OPNids: Suricata with built-in machine learning

Packet Checker

Complex Build

Unlike the developers of OPNsense, the OPNids developers do not currently provide ISO images of their product. You cannot download a single file from which to install the OPNids appliance. However, the OPNsense tools and the OPNids GitHub directory can be used to build ISO images – as mentioned in a manual [7] – although not very conveniently.

Once you've fought your way through the process, the basic OPNsense framework of OPNids is ready for action. Additionally, the Dragonfly MLE-specific entries are immediately available in the web GUI, but for incomprehensible reasons they are disabled in OPNids in the default installation, so you have to enable them first. You also has to remember to define the port on the machine running OPNids as a mirror port on the switch; otherwise, OPNids will not see all the packets in its environment.

Annoyingly, although OPNids integrates Dragonfly MLE, you still have to configure central settings like teaming up Suricata and Dragonfly MLE manually. This process simply feels as if the OPNids developers have not completed their work (Figure 5).

Figure 5: Although OPNids comes with a GUI plugin for Dragonfly MLE, it turns out not to be very useful. © OPNids

Uncertain Future?

This awkward impression is also backed by something that came to light during working on this article: The OPNids website [8] suddenly disappeared from the web. When called up at press time, all I got back was a Connection Refused , which cannot be the result of a lack of popularity for OPNids, because many other sites link to it. This made me suspect that the overhead of maintaining what is in part an OPNsense fork is simply too much for the OPNids developers. Although diversity is one of the key factors in the FL/OSS world, sometimes it makes more sense to join forces than to do your own thing.

The amount of work that an admin has to invest to use OPNids in a meaningful way by far exceeds the effort needed to configure Suricata and OPNids manually on an off-the-shelf Linux system. Also, the GUI, which takes care of the Suricata and Dragonfly MLE configuration in OPNids, is missing, although it only really helps you with OPNids for Suricata.

The part that deals with Dragonfly MLE, on the other hand, offers little added value. Whether you type the names of Suricata logfiles to be monitored in a configuration file or a path box in the web interface doesn't matter in the end. The Suricata in OPNids is a standard configuration – you could even set automatically where the EVE log resides and how Dragonfly MLE can access it. Instead, the OPNids interface forces you into a bout of pointless mouse pushing.

Dragonfly MLE is still under active development, but the last commit in the OPNids GitHub repo was quite a while ago. I can't rule out hearing the OPNids swan song some time soon. Given the current state of the project, this would not be a tragedy either.

Conclusions

The idea of automatically detecting attacks on the basis of various factors and rating them with a points system seems clever and makes a lot of sense. If it works for SpamAssassin, for example, it can also be applied to an IDS: The patterns of incoming traffic have certain characteristics, so the probability that something undesirable is lurking out there increases. If you train an engine for IDS rules to recognize these patterns and adapt its heuristics in a meaningful way, it can actually detect attacks autonomously.

Dragonfly MLE was explicitly designed for use with Suricata, which means that its developers have undoubtedly put their money on the best horse in the open source IDS systems stable. Combined with OPNids, however, it is not very exciting. OPNids seems more dead than alive. It remains to be seen whether it really makes sense to use a half-baked fork of a well-functioning solution in the production environment of a setup. Most admins would intuitively say no to this question anyway.

Luckily, Dragonfly MLE development is still ongoing, and if you run Suricata and the MLE on Linux, you get a functional combination for automatic threat detection, and it is precisely what I would advise you to do at the end of the day. OPNids is certainly a neat idea, but it is currently not possible to use it in a meaningful way.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus