsec/collections/modsecurity.yaml
 crowdsecurity/naxsi                    ✔️  enabled  0.1      /etc/crowdsec/collections/naxsi.yaml
 crowdsecurity/vsftpd                   ✔️  enabled  0.1      /etc/crowdsec/collections/vsftpd.yaml
 crowdsecurity/wordpress                ✔️  enabled  0.1      /etc/crowdsec/collections/wordpress.yaml
 crowdsecurity/mysql                    ✔️  enabled  0.1      /etc/crowdsec/collections/mysql.yaml
 crowdsecurity/postfix                  ✔️  enabled  0.2      /etc/crowdsec/collections/postfix.yaml
-----------------------------------------------------------------------------------------------------------------
root@r14:/home/vyos#
```
Not sure exactly, as I'm not a CrowdSec user.
Update: nftables is also supported by the bouncers.
CrowdSec reads logs from different sources (files, streams, ...) to parse, normalize and enrich them before matching them against threat patterns called scenarios.
Suricata and others read packets and their patterns; they are different solutions.
Hey!
I'm head of moderation on our Discord. Feel free to join us if you want to discuss more.
Aydan
Hi,
I would only use a bouncer on the VyOS device which would update a network-group that is used in a firewall rule for instance. Local services might be monitored just for some basic protection.
The way we use this is running the crowdsec agent on servers with public services and block attackers at the edge of the network straight away using a bouncer.
I think I could write a simple bouncer which updates a network group in config, or we just use the basic nftables bouncer to update an nft ipset.
Sander
I can write a simple PoC using a network group, or use nftables directly, which would be preferred @syncer ?
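The bouncer sketched above (something on the VyOS side that keeps a network-group in step with CrowdSec decisions, so a firewall rule referencing that group does the blocking) is essentially a reconciliation loop. The following Python is an added example, not code from this thread, from CrowdSec or from VyOS: it takes a list of decisions whose fields (`value`, `scope`, `type`, `until`) are modelled loosely on CrowdSec's decision objects and constructed here, keeps only unexpired `ban` decisions, validates every value as an IPv4/IPv6 address or prefix, and diffs the result against the group's current members so that only the `set`/`delete` commands actually needed are emitted. The group names `CROWDSEC-BLOCK` and `CROWDSEC-BLOCK6`, the decision JSON and the "current members" sets are all assumptions made for the example.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Assumed VyOS group names; a firewall rule would reference them as its source group.
GROUP_V4 = "CROWDSEC-BLOCK"    # set firewall group network-group CROWDSEC-BLOCK ...
GROUP_V6 = "CROWDSEC-BLOCK6"   # set firewall group ipv6-network-group CROWDSEC-BLOCK6 ...

# Constructed decisions. The fields (value, scope, type, until) are modelled loosely on
# CrowdSec decision objects; the addresses are documentation ranges, not real attackers.
SAMPLE_DECISIONS = json.dumps([
    {"value": "203.0.113.7", "scope": "Ip", "type": "ban", "until": "2099-01-01T00:00:00Z"},
    {"value": "198.51.100.0/24", "scope": "Range", "type": "ban", "until": "2099-01-01T00:00:00Z"},
    {"value": "192.0.2.99", "scope": "Ip", "type": "ban", "until": "2000-01-01T00:00:00Z"},     # expired
    {"value": "192.0.2.100", "scope": "Ip", "type": "captcha", "until": "2099-01-01T00:00:00Z"},  # not a ban
    {"value": "2001:db8::9", "scope": "Ip", "type": "ban", "until": "2099-01-01T00:00:00Z"},
    {"value": "not-an-ip", "scope": "Ip", "type": "ban", "until": "2099-01-01T00:00:00Z"},      # malformed
])


def desired_members(decisions_json, now=None):
    """Active ban decisions as canonical CIDR strings, split into IPv4 and IPv6 sets.

    `now` must be a timezone-aware datetime; it defaults to the current UTC time.
    """
    now = now or datetime.now(timezone.utc)
    v4, v6 = set(), set()
    for d in json.loads(decisions_json):
        if d.get("type") != "ban":
            continue  # captcha/throttle decisions are not firewall material
        try:
            until = datetime.fromisoformat(d["until"].replace("Z", "+00:00"))
            net = ipaddress.ip_network(d["value"], strict=False)
        except (KeyError, ValueError):
            continue  # never turn a malformed value into config
        if until <= now:
            continue  # expired: must disappear from the group, not linger in it
        (v6 if net.version == 6 else v4).add(str(net))  # hosts become /32 or /128 prefixes
    return v4, v6


def reconcile(current, desired, path):
    """Only the set/delete commands needed to move `current` to `desired` (idempotent)."""
    cmds = [f"delete {path} network {m}" for m in sorted(current - desired)]
    cmds += [f"set {path} network {m}" for m in sorted(desired - current)]
    return cmds


def bouncer_commands(decisions_json, current_v4=(), current_v6=(), now=None):
    """VyOS configure-mode commands that bring both groups in line with the decisions."""
    v4, v6 = desired_members(decisions_json, now)
    return (reconcile(set(current_v4), v4, f"firewall group network-group {GROUP_V4}")
            + reconcile(set(current_v6), v6, f"firewall group ipv6-network-group {GROUP_V6}"))


if __name__ == "__main__":
    # Pretend the IPv4 group currently holds one stale entry and one still-valid entry.
    for cmd in bouncer_commands(SAMPLE_DECISIONS, current_v4={"192.0.2.99/32", "203.0.113.7/32"}):
        print(cmd)
```

Emitting only the delta matters for a router: a full rewrite of the group on every poll would churn the nftables set and make the commit log unreadable, whereas the diff form is idempotent and makes the expiry of a ban an explicit `delete` that shows up in the configuration history. Reading the group's current members back from the running config, and applying the commands through a VyOS configure session, are the two parts left out here.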
It depends on what exactly you are wanting to protect.
If it is simple SSH brute forcing, you can use

```
set service ssh dynamic-protection
```

It uses sshguard,
but in theory you can set up custom logs to parse.
There are a lot of modules that are not used in VyOS, like apache2, dovecot, MySQL, and so on.
A simple PoC will be useful