We reserved the following hardware for VyOS; we want to make it an NGFW. What AI technology can we integrate with VyOS?
My other question: there is ddos-protection in VyOS, where we have to enter the threshold value. Instead, can it do IDS automatically and also provide an IPS feature through artificial intelligence?
I would be glad if you could help me with this process.
Server:
HP DL380 Gen8
2x E5-2697v2
64GB Ram
4x 600GB SAS (15K) (RAID 10)
4x Dual port 10G sfp+ pci card
I don’t believe there’s any AI technology at the moment that you can integrate with VyOS (I would love to be shown otherwise).
This sounds like the sort of thing you might have to develop and test yourself. My only suggestion is that the container feature of VyOS makes adding third-party software to a VyOS router quite easy, so that is probably the best route to explore.
As a result of some research, I learned that Suricata integration is possible and that it can work integrated with VyOS as an IDS. We are currently building a test environment and I will share the results again.
Internally we’ve done some PoC using VyOS and Suricata container.
For this, I used the queue action from the firewall to pass traffic to the container. Firewall example:
## Send packets to Suricata. Any packet with mark != 1 will be enqueued to Suricata.
## If a packet was already inspected by Suricata and returned to the firewall, this rule won’t match,
## because Suricata returns the packet with mark=1.
set firewall ipv4 forward filter rule 5 action 'queue'
set firewall ipv4 forward filter rule 5 mark '!1'
set firewall ipv4 forward filter rule 5 queue '1'
## Once the packet is returned, continue with the firewall analysis
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 state established 'enable'
set firewall .......
Then, container creation commands:
mkdir /config/suricata
mkdir /config/suricata/etc
mkdir /config/suricata/logs
mkdir /config/suricata/rules
# op-mode command
add container image jasonish/suricata:6.0.14
# config-commands
set container name suricata allow-host-networks
set container name suricata arguments '-q 1'
set container name suricata cap-add 'net-admin'
set container name suricata cap-add 'sys-admin'
set container name suricata image 'jasonish/suricata:6.0.14'
set container name suricata memory '1024'
set container name suricata volume ETC destination '/etc/suricata'
set container name suricata volume ETC source '/config/suricata/etc'
set container name suricata volume LOGS destination '/var/log/suricata'
set container name suricata volume LOGS source '/config/suricata/logs'
set container name suricata volume RULES destination '/var/lib/suricata'
set container name suricata volume RULES source '/config/suricata/rules'
Then continue with the Suricata configuration in the configuration files, and connect to the Suricata container.
Custom rules can be added in /config/suricata/rules/rules/suricata.rules.
Also bear in mind that the Suricata configuration file /config/suricata/etc/suricata.yaml should include:
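Once the container is writing eve.json into the LOGS volume, the next thing you want is a quick way to see which rules fired and whether your drop rules are actually dropping (the difference between running as an IDS and as an IPS). The script below is an added example for this thread, not code from VyOS, Suricata or any of the posters. It assumes the volume paths from the PoC above (/config/suricata/logs/eve.json and /config/suricata/rules/rules/suricata.rules, both host-side) and that eve-log output is enabled; when those files are absent it falls back to constructed sample records and a constructed local rules file, so it runs offline.

```python
#!/usr/bin/env python3
"""Summarise Suricata EVE alerts from the VyOS container's LOGS volume.

Added example for this thread, not VyOS or Suricata code. Paths below are
assumptions taken from the PoC volume layout; the sample data is constructed.
"""
import json
import re
from collections import Counter, defaultdict
from pathlib import Path
from typing import Iterable, Iterator

EVE_LOG = Path("/config/suricata/logs/eve.json")            # host side of the LOGS volume (assumed)
RULES_FILE = Path("/config/suricata/rules/rules/suricata.rules")  # custom rules file from the PoC (assumed)

# Constructed EVE records (not captured from a real router): two sids from upstream
# and local rules, one flow record, one corrupt line, and one explicit drop event.
SAMPLE_EVE = """\
{"timestamp": "2024-05-01T10:00:00.000000+0000", "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 51000, "dest_ip": "192.0.2.10", "dest_port": 80, "proto": "TCP", "alert": {"action": "allowed", "signature_id": 2000000, "rev": 3, "signature": "UPSTREAM sample signature (constructed)", "severity": 2}}
{"timestamp": "2024-05-01T10:00:01.000000+0000", "event_type": "alert", "src_ip": "10.0.0.7", "src_port": 51001, "dest_ip": "192.0.2.10", "dest_port": 22, "proto": "TCP", "alert": {"action": "blocked", "signature_id": 1000001, "rev": 1, "signature": "LOCAL SSH brute force", "severity": 2}}
{"timestamp": "2024-05-01T10:00:02.000000+0000", "event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10"}
not json at all
{"timestamp": "2024-05-01T10:00:03.000000+0000", "event_type": "drop", "src_ip": "10.0.0.7", "src_port": 51002, "dest_ip": "192.0.2.10", "dest_port": 22, "proto": "TCP", "alert": {"action": "blocked", "signature_id": 1000001, "rev": 1, "signature": "LOCAL SSH brute force", "severity": 2}}
{"timestamp": "2024-05-01T10:00:04.000000+0000", "event_type": "alert", "src_ip": "10.0.0.5", "src_port": 51003, "dest_ip": "192.0.2.10", "dest_port": 80, "proto": "TCP", "alert": {"action": "allowed", "signature_id": 1000002, "rev": 1, "signature": "LOCAL HTTP probe", "severity": 3}}
{"timestamp": "2024-05-01T10:00:05.000000+0000", "event_type": "alert", "src_ip": "10.0.0.9", "src_port": 51004, "dest_ip": "192.0.2.53", "dest_port": 53, "proto": "UDP", "alert": {"action": "allowed", "signature_id": 1000003, "rev": 1, "signature": "LOCAL DNS tunnel", "severity": 2}}
"""

# Constructed local rules of the kind one would append to suricata.rules.
SAMPLE_RULES = """\
# local rules (constructed)
drop tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH brute force"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL HTTP probe"; content:"/.env"; http_uri; sid:1000002; rev:1;)
drop udp any any -> any 53 (msg:"LOCAL DNS tunnel"; dsize:>512; sid:1000003; rev:1;)
"""

ACTION_RE = re.compile(r"^\s*(alert|drop|reject|pass)\s")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def local_rule_index(text: str) -> dict:
    """Map sid -> (action, msg) for every rule line; comments and blanks are skipped."""
    index = {}
    for line in text.splitlines():
        action, msg, sid = ACTION_RE.match(line), MSG_RE.search(line), SID_RE.search(line)
        if action and sid:
            index[int(sid.group(1))] = (action.group(1), msg.group(1) if msg else "")
    return index


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield alert and drop records only; flow/stats records and corrupt lines are ignored."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") in ("alert", "drop") and isinstance(ev.get("alert"), dict):
            yield ev


def summarize(events: Iterable[dict], local_rules: dict) -> dict:
    """Count events per signature and source, and record the verdict seen per sid."""
    by_sig, by_src = Counter(), Counter()
    actions_by_sid = defaultdict(Counter)
    total = blocked = local_hits = 0
    for ev in events:
        alert = ev["alert"]
        sid = alert["signature_id"]
        # A drop event, or an alert whose action is "blocked", means Suricata dropped the packet.
        verdict = "blocked" if ev["event_type"] == "drop" or alert.get("action") == "blocked" else "allowed"
        total += 1
        if verdict == "blocked":
            blocked += 1
        if sid in local_rules:
            local_hits += 1
        by_sig[(sid, alert.get("signature", "?"))] += 1
        by_src[ev.get("src_ip", "?")] += 1
        actions_by_sid[sid][verdict] += 1
    return {"total": total, "blocked": blocked, "local_hits": local_hits,
            "by_sig": by_sig, "by_src": by_src, "actions_by_sid": dict(actions_by_sid)}


def check_enforcement(summary: dict, local_rules: dict) -> list:
    """Return sids of local drop rules that fired but never produced a blocked verdict.

    That pattern means Suricata saw the traffic but did not drop it, i.e. the rule is
    behaving as an IDS alert rather than an IPS drop; worth checking before trusting it.
    """
    flagged = []
    for sid, (action, _msg) in sorted(local_rules.items()):
        verdicts = summary["actions_by_sid"].get(sid)
        if action == "drop" and verdicts and verdicts["blocked"] == 0:
            flagged.append(sid)
    return flagged


def main() -> None:
    rules_text = RULES_FILE.read_text() if RULES_FILE.exists() else SAMPLE_RULES
    eve_lines = EVE_LOG.read_text().splitlines() if EVE_LOG.exists() else SAMPLE_EVE.splitlines()
    rules = local_rule_index(rules_text)
    summary = summarize(iter_events(eve_lines), rules)
    print(f"{summary['total']} alert/drop events, {summary['blocked']} blocked, "
          f"{summary['local_hits']} from local rules")
    for (sid, signature), count in summary["by_sig"].most_common():
        print(f"  {count:6d}  sid {sid}  {signature}{'  [local]' if sid in rules else ''}")
    print("top sources:", summary["by_src"].most_common(3))
    for sid in check_enforcement(summary, rules):
        print(f"WARNING: local drop rule sid {sid} fired but nothing was blocked; "
              f"check that Suricata is really inline on the queue")


if __name__ == "__main__":
    main()
```

Run it on the router with `sudo python3 eve_summary.py` once the container has produced some traffic; with the constructed sample it reports five events, two of them blocked, and warns that sid 1000003 is a drop rule that only ever logged "allowed".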
This should probably become a sticky somewhere for how to get Suricata going.
The only change I had to make was this:
vyos@vyos# set firewall ipv4 forward filter rule 10 state established 'enable'
Configuration path: firewall ipv4 forward filter rule 10 state established [enable] is not valid
Set failed
I dropped ‘enable’ and the queue rule seems to be working! Beyond that I have no idea.
Rulesets Information
---------------------------------
ipv4 Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ----------- -----------------------------------
5 queue all 13084798 11797226732 meta mark != 0x00000001 queue to 1
10 accept all 9863358 10935549025 ct state established accept
default accept all 9 2104