Search results


  1. Suricata - IDS on AsusWRT Merlin

    ....SIGH.... Understandable; No time = No time. But I hope you continue to monitor this thread anyway. There are some smart participants here who are making good progress; perhaps someone will soon come up with an IPS configuration that "simply works", and the user need only tweak internal...
  2. Suricata - IDS on AsusWRT Merlin

    Ahhh..... so the "drop" should be replaced with "REJECT"; good. Does the rule otherwise seem valid?
  3. Suricata - IDS on AsusWRT Merlin

    1. I don't know what wDrop means; it appears that suricata changed the rule from drop to wdrop - irritating. Couldn't find it in the doc; maybe it has something to do with ICMP which could only be actually dropped in inline mode!? If you're handy with iptables, you might dump them and see...
  4. Suricata - IDS on AsusWRT Merlin

    1. Ahhh.... I'm guessing a "code" block will not be reformatted!? TU; I'll look into it. 2. Glad to see you're monitoring this thread!
  5. Suricata - IDS on AsusWRT Merlin

    Then deactivate the NextDNS block with a whitelist entry, or deactivate NextDNS entirely, or change the blocked destination within the rule to a different site acceptable to NextDNS. The purpose here is not to block http://wrs49.winshipway.com/ , but to get suricata "drops" to work.
  6. Suricata - IDS on AsusWRT Merlin

    Has anyone actually tested the IPS mode? (Reading rose-colored logs doesn't count). ISTM that if you can get any one rule to work (actually drops a connection and reports a "drop"), then they all likely work. http://wrs49.winshipway.com/ (34.211.233.68 52.36.140.135 ) is blocked by...
  7. Suricata - IDS on AsusWRT Merlin

    Yes!! And how did you test/confirm it? Presuming you had to create some custom rules, please share those rules (along with the config)
  8. YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

    My situation exactly. I'm a newbie; have an AC68; have thoughts; but mostly questions: 1. I created two guest networks - one each for two IOT water sensors (they don't need to communicate with each other; if one gets infected I don't want it to get t'other - or anything else). Then tightened...
  9. Suricata - IDS on AsusWRT Merlin

    I don't know its current status; I could never get the earlier version to actually drop test connections/content. IMHO dropping mischief is essential - I don't want to look at a log the next morning and see that something untoward occurred during the night.
  10. Suricata - IDS on AsusWRT Merlin

    Yes! IIUC one could create suppress actions for noisy rules when they connect with appropriate addresses - and which would not be suppressed if some other contact occurs. A custom file of ongoing suppressions would be easier to maintain than moving modified rules about.
  11. Suricata - IDS on AsusWRT Merlin

    Perhaps edit the rules so that suricata allows "good" communications. ISTM never ignore alert logging - especially if you're going to move to dropping malicious communications.
  12. Suricata - IDS on AsusWRT Merlin

    One approach is to EXPECT these and other "info" rules to pop up - a necessary function of teaching suricata about your setup - and keep them but to edit it/them to allow the ICMP from known devices. That way you won't get the "alerts" from a known, trusted device but will get an alert if...
  13. Suricata - IDS on AsusWRT Merlin

    Hard to know what the problem is here; was this an application doing its own encrypted DNS that is suspicious - avoiding a protected corporate DNS server; something a Trojan might do? (heh......Firefox can optionally do encrypted DNS avoiding the LAN). IF this is the logic, then you could...
  14. Suricata - IDS on AsusWRT Merlin

    Yes, which suggests that in IDS mode suricata is stacked inline after the firewall which is statefully and quietly blocking unrequested net noise; and with the assistance of Skynet and Diversion deliberately blocking known-bad sites. (IIRC in other computers Snort was independent of the FW...
  15. Suricata - IDS on AsusWRT Merlin

    Try: suricata -c /opt/etc/suricata/suricata.yaml -T
  16. Suricata - IDS on AsusWRT Merlin

    err....... nah! I'm old and over the hill. Something like this should be spearheaded by an energetic, young guy - preferably from Brazil - with a powerful, developer's computer. :-)
  17. Suricata - IDS on AsusWRT Merlin

    So here are the alerts - outgoing and incoming...
  18. Suricata - IDS on AsusWRT Merlin

    For me, the answer is Yes. In order to get it to function as IPS, rgnldo suggested the following https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-12#post-585513 I applied those changes to my week-old yaml and found that the IDS performance was improved, but IPS...
  19. Suricata - IDS on AsusWRT Merlin

    And for this we are VERY grateful!! Rgnldo, I have an observation and suggestion(s): There are a number of suggested tweaks to the yaml floating about - it is hard for us (and you) to know "which" yaml file is being discussed. May I STRONGLY suggest/request that you: 1. update your current...
  20. Suricata - IDS on AsusWRT Merlin

    Were we talking about going from v4.1.7-1 to v4.1.8 that might make sense - of course coordinating with rgnldo. Going from v4.1.7-1 to v5.0.3 will quite likely include configuration changes, changed compilation dependencies, perhaps new rule formats, etc. (I even noted af-packet specification...