Network Intrusion Detection on VNS3


This post originally appeared on the CohesiveFT blog

The Docker subsystem available since version 3.5 allows additional virtualized network functions (VNFs) to be run on VNS3. I’ve previously written about using this capability for content cachingSSL termination and load balancing. This time I’ll cover using it as a network intrusion detection system (NIDS).

Introducing Suricata

The archetypal NIDS system for Linux is Snort. Suricata is the newer alternative developed by the Open Information Security Foundation. It’s multi threaded, to make it more scalable, has improved protocol and file identification, and is somewhat easier to install and configure (though that’s taken care of with a Dockerfile anyway).

The demo application

For a little while I’ve used an application based on Nginx, Sinatra and MySQL to demo VNS3. It’s gratuitously three tier, but it’s a good way of showing off the various moving parts of an overlay network. The app implements a simple web based todo list with persistence to the database

Getting the traffic into the NIDS

Firstly I uploaded my suricata-demo Dockerfile to VNS3 to become a container image, then I allocated a container from it, which was given the first available IP of Getting traffic off the overlay and into the container just needs an entry like this in the firewall:

# copy all traffic from the overlay network to the NIDS container
MACRO_CUST -j COPY --from tun0 --to --bidirectional

Whilst I’m there it’s also worth putting in the rules so that I can connect to the container over SSH (in order to see detection in action):

# enable NAT to allow containers to talk to the outside world
-o eth0 -s -j MASQUERADE
# forward port 2222 from the VNS3 manager to port 22 on the container
PREROUTING_CUST -i eth0 -p tcp -s --dport 2222 -j DNAT --to

Application specific rules

A nice thing about application centric networks is that they can have application specific rules for intrusion detection – there’s no need to have a kitchen sink list of rules to catch every possible attack that would apply to an entire enterprise network.
For demo purposes I have a single rule that detects Mastercard numbers:

alert tcp any any  any any (pcre:"/5\d{3}(\s|-)?\d{4}(\s|-)?\d{4}(\s|-)?\d{4}/"; msg:"MasterCard number detected in clear text";sid:9000001;rev:1;)

This rule is looking for the pattern 5XXX-XXXX-XXXX-XXXX where each X is a digit and each – could be a dash, a space, or nothing. It’s not doing any validation that the numbers are valid Mastercard numbers, it’s just picking up the pattern of something that looks like a Mastercard number
When this triggers (by putting a Mastercard number into the todo list) an alert can be seen in Suricata’s fast.log file e.g.:

07/22/2014-19:51:20.753227  [**] [1:9000001:1] MasterCard number detected in clear text [**] [Classification: (null)] [Priority: 3] {TCP} ->;

Try it for yourself

The full cohesiveft/suricata image is available on Docker Hub (and Github). It uses Oinkmaster to pull a full set of rules from Emerging Threats.

The cut single rule down demo version cohesiveft/suricata-demo described above is also available on Docker Hub (and Github).

Whether you start out with a full rule set, and cut out the stuff that causes too much noise, or come at it the other way to build up a rule set to address specific concerns – the choice is yours.

One Response to “Network Intrusion Detection on VNS3”

  1. 1 RHAPIS

    The above demo can be explained also if you use a nids simulator like RHAPIS (

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: