Anyone successfully using snort on AC68U or similar ?

develox

Regular Contributor
I've spent some hours yesterday on this issue. I've installed Entware on a dedicated USB stick (I tried with Optware first as this was already installed, but the snort package there was too old and couldn't find appropriate rules). The installed package "as is" needs several tweaks to configuration to have it run, but integrating and adapting what I found here

http://tomatousb.org/forum/t-369388/step-by-step-procedure-for-installing-and-configuring-snort

I succeeded in doing it. However, after everything appeared properly set up, the app would crash right after startup because of low memory (couldn't allocate some memory pool). For this reason I configured a 0.5GB swap file on the USB stick, and with this everything went "apparently" fine.

Apparently, because the on-screen messages seem ok and the log file seems ok, but I couldn't see any alert. I tried to configure a specific rule to alert on a ping to a specific machine in the network, but without success.

Could anyone shed some light on it?

Thanks in advance
Peppe
 
Disable NAT acceleration.
 
Hi Eric,

thanks for posting. I've checked and now remember, NAT acceleration was already disabled before I started with this all.

Any other hint would be helpful.

Peppe

Have you double-checked to make sure it is not running?
I think you can confirm with the command "lsmod | grep ctf".
 
Thank you as well. Checking as you suggest, I get an empty result (i.e. the grep doesn't find what I asked for). I'm not knowledgeable enough (yet) to understand what the module you suggest looking for is. Having not found it, is that a problem indicator? Any suggestion on how to overcome it?

So far I had relied on messages I could get from the log and the screen. On the screen, upon completion of the startup procedure, I can read the following, which I thought could be summarised (to my eyes) as "ok, everything's up and running":

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build 149)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 8.36 2014-09-26
Using ZLIB version: 1.2.8

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 2.4 <Build 1>
Preprocessor Object: SF_SDF Version 1.1 <Build 1>
Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
Preprocessor Object: SF_SIP Version 1.1 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: SF_SSH Version 1.1 <Build 3>
Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
Preprocessor Object: SF_GTP Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>

Commencing packet processing (pid=23521)

Thanks !
 
Keep in mind that the four ports on the router are a switch. Any traffic going on your LAN between wired machines will not register in Snort, because that traffic will be switched, not routed.
 
Right Eric, indeed I had configured the ICMP rule to log traffic between the router and the modem/router (this is not configured in bridge mode, so I can manipulate traffic from it to the AC68U as coming from the WAN).

In the end logging came out; I had to correct a mistake in the rule and make it loose (tracing any any any any) to be sure.

Interestingly enough, I see my ping attempts from my modem/router to the AC68U, though the pings were not replied to since I disabled answering ping from the WAN on the AC68U. That might turn out useful: I can know who's pinging even though they don't get replies.

But much more interestingly, it came out during the test a few minutes ago that a ping from the AC68U was going out to an address (217.165.xx.xx) which is located in the UAE (it looks like a residential IP address in a local telco ISP over there) ... and I can't currently think of a single reason why this should happen; there's nothing I use located over there afaik. Comprehensibly, the alert comes out in this form:

03/18-07:24:39.200840 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 192.168.1.2 -> 217.165.xx.xx

where 192.168.1.2 is the AC68U's address in the modem/router's LAN. Because of the NAT on the AC68U, I can't actually see if the ping came out from the AC68U itself (why should it?) or from the machine I'm using to SSH into and operate it (more probably).

Any chance to work things out so as to get more details?

Thanks again
Peppe
 
What type of ICMP? ICMP packets aren't used just for pings, there are various types of ICMP packets.
 
Correct, I had not distinguished the type. I've just configured rules to distinguish iTypes and restarted snort. I'll collect alerts today and see what happens in more detail. Thanks again.

Peppe
 
I've collected ICMP packets in the log all day. Indeed, the vast majority of them are of type Destination Unreachable, while the minority is made up of pairs of Echo Request and Reply. However, amongst the roughly couple of thousand alerts (all ICMP tests), just one alert was not a test and seems to deserve attention (though the origin, Canonical, at first appears incompatible with being a source of problems):

[**] [1:6700:19] FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 91.189.92.174:80 -> 192.168.1.2:47529

Now I have to learn to understand if something like this is serious or not. Yet, given I see only this, apart from understanding if it's dangerous, how can I learn which machine it was really directed to (192.168.1.2 is the router behind which I operate)?

Thanks !
Peppe
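As an added example (not code from the thread, nor from Snort or Entware), a small Python parser for Snort's fast-alert lines of the form quoted above. It counts alerts per rule and flags the two cases the thread raises: priority-1 alerts, and outbound traffic whose source is the AC68U's own address 192.168.1.2, where NAT hides which LAN host actually sent it. The itype-specific rule messages and the alert lines not quoted in the thread are constructed.

```python
import re
import ipaddress
from collections import Counter

# Snort "fast" alert format as it appears in the thread (ports are present only for TCP/UDP):
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> (?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample: the two alerts quoted in the thread plus lines from hypothetical itype-specific
# rules such as  alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:1000008; rev:1;)
SAMPLE_ALERTS = [
    "03/18-07:24:39.200840 [**] [1:477:3] ICMP Packet [**] [Priority: 0] {ICMP} 192.168.1.2 -> 217.165.xx.xx",
    "03/18-09:01:02.000001 [**] [1:1000008:1] ICMP Echo Request [**] [Priority: 3] {ICMP} 192.168.1.1 -> 192.168.1.2",
    "03/18-09:01:02.000900 [**] [1:1000000:1] ICMP Echo Reply [**] [Priority: 3] {ICMP} 192.168.1.2 -> 192.168.1.1",
    "03/18-09:05:10.123456 [**] [1:1000003:1] ICMP Destination Unreachable [**] [Priority: 3] {ICMP} 192.168.1.2 -> 8.8.8.8",
    "03/18-11:42:07.654321 [**] [1:6700:19] FILE-IMAGE Microsoft Multiple Products malformed PNG detected tEXt overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 91.189.92.174:80 -> 192.168.1.2:47529",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def is_private(addr):
    """True for RFC1918-style addresses; False for public or unparsable (e.g. masked 'xx') ones."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def summarize(lines, nat_addr="192.168.1.2"):
    """Count alerts per (sid, msg) and list the ones worth reviewing: priority 1, or outbound
    traffic sourced from the router's NAT address (the originating LAN host is hidden behind it)."""
    per_rule, review = Counter(), []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # e.g. a multi-line "full" alert or a non-alert log line
        per_rule[(a["sid"], a["msg"])] += 1
        if int(a["prio"]) == 1:
            review.append(("high-priority", a["sid"], a["src"], a["dst"]))
        elif a["src"] == nat_addr and not is_private(a["dst"]):
            review.append(("nat-masked-outbound", a["sid"], a["src"], a["dst"]))
    return per_rule, review
```

Resolving a NAT-masked entry to the real LAN host still needs the router's connection-tracking table at the time of the alert; the parser only tells you which alerts have that ambiguity.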
 
