
IDS/IPS Eventforwarding #17

Draft
majst01 wants to merge 7 commits into master from eventforwarding

Conversation

majst01 (Contributor) commented Jun 13, 2021

  • enable forwarding of different event types

@GrigoriyMikhalkin

TODO:

  • implement IDS and IPS forwarding, test basic functionality in mini-lab
  • ensure suricata can send IDS events to unix_dgram or unix_stream for eve output, decide which dgram|stream to use

TODO firewall-controller:

  • move suricata configuration reconciliation from metal-networker to firewall-controller
  • enable/disable IDS logforwarding depending on Firewall CRD

TODO after all above:

  • same for IPS

majst01 changed the title from "droptailer migrated" to "IDS/IPS Eventforwarding" on Jun 13, 2021

GrigoriyMikhalkin commented Jun 25, 2021

Regarding socket type. https://redmine.openinfosecfoundation.org/issues/250#note-12 -- it looks like there's not much of a difference between using dgrams and stream, since log size usually fits in single packet payload.

Also, I tested forwarding from a dgram socket and it works (with some modifications to the code).

GrigoriyMikhalkin commented Jul 2, 2021

@majst01 I'm not sure if it's worth having separate types for IDS/IPS events. In both cases, logs are written to the eve socket. The only difference is in the event (action) types. IMO, it's probably better (simpler) to leave only a single type (IDS) for both cases.

majst01 (Contributor, Author) commented Jul 4, 2021

Yes sure, we should forward both events into the same stream.

github-project-automation bot moved this to Review in Development on Jun 5, 2025
Gerrit91 removed the status in Development on Jun 13, 2025