We have native CLI for containers “set container name foo xxx”
You beat me to this one
Crowdsec would indeed be a nice addition. Very lightweight.
I would prefer that much more than snort or suricata.
As far as I can see, crowdsec works with iptables; we use nftables.
wget https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh
os=Debian dist=bullseye ./script.deb.sh
apt install crowdsec
root@r14:/home/vyos# cscli collections list
INFO[06-08-2022 01:50:37 PM] Ignoring file /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml of type parsers
-----------------------------------------------------------------------------------------------------------------
NAME 📦 STATUS VERSION LOCAL PATH
-----------------------------------------------------------------------------------------------------------------
crowdsecurity/apache2 ✔️ enabled 0.1 /etc/crowdsec/collections/apache2.yaml
crowdsecurity/dovecot ✔️ enabled 0.1 /etc/crowdsec/collections/dovecot.yaml
crowdsecurity/iptables ✔️ enabled 0.1 /etc/crowdsec/collections/iptables.yaml
crowdsecurity/linux ✔️ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/nginx ✔️ enabled 0.1 /etc/crowdsec/collections/nginx.yaml
crowdsecurity/sshd ✔️ enabled 0.1 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/whitelist-good-actors ✔️ enabled 0.1 /etc/crowdsec/collections/whitelist-good-actors.yaml
crowdsecurity/base-http-scenarios ✔️ enabled 0.3 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/modsecurity ✔️ enabled 0.1 /etc/crowdsec/collections/modsecurity.yaml
crowdsecurity/naxsi ✔️ enabled 0.1 /etc/crowdsec/collections/naxsi.yaml
crowdsecurity/vsftpd ✔️ enabled 0.1 /etc/crowdsec/collections/vsftpd.yaml
crowdsecurity/wordpress ✔️ enabled 0.1 /etc/crowdsec/collections/wordpress.yaml
crowdsecurity/mysql ✔️ enabled 0.1 /etc/crowdsec/collections/mysql.yaml
crowdsecurity/postfix ✔️ enabled 0.2 /etc/crowdsec/collections/postfix.yaml
-----------------------------------------------------------------------------------------------------------------
root@r14:/home/vyos#
Not sure exactly, as I'm not a crowdsec user.
Update: nftables is also supported by bouncers.
CrowdSec reads logs from different sources (files, streams …) to parse, normalize and enrich them before matching them to threat patterns called scenarios.
Suricata and others read packets and their patterns; they are different solutions.
Hey!
I'm head of moderation on our Discord. Feel free to join us if you want to discuss more.
Aydan
Hi,
I would only use a bouncer on the VyOS device which would update a network-group that is used in a firewall rule for instance. Local services might be monitored just for some basic protection.
The way we use this is running the crowdsec agent on servers with public services and block attackers at the edge of the network straight away using a bouncer.
I think I could write a simple bouncer which updates a network group in config, or we just use the basic nftables bouncer to update an nft ipset.
Sander
I can write a simple PoC using a network group, or use nftables directly, which would be preferred @syncer ?
It depends on what exactly you are wanting to protect.
If it is simple ssh brute forces, you can use
set service ssh dynamic-protection
It uses sshguard
but in theory, you can set up custom logs to parse
There are a lot of modules that are not used in VyOS like apache2, dovecot, MySQL, and so on.
A simple PoC will be useful
Network group seems to be better for the beginning. But the best is to have configurable commands or set names for adding and removing items from firewall settings.
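As an added illustration of the network-group approach discussed in the two posts above (a PoC written for this thread, not code from VyOS or CrowdSec), the sketch below turns a CrowdSec Local API decision stream into VyOS `set`/`delete` commands for a firewall network group. It assumes the default LAPI address, a bouncer key placeholder from `cscli bouncers add`, and a group named crowdsec-blocklist; the sample stream is constructed.

```python
"""Hypothetical PoC bouncer: CrowdSec LAPI decision stream -> VyOS firewall network-group."""
import ipaddress
import json
import urllib.request

# Assumptions, not from the thread: default LAPI address, a key from `cscli bouncers add`, a group name.
LAPI_URL = "http://127.0.0.1:8080"
BOUNCER_API_KEY = "REPLACE-WITH-KEY-FROM-cscli-bouncers-add"
NETWORK_GROUP = "crowdsec-blocklist"

def fetch_decisions(startup: bool = False) -> dict:
    """Pull the decision delta from the LAPI stream endpoint (startup=true returns the full list)."""
    url = f"{LAPI_URL}/v1/decisions/stream?startup={'true' if startup else 'false'}"
    req = urllib.request.Request(url, headers={"X-Api-Key": BOUNCER_API_KEY})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def decisions_to_commands(stream: dict, group: str = NETWORK_GROUP) -> list:
    """Map ban decisions on IPs/ranges to VyOS set/delete commands; deletions are emitted first."""
    cmds = []
    for key, verb in (("deleted", "delete"), ("new", "set")):
        for d in stream.get(key) or []:  # LAPI sends null rather than [] for an empty list
            if d.get("type") != "ban" or d.get("scope", "").lower() not in ("ip", "range"):
                continue  # captcha decisions and country/AS scopes do not fit a network group
            try:
                net = ipaddress.ip_network(d["value"], strict=False)
            except ValueError:
                continue  # malformed value: skip it rather than abort the whole batch
            kind = "network-group" if net.version == 4 else "ipv6-network-group"
            cmd = f"{verb} firewall group {kind} {group} network {net.with_prefixlen}"
            if cmd not in cmds:  # the same IP can carry several decisions; apply it once
                cmds.append(cmd)
    return cmds

def render_vbash(cmds: list) -> str:
    """Wrap the commands in the VyOS script-template so they are committed as one transaction."""
    return ("#!/bin/vbash\nsource /opt/vyatta/etc/functions/script-template\nconfigure\n"
            + "\n".join(cmds) + "\ncommit\nexit\n")

# Constructed sample of a stream response (not real LAPI output).
SAMPLE_STREAM = {
    "new": [
        {"scope": "Ip", "type": "ban", "value": "203.0.113.7", "duration": "3h59m"},
        {"scope": "Range", "type": "ban", "value": "198.51.100.0/24", "duration": "4h"},
        {"scope": "Ip", "type": "ban", "value": "2001:db8::1", "duration": "4h"},
        {"scope": "Ip", "type": "captcha", "value": "192.0.2.9", "duration": "4h"},
    ],
    "deleted": [{"scope": "Ip", "type": "ban", "value": "192.0.2.55", "duration": "-1h"}],
}
```

Calling `render_vbash(decisions_to_commands(fetch_decisions(startup=True)))` on first start produces a script for the full current decision list; later polls with `startup=False` return only the delta. Note that VyOS refuses to `delete` a network entry that is not present, so a production bouncer would reconcile against the live group rather than trusting the stream blindly.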
Wanted to share my opinion. This is strictly my personal opinion and I understand this is a community so others have and are entitled to differing opinions.
For me, VyOS is a router OS with some firewall capabilities. I would reach for it as an alternate resource to things like Cisco ISR/ASR, and it is fantastic in this regard. Innovation is great, but I would hate to see too much get added that makes VyOS a "Jack of all trades but master of none." Really, if I wanted to run IDS/IPS, advanced firewall capabilities, etc., I would reach for a dedicated firewall solution whose focus is entirely on that, something I would run behind my VyOS router. It kind of makes me worried to see all this stuff getting added (or talked about adding) like apache, MySQL, IPS, containers, etc., that open up more attack surface and take VyOS beyond a rock solid routing platform.
But, I can also understand the desire to extend it elsewhere.
For me, VyOS is closest to the Cisco ASA, not the CX, but you can build the same firewall protections as on the ASA.
If you need IDS/IPS, try a lab with PVE (Proxmox) or vSphere/ESXi: install VyOS as router/firewall and another VM with Suricata, Snort, … or other open-source IDS/IPS solutions.
For me this is the best way to implement a NextGen FW solution that you control 100%.
I've successfully set up Suricata with the VyOS zone-based firewall, I just have no clue how to set up evebox.
Anyone have pointers they could share?
It seems to me that all of this functionality could be hosted within containers rather than being embedded in the core system. Perhaps I’m overlooking some complexities related to integration? Given that containers are already available, it appears the system is already quite extensible. If third parties developed support for the VyOS API and the containers communicated with this API, there would be notable security benefits in addition to what should be relatively straightforward implementations. Just my 3 cents