In this case, it is better to consider snort as the defense and detection backend of IDS/IPS.

@jack9603301 can you explain snort perspectives and describe the difference between? Do you have experience with both IDS?

No, I mean, depending on your console option, it's better to provide complete IDs and IPS functions based on Snort. At present, we use snort to provide IDs or IPS protection functions to pfsense or opnsense open source firewalls, but full startup of this function requires system memory and CPU performance. Maybe it can work with DDoS detection instead of just providing DDoS attack detection. If not, I think the best way is to change the options of the console in order to avoid induction.

The router operating system supports intrusion detection and automatic defense, which may increase the memory and hardware requirements as well as performance load of the router, but for the optional, I feel it is OK.

Yes, it is possible not only to detect DoS/DDoS and also to make some reactions and run alert script.
Alert script receives next params:

#  $1 client_ip_as_string
#  $2 data_direction
#  $3 pps_as_string
#  $4 action (ban or unban)

OK, I think IDS detection may not only be the scope of DOS/DDOS detection and action linkage. Snort can monitor and scan data packets, and according to some set rule base to detect the existence of attack behavior, but open snort The detection and defense functions have requirements on the system hardware and software equipment configuration indicators. The specific addresses can be found at the following addresses (as far as I know, opnsense and pfsense support this detection):

https://www.snort.org/

If you don't consider the complete IDS/IPS support for the time being and only consider DDOS/DOS detection, then the command line may be changed to the following form:

set service ddos-detection mode mirror
set service ddos-detection  listen-interface ethX
set service ddos-detection  network 10.0.0.0/24
set service ddos-detection  network 10.5.5.0/24
set service ddos-detection  direction input
set service ddos-detection  threshold fps 3500
set service ddos-detection  threshold pps 60000
set service ddos-detection  threshold mbps 300
set service ddos-detection  alert-script /tmp/alert.sh

If you consider full IDS/IPS support and support DDOS/DOS detection at the same time, the command line may be changed to the following form:

set ids ddos-detection mode mirror
set ids ddos-detection  listen-interface ethX
set ids ddos-detection  network 10.0.0.0/24
set ids ddos-detection  network 10.5.5.0/24
set ids ddos-detection  direction input
set ids ddos-detection  threshold fps 3500
set ids ddos-detection  threshold pps 60000
set ids ddos-detection  threshold mbps 300
set ids ddos-detection  alert-script /tmp/alert.sh

I agree with @jack9603301 on this, as fastnetmon is not a ids solution, and only focuses on ddos protection it is best to avoid ids in the command syntax alltogether...

set service ddos-detection seams to be a good submode for this

Should we provide the script which perform the change and define what action can be performed in the xml?

@jack9603301
The task of IDS (Intrusion Detection System) is to detect and register attacks, and also to alert when a certain rule is triggered.
If we will use snort and suricata in the future (not a fact), it helps to group logical paths for certain commands.

set service ids fastnetmon
set service ids snort
set service ids suricata

But it another topic for snort, suricata, etc https://forum.vyos.io/t/ids-ips-integration/2067/14

@Viacheslav If so, the following commands are recommended at least:

set service ids fastnetmon
set service ids snort
set service ids suricata

Change to the following command:

set service ddos-detection
set service ids

or

set service ids ddos-detection
set service ids snort
set service ids suricata

In fact, I prefer the former because vyos does not need two exactly the same functions to support IDs and IPS. For example, Snort and Suricata only need one of them. Fastnetmon is not an IDS solution, but only focuses on the protection of DDoS/DOS. Therefore, it is not recommended to set the command syntax according to the original scheme, and it should not be confused with full-featured IDs.

I know that IDs of opnsense and pfsense may belong to one of Snort or Suricata (at least pfsense is snort), but as opnsense and pfsense realize, we don't need two exactly the same functions to be implemented in the same system unless we have to.

At the same time, you should avoid using words that may allow users to guess the meaning of their functions. For example, fastnetmon can use ddos-detection.

The following is a good solution:

set service ddos-detection
set service ids

I suppose "service ids ddos-protection" makes sense indeed.

PR https://github.com/vyos/vyos-1x/pull/487 with changed CLI to service ids ddos-protection.

Necessary run service with priority for correct starting https://github.com/vyos/vyos-1x/pull/489

Can I make a suggestion? Since this DDoS detection supports user script processing, it is better to migrate the script during the vyos upgrade to prevent script loss

Hi @jack9603301 , in normal condition all scripts and files should be migrated from /config/ directory on the migration process.