Suricata - IDS on AsusWRT Merlin

Or is there a third configuration that would make more sense?
To avoid waste, I would do this:

Code:
       INTARWEBS
          | |
  AC3200 + Diversion + Skynet + Suricata
          | |
         Aimesh
          | |
         AC3100
 
I uninstalled Cake-QoS and installed FlexQoS 0.9.2.
I had to re-enable Adaptive QoS
I have no idea. With Cake-QoS it works.

In the logs, the message is this:
Code:
Jul  6 19:29:04 kernel: device ppp0 entered promiscuous mode
Jul  6 19:29:05 kernel: device br0 entered promiscuous mode

Network devices must be in promiscuous mode.
 
Code:
Jul 10 06:41:16 kernel: protocol 0800 is buggy, dev br0
Jul 10 06:41:16 kernel: protocol 0000 is buggy, dev eth0

Known issue with Adaptive QoS and Suricata - especially if you use the Asus/Trend Micro setup - AI protection, Adaptive QoS and the like.

On my AC68U I run FlexQoS ONLY (disabled/removed Suricata - it slowed my router to a halt). However, I wasn't seeing your error. I only saw those using the old FreshQoS scripts...
Thanks, I was afraid of that....
I like Suricata so I will likely go back to Cake.
 
To avoid waste, I would do this:

Code:
       INTARWEBS
          | |
 AC3200 + Diversion + Skynet + Suricata
           | |
         Aimesh
          | |
         AC3100
Thanks!

Two follow-ups:
1) I thought Suricata and Skynet were incompatible? Or was that worked out in the previous 20 pages somewhere?
2) What is the purpose of the 3100 if everything is running on the 3200? (Actually, I think it'd make more sense to run everything on the 3100, it has more power...) I was figuring Suricata has a lot of processing overhead, so it'd make more sense to run it separately.

So now I'm thinking:
Code:
       INTARWEBS
          | |
 AC3200 + Diversion + Skynet
          | |
    AC3100+Suricata
       (routing)
        /  '  \
         LAN

Putting Skynet outside Suricata will filter a lot of crap and give it less to process. Hopefully Suricata+routing isn't too much overhead...

Thanks again!
 
Some suggestions for installing suricata:

Code:
mkdir /opt/var/lib/suricata/rules
This does not work. I manually added this path with WinSCP.

I suggest this file instead:
nano /jffs/scripts/services-start

Edit:
How/Where can I see if suricata is working?
In syslog I saw it started, but what now?
In htop I don't see any suricata process: https://imgur.com/H94QIwr

Edit2:
When I restart my router, is suricata also automatically restarting?

Edit3:
Suricata stops after a few seconds.
Because, after a few seconds, when I run "/opt/etc/init.d/S82suricata start", it says "starting done" instead of "already running"...
 
Ok folks, long from an official release, I've ported @Martineau's rough script over to GitHub for more collaborative development for those interested. I had a look at it, and @rgnldo has added an issue, as have I.

Suricata install is more complex than the Cake scripts, and I would need time to sort through it and, more importantly, support it. Therefore I am encouraging community development if you want to see the pace pick up on this becoming a mainstream addon.

Personally, I'd like to see the script get to @Adamm's standards/menu etc., which is what the alpha branch is being used for. In the short term, any testers and developers (can't stress the importance of devs enough) to tweak the existing @Martineau variant as it's ported over -- please come forward and link up on GitHub.

Repo: https://github.com/ttgapers/suricata-merlin
Note: This is not prime time ready IMO so please backup your existing configs etc prior to testing!

Thanks and feedback appreciated. I wanted to give this update as people have been asking.....

Cheers
 
I appreciate this and hope to see it evolve. I did try using the basic script from Martineau but it would not allow me to install due to having Skynet installed. I didn't try the instructions from post 1 but I may try again later. I would rather use Suricata vs AIProtect. I had AIProtect enabled in the past and it seems the numbers always remain the same and nothing is being tracked.
 

I can look at disabling that, but the script as I went through should allow it as Skynet install is a "warning".

Confirmed:
Code:
# Check Skynet
            [ -f /jffs/scripts/firewall ] && echo -e $cBRED"\a\t[✖] ***Warning Skynet installed"

So it seems it should - so I'll have to test as well. Did you try disabling Skynet, completing the install and re-enabling it? I know I have Skynet running with Suricata and Cake with no issue, so it's one of the items I want to check, to see whether it's certain routers on which the combination poses issues.
 
I tried disabling Skynet and it still gave me the error message!

The script version I used was v1.03 (https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-10#post-582858)

but I gave up after that. I'm sure I can follow the instructions from post 1 and it should work without issues.
 
The code is testing for the existence of the skynet script on the router. Disabling it won't be enough with the code in its current state.

Yup caught that when investigating.

Updated the issue: https://github.com/ttgapers/suricata-merlin/issues/2

Note: I am not supporting the version 1.03 on pastebin, but the ported-over version, which is essentially the same (1.04).

Anyone wanna help out please do. Issue from @rgnldo updated to reflect the items before we can consider this stable.

Other item around shellcheck: https://github.com/ttgapers/suricata-merlin/issues/1

Thanks @Jack Yaz
 
I'm using version 5 of Suricata on my OpenBSD.

I made some adjustments for those who use the FW Merlin.

Deactivate the blocking lists for malware in your adblock. Suricata will do this job. I changed suricata.yaml on github.

With the attack_response rules, see http://testmyids.com
This site should not load then, and the IPS should log "GPL ATTACK_RESPONSE id check returned root":
Code:
uid=0(root) gid=0(root) groups=0(root)
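
Two questions in this thread ("How/Where can I see if suricata is working?", "is suricata also automatically restarting?") and the testmyids.com check above are the same problem: verifying the deployment. The script below is an added example, not code from the thread or from the suricata-merlin repo. It assumes the Entware layout used here (rules in /opt/var/lib/suricata/rules, fast.log under /opt/var/log/suricata, init script /opt/etc/init.d/S82suricata, autostart hook in /jffs/scripts/services-start); the signature name is the one quoted in the post above. Note that with alert rules (IDS mode, not an inline drop setup) the test page still loads; the fast.log entry is the evidence that Suricata saw it.

```shell
#!/bin/sh
# Added example (not from the thread or suricata-merlin): a health check for
# Suricata started by /opt/etc/init.d/S82suricata on an Entware-based Merlin
# router. All paths below are assumptions; override them via the environment.

RULES_DIR="${RULES_DIR:-/opt/var/lib/suricata/rules}"
FAST_LOG="${FAST_LOG:-/opt/var/log/suricata/fast.log}"
SERVICES_START="${SERVICES_START:-/jffs/scripts/services-start}"
TESTMYIDS_SIG="GPL ATTACK_RESPONSE id check returned root"

# 1. Is a suricata process alive right now? Prints its pid(s) when it is.
#    If this fails a few seconds after "S82suricata start" said "done",
#    Suricata exited early: look in its own log for the reason.
suricata_running() {
    pids=$(pidof suricata 2>/dev/null) && [ -n "$pids" ] || return 1
    echo "$pids"
}

# 2. Does the rules directory exist and hold at least one .rules file?
#    A plain "mkdir /opt/var/lib/suricata/rules" fails when the parent
#    directory is missing; "mkdir -p" creates the whole chain.
rules_dir_ok() {
    dir="${1:-$RULES_DIR}"
    [ -d "$dir" ] || return 1
    set -- "$dir"/*.rules
    [ -e "$1" ]
}

# 3. Will Suricata come back after a reboot? Only if an executable
#    services-start calls the init script.
autostart_ok() {
    f="${1:-$SERVICES_START}"
    [ -x "$f" ] && grep -q 'S82suricata' "$f"
}

# 4. Count fast.log alerts for a signature (default: the one testmyids.com
#    triggers). Prints 0 and fails if the log is unreadable.
count_alerts() {
    log="${1:-$FAST_LOG}"
    sig="${2:-$TESTMYIDS_SIG}"
    [ -r "$log" ] || { echo 0; return 1; }
    grep -c -F "$sig" "$log"
}

# Run all four checks and report; exit non-zero if any failed.
suricata_check() {
    rc=0
    if p=$(suricata_running); then echo "running (pid $p)"; else echo "NOT running"; rc=1; fi
    if rules_dir_ok; then echo "rules dir ok"; else echo "rules dir missing or empty"; rc=1; fi
    if autostart_ok; then echo "autostart hook ok"; else echo "no S82suricata call in services-start"; rc=1; fi
    echo "testmyids alerts so far: $(count_alerts "$FAST_LOG" "$TESTMYIDS_SIG")"
    return $rc
}
```

Save it, `sh` it on the router after visiting testmyids.com, and the last line should show a non-zero alert count; a "NOT running" a few seconds after a start matches the "starting done" symptom described earlier in the thread.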
 
Updated the config file.

I now have many error codes in my log about invalid and duplicate signatures :(

Additionally that site does load, with exactly the code you showed:
Code:
uid=0(root) gid=0(root) groups=0(root)

Reverted for now. Hope someone can help clarify.
 
I too have multiple error codes relating to duplicate signatures. It seems there is an overlap in the rules being loaded.
 
My errors in the log:

Code:
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Meth/"; fast_pattern; http_header; metadata: former_category SCAN; classtype:attempted-admin; sid:2030375; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_06_22, updated_at 2020_06_22;)"
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Meth/"; fast_pattern; http_header; metadata: former_category SCAN; classtype:attempted-admin; sid:2030375; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_06_22, updated_at 2020_06_22;)" from file /opt/var/lib/suricata/rules/emerging-scan.rules at line 703
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Masayki"; fast_pattern; http_header; classtype:attempted-admin; sid:2030470; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_07_06, updated_at 2020_07_06;)"
Jul 23 05:49:26 RT-AC86U suricata: 23/7/2020 -- 05:49:26 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Masayki"; fast_pattern; http_header; classtype:attempted-admin; sid:2030470; rev:1; metadata:affected_product Linux, attack_target IoT, deployment Perimeter, signature_severity Minor, created_at 2020_07_06, updated_at 2020_07_06;)" from file /opt/var/lib/suricata/rules/emerging-scan.rules at line 705
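
SC_ERR_DUPLICATE_SIG means a sid was loaded twice. The two ways that happens are a rule file listed twice under rule-files: in suricata.yaml (every sid in it is then seen twice, which is what the errors above from a single emerging-scan.rules look like) or the same sid defined in two different files, such as a local copy of an ET rule. The checks below are an added example, not from the thread or the suricata-merlin repo; the default paths are assumptions for the Entware layout, and both functions take an explicit path so they can be pointed anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or suricata-merlin): locate the source
# of SC_ERR_DUPLICATE_SIG before reloading rules. Default paths are assumed.

RULES_DIR="${RULES_DIR:-/opt/var/lib/suricata/rules}"
SURICATA_YAML="${SURICATA_YAML:-/opt/etc/suricata/suricata.yaml}"

# Print "sid file:line file:line ..." for every sid defined more than once
# across the rules directory. Commented-out rules are skipped, since
# Suricata does not load them either.
dup_sids() {
    dir="${1:-$RULES_DIR}"
    awk '
        /^[ \t]*#/ { next }
        match($0, /sid:[ \t]*[0-9]+/) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/[ \t]/, "", sid)
            count[sid]++
            where[sid] = where[sid] " " FILENAME ":" FNR
        }
        END {
            for (sid in count)
                if (count[sid] > 1) print sid where[sid]
        }
    ' "$dir"/*.rules 2>/dev/null | sort -n
}

# Print each file name that appears more than once under rule-files: in
# suricata.yaml. The list ends at the next top-level key; trailing
# comments on an entry are ignored.
dup_rule_files() {
    yaml="${1:-$SURICATA_YAML}"
    awk '
        /^rule-files:/ { inlist = 1; next }
        inlist && /^[^ \t#-]/ { inlist = 0 }
        inlist && /^[ \t]*-[ \t]*/ {
            f = $0
            sub(/^[ \t]*-[ \t]*/, "", f)
            sub(/[ \t]*(#.*)?$/, "", f)
            if (f != "") seen[f]++
        }
        END { for (f in seen) if (seen[f] > 1) print f }
    ' "$yaml" | sort
}
```

Run `dup_rule_files` first: a single repeated file name explains a whole batch of duplicate errors at once, whereas `dup_sids` output points at individual rules to delete or renumber.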
 
Updated the config file.

I now have many error codes in my log about invalid and duplicate signatures :(

Additionally that site does load, with exactly the code you showed:
Code:
uid=0(root) gid=0(root) groups=0(root)

Reverted for now. Hope someone can help clarify.
Suricata was doing its job with that response, if I read the instructions correctly. That would mean it's working correctly I think.
 
I now have many error codes in my log about invalid and duplicate signatures
Sorry. Fixed.

duplicate

- emerging-scan.rules
 
I too have multiple error codes relating to duplicate signatures. It seems there is an overlap in the rules being loaded.
Sorry. Fixed.

duplicate

- emerging-scan.rules
 
