OPNids: Suricata with built-in machine learning

Packet Checker

Not Off the Rack

Although Suricata is ready to be installed out of the box, Dragonfly MLE is a different matter. The product is available as free software on GitHub, not from the repositories of the major distributors, which means work on your end: you need to install Dragonfly MLE manually, build a package, or put it into a Docker container.

A container would be the most elegant and cleanest way to run the MLE, because the underlying system remains untouched. However, this approach is not very convenient, either, because the whole process of integrating Suricata and Dragonfly MLE has to be completed manually.

OPNids to the Rescue

OPNids, which can be found on GitHub [3], could come in handy now. Although not written by the OPNsense developers, it is a direct fork of OPNsense; therefore, it makes sense to take a brief look at the starting point.

OPNsense (Figure 3) modestly describes itself as a high-end open source security firewall. At its core, OPNsense operates as a stateful firewall with on-board packet filtering. However, it is enriched with all kinds of functions. OPNsense comes with its own graphical interface (dashboard) and its own management tool for active firewall rules, as well as two-factor authentication and a traffic shaper, which can kill the data flow if necessary. OPNsense can act as an endpoint for a classic VPN connection and as a proxy with a cache function for outgoing traffic.

Figure 3: OPNsense is a popular firewall appliance based on free software. © OPNsense

The OPNsense component list also includes an IDS in the form of Suricata (Figure 4) that can be controlled and administered from a GUI, bringing Suricata into action even faster than on standard systems. The program has a good set of standard signatures, so you can save the trouble of trial and error.

Figure 4: OPNsense includes Suricata out of the box, but the Dragonfly MLE component for automatic learning is missing. © OPNsense

OPNids Derivative

OPNsense is available under a completely free license, so it was no problem for the OPNids developers to use it as a basis for new software. If the OPNsense developers had addressed the issue of machine learning, they would probably have integrated that functionality into OPNsense right away. The fact that this did not happen could still become a problem for OPNids – but more about that later.

If you want to use OPNids instead of OPNsense, you might encounter problems, because neither is a true drop-in replacement for the other: OPNids offers a single feature that OPNsense lacks, the MLE, whereas OPNsense offers a powerful feature set but no MLE functionality.
