[Experimental] Snort3 IDS/IPS on AsusMerlin [AC86/AX88 routers ONLY]

[faux123]

Thank you to RT-AX88U users, I have enough system stats.. it definitely looks like RT-AX88U is a CUT ABOVE my RT-AC86U as I expected. CPU, memory usage all looked much less stressed than mine, awesome!

 

[TonyK132]

What is the advantage of Snort vs Suricata? Sounds like they both do the same thing.

We've been warned that Snort if very CPU intensive on a 86U. Is that also true for Suricata?

Also, for CPU utilization, how well does Snort play with Unbound and Skynet and Diversion?

 

[XIII]

What is the advantage of Snort vs Suricata?

Suricata can (probably) only be used as IDS on our routers; snort as IPS.

 

[heysoundude]

What is the advantage of Snort vs Suricata? Sounds like they both do the same thing.

We've been warned that Snort if very CPU intensive on a 86U. Is that also true for Suricata?

Also, for CPU utilization, how well does Snort play with Unbound and Skynet and Diversion?

network/data/user/hardware security is best handled in a multilayered fashion; you now have the tools to be able to choose what works best for you and those who use your network at several different levels.

In an ideal world -I'm not sure how SkyNet works- a page load request sent to a known malicious web source would be dropped before a response could be returned; Don't let bad actors near your network as a first line of defence is the best practice...but we can't always be sure who is a bad guy and who isn't.

Suricata was written to both defend from gross overt attacks as well as surveil what gets past the outer perimeters by checking what people might be carrying concealed in their pockets, so to speak. Snort (to the best of my understanding) simply does the latter. Snort looks through incoming packets for threats (IPS) vs Suricata's intrusion detection (IDS - as is most commonly deployed here. Notice the name- Intrusion Detection: something got missed or past the outer bubble, so the work now is to stop the breach from becoming wider; patching the security bubble before it bursts irreparably).

Snort is like one of those truffle hunting pigs; Suricata IDS is like the stone soldiers that protected Hogwart's in the last Harry Potter movies - to protect behind the magic bubble put up by the friendly wizards.
Unfortunately, the former process (IPS) can be so taxing to the processors and memory of our routers that they can't properly do what they're really designed for without hurting themselves in the process - it's a case of the spirit being willing but the body being rather unable.
(VPNs are another layer of security - protect the clean data that passes between protected points - but you have to trust (verify!) that the other point is as (or more!) secure than your network)

Unbound stores the directions to the good stuff that makes it past all of the above, so only new information needs to get checked with the above tools, and that speeds up page loads from outside your network. Diversion is specifically targeted at advertising, a common way of sneaking scripts that look at how you use the internet into your network, as another layer or method of protection. Unbound can do that as well, but I've not tried it

It seems the newer routers with quad core processors and 1GB of memory are much more suited to the tasks suricata (and snout) was designed for. The ones that are coming after these, WiFi6e versions, will hopefully rise to the challenge much more ably still.

I can see that suricata (IDS and IPS) and unbound fit together like puzzle pieces; together they're a strong team to protect your network, devices, users, data. Hopefully this helps you see that there are many ways to skin this particular cat.

 

[Mutzli]

Unfortunately, the former process (IPS) can be so taxing to the processors and memory of our routers that they can't properly do what they're really designed for without hurting themselves in the process - it's a case of the spirit being willing but the body being rather unable.
(VPNs are another layer of security - protect the clean data that passes between protected points - but you have to trust (verify!) that the other point is as (or more!) secure than your network)

This depends on the router. AC86U does have problems running Snort, it needs active cooling while the AX88U can easily handle the additional load from Snort without any major down sides. It does reduce the internet throughput slightly, but so does Suricata.

 

[Mutzli]

Tonight I checked on how Snort and the router was doing. Unfortunately Snort wasn't running any longer and the system log was overwritten at 17:00h and after that there was no error. So it must had happened before that. I'll keep monitoring more closely now. Anyone else having the same problem?

 

[faux123]

Tonight I checked on how Snort and the router was doing. Unfortunately Snort wasn't running any longer and the system log was overwritten at 17:00h and after that there was no error. So it must had happened before that. I'll keep monitoring more closely now. Anyone else having the same problem?

I have my snort3 running for days, I had to stop and restart last night to check my settings before posting.. I didn't have any issues with sudden stoppage. Since I don't have AX88U, I would monitor the memory usage to make sure it didn't "run out of memory".

Background:
Linux kernel has a strange way of managing memory, if the memory manager wanted a memory of certain size (let's say 2 Megabytes) and if the system memory is "fragmented" in a way where you had LOTS of 4K, 8K and 16K memory chunk but you didn't have a memory chunk to meet the 2 megabytes memory demand, it would declare itself "out of memory". With my custom fork, I backported newer memory management enhancements from Linux 4.4 all the way to Linux 5.8 to our older Linux 4.1 to address this funny out of memory situation (this happens even MORE often on an AC86U due to only having 512 MB of RAM) by "defrag" those holes and compact them together to make larger chunks available for other uses.

cat /proc/buddyinfo

gives a glimpse into these memory chunks, if you see lots of 0's in between it means for those chunk sizes aren't available and if an app ask for those chunk sizes, your system could be out of memory and may have unexpected behavior.

you can do

echo 1 > /proc/sys/vm/compact_memory

to alleviate this memory fragmentation but with stock Linux 4.1 kernel, that memory defrag can't compact as well as the newer releases (or my hybrid kernel).

 

[heysoundude]

This depends on the router. AC86U does have problems running Snort, it needs active cooling while the AX88U can easily handle the additional load from Snort without any major down sides. It does reduce the internet throughput slightly, but so does Suricata.

correct, and people should be aware of the tradeoff between security and speed. Thankfully in a properly implemented strategy with the correct tools, it is hardly noticeable - and the ones we're discussing here are some of them

 

[XIII]

On my AC86U snort immediately quit after starting, until I manually created /opt/var/log/snort.

The simple test suggested to me for Suricata also fails with snort (does not drop traffic):

• Add a rule: drop tcp $HOME_NET any -> <an IP address> any (msg:"test";)
  
  
• Try to access that page; for example: wget <same IP address> --no-check-certificate

Is this test wrong? How to correct it?

 

[faux123]

drop rules worked fine, just tested it, I added a rule to BLOCK facebook and when I tried to access facebook.com (and it didn't load) and I got this from the alert_fast.txt.

drop tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; )

Here's my local.rules:

drop tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; )

@XIII ^

 

[XIII]

Thanks. I might try again later.

 

[Milan]

I extracted a package with rules downloaded to the folder for rules. are they automatically reloaded or I need to restart snort?

 

[faux123]

I extracted a package with rules downloaded to the folder for rules. are they automatically reloaded or I need to restart snort?

The rules are loaded in RAM (or cached in RAM), so if you updated the rules, you need to restart snort. Also you need to make sure snort.lua knows where those rules are (if you haven't already pointed to them).

You could probably automate this using a shell script using cron, the only thing you need to watch out for are the LONG startup and shutdown time.

 

[XIII]

drop tcp any any -> any any ( msg:"Facebook trafic Seen"; appids:"Facebook";sid:10000001; )

Tried this rule, but several minutes after starting snort I can still access facebook.com

Also, before starting snort the AC86u's temperature was 79°C and it remains at that value (does not increase)

This is all I see from snort (except from some rule statistics before that):

afpacket DAQ configured to inline.
Commencing packet processing
++ [0] eth0:br0

/opt/var/log/snort/alert_fast.txt remains empty

Is it doing anything at all? (Core 1 and Core 2 fluctuate a lot, but the sum is always around 110%)

 

[XIII]

When I stopped it, it claimed it had dropped a lot?

daq
                 received: 19619
                 analyzed: 9075
                  dropped: 1526579
              outstanding: 10544
                    allow: 8230
                  replace: 845
                     idle: 1
                 rx_bytes: 6041544

 

[faux123]

Tried this rule, but several minutes after starting snort I can still access facebook.com

Also, before starting snort the AC86u's temperature was 79°C and it remains at that value (does not increase)

This is all I see from snort (except from some rule statistics before that):

afpacket DAQ configured to inline.
Commencing packet processing
++ [0] eth0:br0

/opt/var/log/snort/alert_fast.txt remains empty

Is it doing anything at all? (Core 1 and Core 2 fluctuate a lot, but the sum is always around 110%)

Did you load OpenAppID? My example rule was using OpenAppID to help filtering app specific traffic. Also check my 1st post where I posted my reference snort.lua file and see if you enabled OpenAppID correctly. Also use the Validation Cmdline to make sure all the rule sets are loaded properly.

 

[XIII]

Yes, I used OpenAppID and verified the config.

When I quit snort there were some OpenAppID statistics as well.

I accessed the Facebook website in Firefox/Safari. Should it mention Firefox/Safari or Facebook in that log?

But still I could access that site in both browsers, so like Suricata it does not work as an IPS on my AC86u. Wonder what’s wrong...

 

[Mutzli]

I have my snort3 running for days, I had to stop and restart last night to check my settings before posting.. I didn't have any issues with sudden stoppage. Since I don't have AX88U, I would monitor the memory usage to make sure it didn't "run out of memory".

Background:
Linux kernel has a strange way of managing memory, if the memory manager wanted a memory of certain size (let's say 2 Megabytes) and if the system memory is "fragmented" in a way where you had LOTS of 4K, 8K and 16K memory chunk but you didn't have a memory chunk to meet the 2 megabytes memory demand, it would declare itself "out of memory". With my custom fork, I backported newer memory management enhancements from Linux 4.4 all the way to Linux 5.8 to our older Linux 4.1 to address this funny out of memory situation (this happens even MORE often on an AC86U due to only having 512 MB of RAM) by "defrag" those holes and compact them together to make larger chunks available for other uses.

cat /proc/buddyinfo

gives a glimpse into these memory chunks, if you see lots of 0's in between it means for those chunk sizes aren't available and if an app ask for those chunk sizes, your system could be out of memory and may have unexpected behavior.

you can do

echo 1 > /proc/sys/vm/compact_memory

to alleviate this memory fragmentation but with stock Linux 4.1 kernel, that memory defrag can't compact as well as the newer releases (or my hybrid kernel).

Happy to report Snort is running now since Sunday without any issues. Now if I have some time I'll fiddle around with some of the rules and settings.

 

[TheUntouchable]

Wow @faux123, youre not only doing android kernel stuff but also stuff for AsusWRT? Nice

 

[faux123]

Wow @faux123, youre not only doing android kernel stuff but also stuff for AsusWRT? Nice

I'm sorta sem-retired from Android scene for a few years now (I check in every once in a while to see what new cool things are happening with Android), with just a bit of spare time remaining (work + family), I hack a few things I use on a daily basis (such as AsusWRT and some small open source projects).

Android was super fun and I really enjoyed the time I spent on it, now it seems with Project Treble (allowing users to run generic AOSP), android has matured quite a bit over the years and the need to tweak things have become less pressing.

My passion has always been with open source, it's lucky we have open source routers where I can apply some of my limited knowledge to. I do this mainly for myself and contribute whenever I can and Kernel hacking has always been a hobby for me, so I do this to learn and have a bit of fun at the same time.