« Previous 1 2 3 4 Next »
OPNids: Suricata with built-in machine learning
Packet Checker
Not Off the Rack
Although Suricata is ready to be installed out of the box, Dragonfly MLE is a different matter. The product is available as free software on GitHub, not from repositories of the major distributors, which this means work on your end. You need to install Dragonfly MLE manually, build a package, or put it into a Docker container.
A container would be the most elegant and cleanest way to run the MLE, because the underlying system remains untouched. However, this approach is not very convenient, either, because the whole process of integrating Suricata and Dragonfly MLE has to be completed manually.
OPNids to the Rescue
OPNids, which can be found on GitHub [3], could come in handy now. Although not written by the OPNsense developers, it is a direct fork of OPNsense; therefore, it makes sense to take a brief look at the starting point.
OPNsense (Figure 3) modestly describes itself as a high-end open source security firewall. At its core, OPNsense operates as a stateful firewall with on-board packet filtering. However, it is enriched with all kinds of functions. OPNsense comes with its own graphical interface (dashboard) and its own management tool for active firewall rules, as well as two-factor authentication and a traffic shaper, which can kill the data flow if necessary. OPNsense can act as an endpoint for a classic VPN connection and as a proxy with a cache function for outgoing traffic.
The OPNsense component list also includes an IDS in the form of Suricata (Figure 4) that can be controlled and administered from a GUI, bringing Suricata into action even faster than on standard systems. The program has a good set of standard signatures, so you can save the trouble of trial and error.
OPNids Derivative
OPNsense is available under a completely free license, so it was no problem for the OPNids developers to use it as a basis for new software. If the OPNsense developers had addressed the issue of machine learning, they would probably have integrated that functionality into OPNsense right away. The fact that this did not happen could still become a problem for OPNids – but more about that later.
If you want to use OPNids instead of OPNsense, you might encounter problems, because OPNids offers a single feature that OPNsense lacks, and OPNsense offers a powerful feature set, but not the MLE functionality. As a true drop-in replacement, neither of the solutions can replace the other.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.