Suricata 4 on Asuswrt-Merlin

[Xentrk]

Hope you get feeling better @M@rco.

I had Suricata installed on my pfSense box for a brief time. I had issues with tuning it over all of the interfaces I run. I recently changed to Snort as they have an updated method to configure. Rather than having individual rules, they have several categories you can choose from. What I like about pfSense is you have GUI menus for Suricata and Snort which makes things much easier.

Here are some videos on Suricata and Snort on pfSense. Still good to watch even though you are using different firmware. This video is one of the better ones I have seen on Suricata. This video discusses the Snort features I mentioned above. Right now, I only have Snort enabled on my WAN interface as I was having issues with streaming over the VPN tunnel. I have not had time to work on it recently.

 

[rgnldo]

I didn't know there was a topic about. Suricata works for me.

Spoiler: LOG's Suricata

17/2/2020 -- 21:14:43 - <Notice> -- This is Suricata version 4.1.4 RELEASE
17/2/2020 -- 21:14:43 - <Info> -- CPUs/cores online: 2
17/2/2020 -- 21:14:43 - <Info> -- HTTP memcap: 67108864
17/2/2020 -- 21:14:43 - <Notice> -- using flow hash instead of active packets
17/2/2020 -- 21:14:43 - <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config file
17/2/2020 -- 21:14:43 - <Info> -- fast output device (regular) initialized: fast.log
17/2/2020 -- 21:14:43 - <Info> -- http-log output device (regular) initialized: http.log
17/2/2020 -- 21:14:43 - <Info> -- Using log dir /opt/var/log/suricata
17/2/2020 -- 21:14:43 - <Info> -- Selected pcap-log compression method: (null)
17/2/2020 -- 21:14:43 - <Info> -- using normal logging
17/2/2020 -- 21:14:43 - <Info> -- stats output device (regular) initialized: stats.log
17/2/2020 -- 21:14:43 - <Info> -- 8 rule files processed. 824 rules successfully loaded, 0 rules failed
17/2/2020 -- 21:14:43 - <Info> -- Threshold config parsed: 0 rule(s) found
17/2/2020 -- 21:14:43 - <Info> -- 824 signatures processed. 209 are IP-only rules, 46 are inspecting packet payload, 570 inspect application layer, 0 ar>
17/2/2020 -- 21:14:44 - <Info> -- unable to find af-packet config for interface "eth0" or "default", using default values
17/2/2020 -- 21:14:44 - <Info> -- Going to use 2 ReceiveAFP receive thread(s)
17/2/2020 -- 21:14:44 - <Notice> -- AFL mode starting
17/2/2020 -- 21:14:44 - <Notice> -- AFL mode starting
17/2/2020 -- 21:14:44 - <Info> -- Initializing PCAP ring buffer for /opt/var/log/suricata/log.pcap.
17/2/2020 -- 21:14:44 - <Notice> -- Ring buffer initialized with 0 files.
17/2/2020 -- 21:14:44 - <Notice> -- all 4 packet processing threads, 0 management threads initialized, engine started.
17/2/2020 -- 21:14:44 - <Info> -- All AFP capture threads are running.
.

Spoiler: Suricata status

/opt/etc/init.d/S82suricata check
 Checking suricata...              alive.

 

[Deleted member 62525]

This is the first post I see about successful config. Would you mind @rgnldo sharing your experience installing and configuring Suricata?
Do you run alone or with Skynet?

 

[m3a1]

I didn't know there was a topic about. Suricata works for me.

Hey man is there a point at all to install suricata ?

 

[SomeWhereOverTheRainBow]

I didn't know there was a topic about. Suricata works for me.

Spoiler: LOG's Suricata

17/2/2020 -- 21:14:43 - <Notice> -- This is Suricata version 4.1.4 RELEASE
17/2/2020 -- 21:14:43 - <Info> -- CPUs/cores online: 2
17/2/2020 -- 21:14:43 - <Info> -- HTTP memcap: 67108864
17/2/2020 -- 21:14:43 - <Notice> -- using flow hash instead of active packets
17/2/2020 -- 21:14:43 - <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config file
17/2/2020 -- 21:14:43 - <Info> -- fast output device (regular) initialized: fast.log
17/2/2020 -- 21:14:43 - <Info> -- http-log output device (regular) initialized: http.log
17/2/2020 -- 21:14:43 - <Info> -- Using log dir /opt/var/log/suricata
17/2/2020 -- 21:14:43 - <Info> -- Selected pcap-log compression method: (null)
17/2/2020 -- 21:14:43 - <Info> -- using normal logging
17/2/2020 -- 21:14:43 - <Info> -- stats output device (regular) initialized: stats.log
17/2/2020 -- 21:14:43 - <Info> -- 8 rule files processed. 824 rules successfully loaded, 0 rules failed
17/2/2020 -- 21:14:43 - <Info> -- Threshold config parsed: 0 rule(s) found
17/2/2020 -- 21:14:43 - <Info> -- 824 signatures processed. 209 are IP-only rules, 46 are inspecting packet payload, 570 inspect application layer, 0 ar>
17/2/2020 -- 21:14:44 - <Info> -- unable to find af-packet config for interface "eth0" or "default", using default values
17/2/2020 -- 21:14:44 - <Info> -- Going to use 2 ReceiveAFP receive thread(s)
17/2/2020 -- 21:14:44 - <Notice> -- AFL mode starting
17/2/2020 -- 21:14:44 - <Notice> -- AFL mode starting
17/2/2020 -- 21:14:44 - <Info> -- Initializing PCAP ring buffer for /opt/var/log/suricata/log.pcap.
17/2/2020 -- 21:14:44 - <Notice> -- Ring buffer initialized with 0 files.
17/2/2020 -- 21:14:44 - <Notice> -- all 4 packet processing threads, 0 management threads initialized, engine started.
17/2/2020 -- 21:14:44 - <Info> -- All AFP capture threads are running.
.

Spoiler: Suricata status

/opt/etc/init.d/S82suricata check
 Checking suricata...              alive.

If you ever do get the time, your setup method would be valuable to many who want to try this out.

 

[Milan]

I didn't know there was a topic about. Suricata works for me.

Spoiler: LOG's Suricata

17/2/2020 -- 21:14:43 - <Notice> -- This is Suricata version 4.1.4 RELEASE
17/2/2020 -- 21:14:43 - <Info> -- CPUs/cores online: 2
17/2/2020 -- 21:14:43 - <Info> -- HTTP memcap: 67108864
17/2/2020 -- 21:14:43 - <Notice> -- using flow hash instead of active packets
17/2/2020 -- 21:14:43 - <Error> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config file
17/2/2020 -- 21:14:43 - <Info> -- fast output device (regular) initialized: fast.log
17/2/2020 -- 21:14:43 - <Info> -- http-log output device (regular) initialized: http.log
17/2/2020 -- 21:14:43 - <Info> -- Using log dir /opt/var/log/suricata
17/2/2020 -- 21:14:43 - <Info> -- Selected pcap-log compression method: (null)
17/2/2020 -- 21:14:43 - <Info> -- using normal logging
17/2/2020 -- 21:14:43 - <Info> -- stats output device (regular) initialized: stats.log
17/2/2020 -- 21:14:43 - <Info> -- 8 rule files processed. 824 rules successfully loaded, 0 rules failed
17/2/2020 -- 21:14:43 - <Info> -- Threshold config parsed: 0 rule(s) found
17/2/2020 -- 21:14:43 - <Info> -- 824 signatures processed. 209 are IP-only rules, 46 are inspecting packet payload, 570 inspect application layer, 0 ar>
17/2/2020 -- 21:14:44 - <Info> -- unable to find af-packet config for interface "eth0" or "default", using default values
17/2/2020 -- 21:14:44 - <Info> -- Going to use 2 ReceiveAFP receive thread(s)
17/2/2020 -- 21:14:44 - <Notice> -- AFL mode starting
17/2/2020 -- 21:14:44 - <Notice> -- AFL mode starting
17/2/2020 -- 21:14:44 - <Info> -- Initializing PCAP ring buffer for /opt/var/log/suricata/log.pcap.
17/2/2020 -- 21:14:44 - <Notice> -- Ring buffer initialized with 0 files.
17/2/2020 -- 21:14:44 - <Notice> -- all 4 packet processing threads, 0 management threads initialized, engine started.
17/2/2020 -- 21:14:44 - <Info> -- All AFP capture threads are running.
.

Spoiler: Suricata status

/opt/etc/init.d/S82suricata check
 Checking suricata...              alive.

i was able to install and execute it in background. i was able to setup a simple log for http too so i can see that it is doing smthing.
but iafter installation i dont have file for starting as service in init.d
stats.log is empty, even configured.

need to read a lot ..

 

[rgnldo]

If you ever do get the time, your setup method would be valuable to many who want to try this out.

Suricata for FW Merlin only on the HND's router. This time I had to organize suricata.yaml to stay very thin.

rgnldo@rgnldo-lan:/tmp/home/root# /opt/etc/init.d/S82suricata start
 Starting suricata...              done.
rgnldo@rgnldo-lan:/tmp/home/root# /opt/etc/init.d/S82suricata check
 Checking suricata...              alive.

I'll see a way to organize a post.

 

[rgnldo]

i was able to install and execute it in background. i was able to setup a simple log for http too so i can see that it is doing smthing.
but iafter installation i dont have file for starting as service in init.d
stats.log is empty, even configured.

need to read a lot ..

Spoiler: http.log

04/07/2020-21:06:43.802381 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:07:07.172178 connectivitycheck.gstatic.com[**]/generate_204[**]Mozilla/5.0 (Linux; Android 8.0; Build/OPR6.170623.013) AppleWebKit/537.36 (KHTML>
04/07/2020-21:07:30.656534 connectivitycheck.gstatic.com[**]/generate_204[**]Mozilla/5.0 (Linux; Android 8.0; Build/OPR6.170623.013) AppleWebKit/537.36 (KHTML>
04/07/2020-21:08:07.294953 connectivitycheck.gstatic.com[**]/generate_204[**]Mozilla/5.0 (Linux; Android 8.0; Build/OPR6.170623.013) AppleWebKit/537.36 (KHTML>
04/07/2020-21:08:31.052165 connectivitycheck.gstatic.com[**]/generate_204[**]Mozilla/5.0 (Linux; Android 8.0; Build/OPR6.170623.013) AppleWebKit/537.36 (KHTML>
04/07/2020-21:08:43.448654 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:09:07.386684 connectivitycheck.gstatic.com[**]/generate_204[**]Mozilla/5.0 (Linux; Android 8.0; Build/OPR6.170623.013) AppleWebKit/537.36 (KHTML>
04/07/2020-21:09:12.821815 ocsp.apple.com[**]/ocsp03-asi2ca02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDpjNYC91gD%2BzsNfJ0wP9wrPSi8lBBQSdXxHkv2D474u%2FFl%2FZ0OBNR>
04/07/2020-21:09:40.955368 ocsp.digicert.com[**]/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFN%2BqEuMosQlBk%2BKfQoLOR0BClVijBBSxPsNpA%2Fi%2FRwHUmCYaCALvY2QrwwIQCBFAV>
04/07/2020-21:10:45.678402 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:12:23.219858 ocsp.apple.com[**]/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8>
04/07/2020-21:12:24.376561 ocsp.apple.com[**]/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8>
04/07/2020-21:12:25.184052 ocsp.apple.com[**]/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8>
04/07/2020-21:12:26.267509 ocsp.apple.com[**]/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8>
04/07/2020-21:12:27.074909 ocsp.apple.com[**]/ocsp04-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8>
04/07/2020-21:12:45.853944 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:13:11.735615 ocsp.apple.com[**]/ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uM>
04/07/2020-21:14:15.440876 clients3.google.com[**]/generate_204[**]Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 >
04/07/2020-21:14:18.485188 www.google.com[**]/gen_204[**]Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537>
04/07/2020-21:14:46.769635 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:16:01.839107 ocsp.int-x3.letsencrypt.org[**]/MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA>
04/07/2020-21:16:03.757532 ocsp.int-x3.letsencrypt.org[**]/MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA>
04/07/2020-21:16:38.959820 ocsp.int-x3.letsencrypt.org[**]/MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA>
04/07/2020-21:16:48.430033 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:18:52.623345 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:20:54.067584 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:22:23.944813 ocsp.digicert.com[**]/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFIJtHAq6KfPCSvNJygRFfhYkwW7uBBTPhfG8OBh4OlUz9FbKwGmtd267kwIQD7QLyjQpQ%2BV>
04/07/2020-21:22:59.998663 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:24:19.688595 www.google.com[**]/gen_204[**]Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537>
04/07/2020-21:25:00.222819 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:26:11.708672 ocsp.apple.com[**]/ocsp-devid01/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFDOB0e%2FbaLCFIU0u76%2BMSmlkPCpsBBRXF%2B2iz9x8mKEQ4Py%2Bhy0s8uM>
04/07/2020-21:26:41.082098 ocsp.int-x3.letsencrypt.org[**]/MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISB>
04/07/2020-21:27:00.499438 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:29:00.332601 ocsp.int-x3.letsencrypt.org[**]/MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA>
04/07/2020-21:29:05.304227 pixels.canarymail.io[**]/time/[**]Canary%20Mail/601 CFNetwork/1125.2 Darwin/19.4.0 (x86_64)[**]<no referer>[**]GET[**]HTTP/1.1[**]2>
04/07/2020-21:31:14.564899 ocsp.apple.com[**]/ocsp03-appleserverauth12/MFYwVKADAgEAME0wSzBJMAkGBSsOAwIaBQAEFL3AjQU8oI9hlLDIxghJBJF41J0nBBQsxW1S3THvjOwIge3f3Mp>

 

[SomeWhereOverTheRainBow]

Suricata for FW Merlin only on the HND's router. This time I had to organize suricata.yaml to stay very thin.

rgnldo@rgnldo-lan:/tmp/home/root# /opt/etc/init.d/S82suricata start
 Starting suricata...              done.
rgnldo@rgnldo-lan:/tmp/home/root# /opt/etc/init.d/S82suricata check
 Checking suricata...              alive.

I'll see a way to organize a post.

yea i would only attempt running in on a hnd model due to its resource requirements.

 

[rgnldo]

yea i would only attempt running in on a hnd model due to its resource requirements.

newer kernel helps a lot.

 

[rgnldo]

stats.log is empty, even configured.
need to read a lot ..

7/4/2020 -- 21:37:02 - <Info> - CPUs/cores online: 2
7/4/2020 -- 21:37:02 - <Info> - HTTP memcap: 16108864
7/4/2020 -- 21:37:02 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config file
7/4/2020 -- 21:37:02 - <Info> - http-log output device (regular) initialized: http.log
7/4/2020 -- 21:37:02 - <Info> - stats output device (regular) initialized: stats.log
7/4/2020 -- 21:37:02 - <Info> - Packets will start being processed before signatures are active.
7/4/2020 -- 21:37:02 - <Info> - unable to find af-packet config for interface "eth0" or "default", using default values
7/4/2020 -- 21:37:02 - <Info> - Going to use 2 thread(s)
7/4/2020 -- 21:37:02 - <Notice> - AFL mode starting
7/4/2020 -- 21:37:02 - <Notice> - AFL mode starting
7/4/2020 -- 21:37:02 - <Notice> - all 2 packet processing threads, 0 management threads initialized, engine started.
7/4/2020 -- 21:37:02 - <Notice> - rule reload starting
7/4/2020 -- 21:37:02 - <Info> - 8 rule files processed. 833 rules successfully loaded, 0 rules failed
7/4/2020 -- 21:37:02 - <Info> - Threshold config parsed: 0 rule(s) found
7/4/2020 -- 21:37:02 - <Info> - 833 signatures processed. 213 are IP-only rules, 34 are inspecting packet payload, 575 inspect application layer, 0 are decode>
7/4/2020 -- 21:37:02 - <Info> - All AFP capture threads are running.
7/4/2020 -- 21:37:02 - <Info> - cleaning up signature grouping structure... complete
7/4/2020 -- 21:37:02 - <Notice> - rule reload complete
7/4/2020 -- 21:37:02 - <Notice> - Signature(s) loaded, Detect thread(s) activated.

[ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config

I couldn't solve it. I noticed that it is a bug out of Suricata. But it is normal and does not disturb the operation.

 

[Milan]

newer kernel helps a lot.

I am using it on AX88U with the latest merlin and I installed entware for 64bit ...

 

[Milan]

Mine startup log looks like :

7/4/2020 -- 21:49:19 - <Notice> - This is Suricata version 4.1.4 RELEASE
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/http-events.rules
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/smtp-events.rules
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/dns-events.rules
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/tls-events.rules
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 4 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 11 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.

I downloaded and used an emergency rules pack from web page mentioned in the official doc on Suricata pages.
HTTP log is growing ...

 

[rgnldo]

Mine startup log looks like :

7/4/2020 -- 21:49:19 - <Notice> - This is Suricata version 4.1.4 RELEASE
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/http-events.rules
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/smtp-events.rules
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/dns-events.rules
7/4/2020 -- 21:49:20 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/tls-events.rules
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 4 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 11 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
7/4/2020 -- 21:49:21 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - AFL mode starting
7/4/2020 -- 21:49:37 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.

I downloaded and used an emergency rules pack from web page mentioned in the official doc on Suricata pages.
HTTP log is growing ...

[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
This is a permission error in the rules files.

[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
Although not serious, an error is resolved in the configuration file.

I recommend not using Skynet.

I'll find a way to organize a topic. I'm thinking of organizing a topics with Aria2 and Suricata.
The format of the topics will be in the basic installation model and waiting for the other members to evolve the installation.

 

[rgnldo]

on Suricata pages.
HTTP log is growing ...

[ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config

I solved the error problem [130]. This is the engine mode and the listening interface. 100% work fine.

8/4/2020 -- 09:35:16 - <Notice> - This is Suricata version 4.1.4 RELEASE
8/4/2020 -- 09:35:16 - <Info> - CPUs/cores online: 2
8/4/2020 -- 09:35:16 - <Info> - HTTP memcap: 16108864
8/4/2020 -- 09:35:16 - <Info> - http-log output device (regular) initialized: http.log
8/4/2020 -- 09:35:16 - <Info> - stats output device (regular) initialized: stats.log
8/4/2020 -- 09:35:16 - <Info> - Packets will start being processed before signatures are active.
8/4/2020 -- 09:35:16 - <Info> - Using 1 live device(s).
8/4/2020 -- 09:35:17 - <Notice> - AFL mode starting
8/4/2020 -- 09:35:17 - <Notice> - AFL mode starting
8/4/2020 -- 09:35:17 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.
8/4/2020 -- 09:35:17 - <Notice> - rule reload starting
8/4/2020 -- 09:35:17 - <Info> - All AFP capture threads are running.
8/4/2020 -- 09:35:17 - <Info> - 8 rule files processed. 833 rules successfully loaded, 0 rules failed
8/4/2020 -- 09:35:17 - <Info> - Threshold config parsed: 0 rule(s) found
8/4/2020 -- 09:35:17 - <Info> - 833 signatures processed. 213 are IP-only rules, 34 are inspecting packet payload, 575 inspect application layer, 0 are decode>
8/4/2020 -- 09:35:17 - <Info> - cleaning up signature grouping structure... complete
8/4/2020 -- 09:35:17 - <Notice> - rule reload complete
8/4/2020 -- 09:35:17 - <Notice> - Signature(s) loaded, Detect thread(s) activated.

 

[rgnldo]

Test fast.log with a test.rules to check how Suricata works. Work fine.

 

[rgnldo]

i was able to install and execute it in background. i was able to setup a simple log for http too so i can see that it is doing smthing.
but iafter installation i dont have file for starting as service in init.d
stats.log is empty, even configured.

need to read a lot ..

https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/