Search results

  1. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    I'm sorta semi-retired from Android scene for a few years now (I check in every once in a while to see what new cool things are happening with Android), with just a bit of spare time remaining (work + family), I hack a few things I use on a daily basis (such as AsusWRT and some small open source...
  2. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    Did you load OpenAppID? My example rule was using OpenAppID to help filtering app specific traffic. Also check my 1st post where I posted my reference snort.lua file and see if you enabled OpenAppID correctly. Also use the Validation Cmdline to make sure all the rule sets are loaded properly.
  3. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    The rules are loaded in RAM (or cached in RAM), so if you updated the rules, you need to restart snort. Also you need to make sure snort.lua knows where those rules are (if you haven't already pointed to them). You could probably automate this using a shell script using cron, the only thing...
  4. faux123

    Suricata Suricata - IDS on AsusWRT Merlin

    The issues I had with IPv6 were related to the af_packet implementation of Suricata in IPS mode, I didn't look any further once I realized the bug in IPS mode. So I believe IDS mode is working fine esp with in pcap mode (which is the default if you followed the guided instructions).
  5. faux123

    is Possible to use a USB3 Hub on USB port?

    USB 3.0 devices will generate what they called "spread spectrum" noise ranging from 1 GHz all the way up to 7.5 GHz but its peak, however, is near the 2.4 GHz range, which is right at the 2.4 GHz WiFi bands. It's not just the hub, any 3.0 devices operating in 3.0 mode will "radiate" this...
  6. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    drop rules worked fine, just tested it, I added a rule to BLOCK facebook and when I tried to access facebook.com (and it didn't load) and I got this from the alert_fast.txt. drop tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; ) Here's my local.rules: drop...
  7. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    I have my snort3 running for days, I had to stop and restart last night to check my settings before posting.. I didn't have any issues with sudden stoppage. Since I don't have AX88U, I would monitor the memory usage to make sure it didn't "run out of memory". Background: Linux kernel has a...
  8. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    Thank you to RT-AX88U users, I have enough system stats.. it definitely looks like RT-AX88U is a CUT ABOVE my RT-AC86U as I expected. CPU, memory usage all looked much less stressed than mine, awesome!
  9. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    can people with RT-AX88U post your system stats for me to salivate over ;) cat /proc/meminfo cat /proc/buddyinfo uptime Thanks!
  10. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    This is compatible with Skynet (almost everything is since Skynet is using iptables for blocking so does not interfere with snort3, though because of the preset blocking rules from skynet, it means snort3 won't be looking at all those malicious sites already blocked by skynet).
  11. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    Just monitor your temperatures closely, as long as it's below 100 degrees C (before router decides to thermal protect itself) you should be fine.
  12. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    Try this, add -- from line 32 to line 35 (basically taking out the incorrect lua path setup)
  13. faux123

    [Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

    What is Snort? It is an open source intrusion prevention system (IPS) capable of real-time traffic analysis and packet logging. Snort is an open source project under Gnu Public License (GPL) 2.0, it is an open source alternative to some of the proprietary IDS/IPS such as TrendMicro's AiProtect...
  14. faux123

    Suricata Suricata - IDS on AsusWRT Merlin

    Another update to my forked firmware: https://github.com/faux123/asuswrt-merlin.ng/releases/tag/384.19.0-enh2 BTW, snort3 is working well as IPS, should I release it? Do people want another IPS tool (it will have high load so a fan or an ice box is required and will slow down internet speed...
  15. faux123

    Suricata Suricata - IDS on AsusWRT Merlin

    Maybe... Snort3 is a memory hog as well by default (pun intended), serious tweaks had to be made to get it to run on AC86U. With it running in multi-threaded mode (currently 2 threads total, 1 thread per core), the system load is averaging around ~4.60 and sometimes as high as in the 9s...
  16. faux123

    Suricata Suricata - IDS on AsusWRT Merlin

    Another totally off-topic update: I've run Snort classic (2.x series) which is single threaded in IPS using af_packet no issues at all with random drops (TCP connection issues), then I managed to run Snort3 (multi-threaded) alpha version again in IPS mode using af_packet, no issues again with...
  17. faux123

    Suricata Suricata - IDS on AsusWRT Merlin

    completely off-topic: I got snort running in IPS mode using af_packet... testing right now... seems to be working okay so far without sudden drop in connections.. gonna let it brew for a while. The biggest drawback using snort is it's single threaded (but from a packet inspection perspective...
  18. faux123

    Suricata Suricata - IDS on AsusWRT Merlin

    The problem is lack of enough real RAM on AC86U. Whenever you swap, even with SSD, it's NOT fast enough to do "inline" IPS where the packet is intercepted as it comes in and inspected against various rules then "copy" back out. If the system needs to rely on "swapping", the effects of this...
  19. faux123

    scMerlin scMerlin - service and script control menu for AsusWRT-Merlin

    Thank you, the script worked great! Now I don't ever need to log on to the WebUI for checking simple temperature readings!