IDS/IPS Integration

We have native CLI for containers “set container name foo xxx”

Hey! Just jumping in here have you had any thoughts of using CrowdSec? -


You beat me to this one :grin:

Crowdsec would indeed be a nice addition. Very lightweight.

I would prefer that much more than snort or suricata.

As I see crowdsec works with iptables, we use nftables

os=Debian dist=bullseye ./

apt install crowdsec

root@r14:/home/vyos# cscli collections list
INFO[06-08-2022 01:50:37 PM] Ignoring file /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml of type parsers 
 NAME                                 📦 STATUS    VERSION  LOCAL PATH                                           
 crowdsecurity/apache2                ✔️  enabled  0.1      /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/dovecot                ✔️  enabled  0.1      /etc/crowdsec/collections/dovecot.yaml               
 crowdsecurity/iptables               ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml              
 crowdsecurity/linux                  ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/nginx                  ✔️  enabled  0.1      /etc/crowdsec/collections/nginx.yaml                 
 crowdsecurity/sshd                   ✔️  enabled  0.1      /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/whitelist-good-actors  ✔️  enabled  0.1      /etc/crowdsec/collections/whitelist-good-actors.yaml 
 crowdsecurity/base-http-scenarios    ✔️  enabled  0.3      /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/modsecurity            ✔️  enabled  0.1      /etc/crowdsec/collections/modsecurity.yaml           
 crowdsecurity/naxsi                  ✔️  enabled  0.1      /etc/crowdsec/collections/naxsi.yaml                 
 crowdsecurity/vsftpd                 ✔️  enabled  0.1      /etc/crowdsec/collections/vsftpd.yaml                
 crowdsecurity/wordpress              ✔️  enabled  0.1      /etc/crowdsec/collections/wordpress.yaml             
 crowdsecurity/mysql                  ✔️  enabled  0.1      /etc/crowdsec/collections/mysql.yaml                 
 crowdsecurity/postfix                ✔️  enabled  0.2      /etc/crowdsec/collections/postfix.yaml               

Not sure exectly as I’m not crowdsec user :slight_smile:

Update nftables also supported bouncers

CrowdSec reads logs from different sources (files, streams …) to parse, normalize and enrich them before matching them to threats patterns called scenarios.

Surricata and other reads packets and their patterns it is different solutions


I’m head of moderation on our discord. Feel free to join us if you want to discus more?



I would only use a bouncer on the VyOS device which would update a network-group that is used in a firewall rule for instance. Local services might be monitored just for some basic protection.

The way we use this is running the crowdsec agent on servers with public services and block attackers at the edge of the network straight away using a bouncer.

I think I could write a simple bouncer which updates a network group in config, or we just use the basic nftables bouncer to update an nft ipset.


1 Like

I can write a simple PoC using a network group, or use nftables directly, which would be preferred @syncer ?

It depends on what exactly you are wanting to protect.
If it is simple ssh brute forces, you can use

set service ssh dynamic-protection

It uses sshguard but in theory, you can set up custom logs to parse
There are a lot of modules that are not used in VyOS like apach2, dovecot, MySQL, and so on.
A simple PoC will be useful

Network group seems to be better for the beginning. But the best is to have configurable commands or set names for adding and removing items from firewall settings.

Wanted to share my opinion. This is strictly my personal opinion and I understand this is a community so others have and are entitled to differing opinions.

For me, VyOS is a router OS with some firewall capabilities. I would reach for it as an alternate resource to things like Cisco ISR/ASR, and it fantastic in this regard. Innovation is great, but, I would hate to see too much get added that makes VyOS a “Jack of all trades but master of none.” Really if I wanted to run IDS/IPS, advanced firewall capabilities, etc., I would reach for a dedicated firewall solution whose focus is entirely on that, something I would run behind my VyOS router. It kind of makes me worried to see all this stuff getting added (or talked about adding) like apache, MySQL, IPS, containers, etc., that open up more attack surface and take VyOS beyond a rock solid routing platform.

But, I can also understand the desire to extend it elsewhere.

1 Like

For my VyOS is most near of Cisco ASA not CX but you can make the same firewall protections as the ASA.

If you need IDP/IPS, try a LAB with PVE (Proxmox) or VSphere-ESXi and install VyOS as Router/Firewall and another VM with Suricatta Snort,… or differents IDS/IPS OpenSource solutions.

For this is the best way to implement NextGen FW solution that you drive at 100% .

I’ve successfully set up Suricatta with VyOS zone based firewall, just have no clue how to set up evebox.

Anyone have pointers they could share?

It seems to me that all of this functionality could be hosted within containers rather than being embedded in the core system. Perhaps I’m overlooking some complexities related to integration? Given that containers are already available, it appears the system is already quite extensible. If third parties developed support for the VyOS API and the containers communicated with this API, there would be notable security benefits in addition to what should be relatively straightforward implementations. Just my 3 cents :wink:

1 Like