Suricata 4 on Asuswrt-Merlin

[M@rco]

I started playing around with Suricata today, but I'm running into some issues. There's only very little info on the forum and loads of info on the web, which mostly seem too complicated to get started. Hopefully there are more experienced users around to get me started. I'm currently running Asuswrt-Merlin 380.69_2 on a RT-AC68U.

For starters, when installing through opkg I noticed the last two lines say

Current Suricata ruleset can be found at
https://rules.emergingthreats.net/open/suricata-3.0/emerging.rules.tar.gz

However, it appears to be Suricata 4.0.3 which is installed using Entware:

marco@RT-AC68U:/tmp/mnt/DTSE9/entware/etc/suricata# suricata -V
This is Suricata version 4.0.3 RELEASE

Am I using the right rules? I've extracted them to the pre-made folder /opt/etc/suricata/rules.

Next: I haven't changed much to suricata.yaml yet, as I'm a bit overwhelmed by all the possibilities, so this will definitely take some more reading. I changed vars: address-groups: in

    HOME_NET: "[192.168.1.0/24]"

to narrow it down to my home network.

The default locations in suricata.yaml seem all correct, these folders are created during setup. As mentioned, I extracted the (v3?) rules into the right folder.

When starting suricata using

suricata -c /opt/etc/suricata/suricata.yaml -i eth0

it outputs to the terminal:

9/2/2018 -- 22:06:19 - <Notice> - This is Suricata version 4.0.3 RELEASE
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/http-events.rules
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/smtp-events.rules
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/dns-events.rules
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/tls-events.rules
9/2/2018 -- 22:07:52 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for 'eth0': Operation not supported (95)
9/2/2018 -- 22:07:52 - <Notice> - AFL mode starting
9/2/2018 -- 22:07:52 - <Notice> - all 1 packet processing threads, 0 management threads initialized, engine started.

However, the rule files it's mentioning are all in the /opt/etc/suricata/rules/ folder and contain rules, so I don't understand these warnings.

It doesn't quit, it keeps running as I can see in top. However, I don't have a clue as to what it's doing as it's apparently (?) having trouble monitoring eth0.

A lot of questions, and this just might be the beginning. Anyone care to lend me a hand? I'll get started on the 262 page manual first thing tomorrow...

 

[modemboy]

No experience with Suricata but I'd say to check that the permissions on the rules files is correct, if the Suricata process doesn't have permissions to read the files it would error like they aren't there.
Running 'chmod 755 /opt/etc/suricata/rules/http-events.rules' (same for the rest of the files) might do the trick if that's the issue.

 

[M@rco]

I checked, all the rules files are readable (644). The rules tarball has been locally extracted in the right folder and by default using Unix LF.

 

[M@rco]

I should probably have not started with Suricata yesterday evening, lol. After a good night's sleep, I just noticed that the default rules files that were mentioned as missing, aren't included in the daily updated emerging rules files. I downloaded them separately from Github, using

curl -L -k -s -O https://github.com/OISF/suricata/raw/master/rules/http-events.rules
curl -L -k -s -O https://github.com/OISF/suricata/raw/master/rules/dns-events.rules
curl -L -k -s -O https://github.com/OISF/suricata/raw/master/rules/smtp-events.rules
curl -L -k -s -O https://github.com/OISF/suricata/raw/master/rules/tls-events.rules

and changed permissions to be the same as the other rules.

I also downloaded the current rules, to make sure I'm using v4 rules from https://rules.emergingthreats.net/open/suricata/

Started Suricata again:

suricata -c /opt/etc/suricata/suricata.yaml -i eth0
10/2/2018 -- 06:14:32 - <Notice> - This is Suricata version 4.0.3 RELEASE
10/2/2018 -- 06:15:51 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for 'eth0': Operation not supported (95)
10/2/2018 -- 06:15:51 - <Notice> - AFL mode starting
10/2/2018 -- 06:15:51 - <Notice> - all 1 packet processing threads, 0 management threads initialized, engine started.

4 errors down, 1 to go...

Any suggestions?

 

[DonnyJohnny]

Haha... once you are done. Please show me the guide.

 

[M@rco]

I've been experimenting over the past few days and it seems that Suricata is running just fine and stable Despite the ioctl error as shown in one of the previous posts, which I haven't found a solution to due to a lack of knowledge (@RMerlin, maybe do you have any clues?).

It captures, it logs and I'm now learning Evebox and Elasticsearch with Kibana (running on my laptop) to get all data from suricata imported automatically into Elasticsearch, so everything is nicely accessible in a web-based solution for analysis. Heck, Evebox even does GeoIP before feeding data into Elasticsearch, so if all goes well I soon have every in and outgoing connection plotted to a world map too. Does it serve a purpose? Not really. But it is sure is fun And educational as well

Once I've figured it all out I can try to write a step by step guide if anyone else (beside @DonnyJohnny ) is interested. Does anyone know if anyone can contribute to the Wiki?

Added some screenshots:

Evebox, showing Inbox show Suricata alerts:

Screenshot of Kibana, showing connectivity on eth0 on a timeline:

 

[modemboy]

Any suggestions?

It's trying to turn off tcp offload settings there I believe. Throw -vvv in your suricata run line and you'll get additional error output. Looks like you can then see what it's attempting to turn off and try it manually, see here: https://redmine.openinfosecfoundation.org/issues/1976

 

[M@rco]

It's trying to turn off tcp offload settings there I believe. Throw -vvv in your suricata run line and you'll get additional error output. Looks like you can then see what it's attempting to turn off and try it manually, see here: https://redmine.openinfosecfoundation.org/issues/1976

Thanks, hadn't found that issue yet. Will give it a try.

 

[HRearden]

I would be interested in a guide to using Suricata on Merlin!
Please!

@DonnyJohnny[/USER] ) is interested. Does anyone know if anyone can contribute to the Wiki?

 

[HRearden]

Anyone played with this more? I was able to get Suricata working. It seems to need increasing amounts of memory. 1GB+ Has anyone tracked down the rule which is causing the large memory use or have some suggested settings in Merlin?

rearden

 

[develox]

Thanks, hadn't found that issue yet. Will give it a try.

Another one interested here.

About this issue, the good news is that running suricata with the suggested option in the incident above, it says that:

/tmp/mnt/TRANSCEND/entware/etc/suricata/rules# suricata -c /opt/etc/suricata/suricata.yaml -i eth0 --set capture.disable-offloading=false
22/3/2018 -- 19:37:46 - <Notice> - This is Suricata version 4.0.3 RELEASE
22/3/2018 -- 19:38:19 - <Warning> - [ERRCODE: SC_ERR_NIC_OFFLOADING(284)] - NIC offloading on eth0: SG: SET,  GRO: unset, LRO: unset, TSO: unset, GSO: unset. Run: ethtool -K eth0 sg off gro off lro off tso off gso off
22/3/2018 -- 19:38:19 - <Warning> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Using AF_PACKET with offloading activated leads to capture problems

As the part:

NIC offloading on eth0: SG: SET,  GRO: unset, LRO: unset, TSO: unset, GSO: unset

hints, installing ethanol it looks like the only one feature is not set as needed:

/tmp/mnt/TRANSCEND/entware/etc/suricata/rules# ethtool -k eth0
Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
ntuple-filters: off
receive-hashing: off

I thought I could try wrap suricata startup in a script where I'd first unset it and then set it back once suricata is stopped, but the bad news is that:

/tmp/mnt/TRANSCEND/entware/etc/suricata/rules# ethtool -K eth0 sg off
Cannot set device scatter-gather settings: Operation not supported

However, to be honest, I'm not sure whether unsetting this feature would cause any troubles or if leaving it set makes actually no tangible difference.

By the way, at the moment I've wrapped the executable into an init script:

/tmp/mnt/TRANSCEND/entware/etc/init.d# cat S70suricata
#!/bin/sh

ENABLED=yes
PROCS=suricata
ARGS="-c /opt/etc/suricata/suricata.yaml -i eth0 --set capture.disable-offloading=false"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func

 

[agilani]

I started playing around with Suricata today, but I'm running into some issues. There's only very little info on the forum and loads of info on the web, which mostly seem too complicated to get started. Hopefully there are more experienced users around to get me started. I'm currently running Asuswrt-Merlin 380.69_2 on a RT-AC68U.

For starters, when installing through opkg I noticed the last two lines say

Current Suricata ruleset can be found at
https://rules.emergingthreats.net/open/suricata-3.0/emerging.rules.tar.gz

However, it appears to be Suricata 4.0.3 which is installed using Entware:

marco@RT-AC68U:/tmp/mnt/DTSE9/entware/etc/suricata# suricata -V
This is Suricata version 4.0.3 RELEASE

Am I using the right rules? I've extracted them to the pre-made folder /opt/etc/suricata/rules.

Next: I haven't changed much to suricata.yaml yet, as I'm a bit overwhelmed by all the possibilities, so this will definitely take some more reading. I changed vars: address-groups: in

    HOME_NET: "[192.168.1.0/24]"

to narrow it down to my home network.

The default locations in suricata.yaml seem all correct, these folders are created during setup. As mentioned, I extracted the (v3?) rules into the right folder.

When starting suricata using

suricata -c /opt/etc/suricata/suricata.yaml -i eth0

it outputs to the terminal:

9/2/2018 -- 22:06:19 - <Notice> - This is Suricata version 4.0.3 RELEASE
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/http-events.rules
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/smtp-events.rules
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/dns-events.rules
9/2/2018 -- 22:06:54 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /opt/etc/suricata/rules/tls-events.rules
9/2/2018 -- 22:07:52 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get feature via ioctl for 'eth0': Operation not supported (95)
9/2/2018 -- 22:07:52 - <Notice> - AFL mode starting
9/2/2018 -- 22:07:52 - <Notice> - all 1 packet processing threads, 0 management threads initialized, engine started.

However, the rule files it's mentioning are all in the /opt/etc/suricata/rules/ folder and contain rules, so I don't understand these warnings.

It doesn't quit, it keeps running as I can see in top. However, I don't have a clue as to what it's doing as it's apparently (?) having trouble monitoring eth0.

A lot of questions, and this just might be the beginning. Anyone care to lend me a hand? I'll get started on the 262 page manual first thing tomorrow...

I tried running suricata with pfsense. Just keep in mind that the throughput will be throttled considerably with the CPU. I think with an i5 with 8gigs of ram I was able to get up to 140 mb/s. I ended up using the snort rules for it. I also tried to run untangle on my ac3100. It was very slow and decided to stick with aiprotection...even though it doesn't give you access to any of the logs or whatnot. It was easier than trying to build a custom rig to handle the throughput.

 

[alexandro]

Any news about install guide?

 

[Fenix]

I'm also awaiting excellent guide for installation

 

[develox]

I tried running suricata with pfsense. Just keep in mind that the throughput will be throttled considerably with the CPU. I think with an i5 with 8gigs of ram I was able to get up to 140 mb/s. I ended up using the snort rules for it. I also tried to run untangle on my ac3100. It was very slow and decided to stick with aiprotection...even though it doesn't give you access to any of the logs or whatnot. It was easier than trying to build a custom rig to handle the throughput.

This might probably become a problem, the day I'll eventually get a decent WAN connection myself too At the moment I've to be happy with my recent update from 7mbps to 20mbps.
Now, looking at resources consumption, I've been able to observe that under heavy bandwidth usage (well, heavy ... ), I could still get the whole 20mbps of my ISP but load average raised and memory consumption did as well (you can clearly spot the time window, after 8pm, where the test occurred). However, the average stayed just slightly above 0.5, my ISP is too slow to hinder Suricata adoption if I wanted.

This of course changed when I performed a test by transferring 4 times a 5GB file from a Raspebbery pi3 which is on the WAN side w.r.t. RT-AC5300. In this case, I still got the full 100mpbs allowed by the pi3 inbound in the RT-AC5300, but this time the load average raised noticeably, though I guess still manageable (next time I should observe temps as well ...). The time windows of interest here is at about 21.30-22.15

But I guess this is to be expected. However, even under very low bandwidth consumption (just casual surfing), while the load average incurred almost no change, the memory consumption went all the way up nonetheless (here you can clearly spot at about midday when I started Suricata and when I stopped it at about 8pm).

 

[M@rco]

Any news about install guide?

I'm also awaiting excellent guide for installation

Dear @alexandro, @Fenix and possibly others, unfortunately due to some serious health issues I barely get to spent time on my laptop, let alone fiddle with Suricata. For what it's worth, I haven't even gotten around to install new firmware. Once I'm able to spend more time at home, which might some time unfortunately, I'll try my best to write a guide as promised.

Sorry for the delay, I appreciate your patience.

Best regards,
Marco

 

[develox]

Dear @alexandro, @Fenix and possibly others, unfortunately due to some serious health issues I barely get to spent time on my laptop, let alone fiddle with Suricata. For what it's worth, I haven't even gotten around to install new firmware. Once I'm able to spend more time at home, which might some time unfortunately, I'll try my best to write a guide as promised.

Sorry for the delay, I appreciate your patience.

Best regards,
Marco

Ehi Marco,
this goes without saying, but your heath comes thousands miles before all of this stuff which is, for the most of us, just fun. Anyone here can peacefully wait to let you recover first, and then anything else.

Besides this, what you've written so far is enough for those who have a very minimum experience with *nix boxes. To summarise, you've guided us (and I confirm following it):

• Install the package through the opkg utility once Entware has been previously installed
• As the installation script writes at the end of its execution, download additional missing ruleset via curl as you showed
• You can try anything is fine running Suricata directly from command line as you did
• At the end of this installation, we'll find:

executable: /opt/bin/suricata
config: /opt/etc/suricata/
logs: /opt/var/log/suricata/

It can be useful to wrap the executable in an LSB script to manage start/stop (and e.g. to have it started independently of the terminal used to launch it, and have it survive once the terminal is exited), see above.

Marco has gone a bit further in this. One of the outputs of Suricata is an eve.json file. This file can be fed into an app called EveBox which greatly simplifies the analysis of the detected events. Guidelines can be found here: https://github.com/jasonish/evebox
As explained in there:

Requirements

• Suricata - to generate alerts and events.

And one of...

• An existing ELK (version 5 or greater) setup already handling Suricata events.
• Just Elastic Search as an event store.
• Nothing - EveBox can use an embedded SQLite database suitable for lower load installations (note: not all features supported yet).
• A modern web browser.

For the possible interested ones, I've compiled it and successfully run on a Raspberry Pi3. It's not as simple as going through apt-get (no package available) but quite feasible paying attention to a few guides online that can help achieving the result, especially: https://github.com/TravisFSmith/SweetSecurity . It's important to update npm to v5.7.1 and node to v8.10.0 at least, or it won't compile. Also, get a recent Go installation (I went for https://dl.google.com/go/go1.9.4.linux-armv6l.tar.gz). Pi3 can also run Elasticsearch, that's easier to install (package from Elasticsearch itself. Hint: get v5.6.8, I've not succeeded in making successfully run newer ones).

For those who are new like me to this subject, ELK is just the triple Elasticsearch-Logstash-Kibana. Kibana is a visualiser/consumer of the data indexed and managed by Elasticsearch. To make a general use of the ELK framework, you need a log processor/provider as well. Logstash (the widespread main choice) is not an option, too heavy for the Pi3, the load average skyrocketed constantly once launched. I finally went for Filebeat (v5.6.8 as well). This was tougher but a couple of posts can help (most notably: https://www.elasticice.net/?p=92 and https://discuss.elastic.co/t/filebeat-on-raspberry-pi/113697 ). Filebeat is a much more simplified replacement for Logstash. However, once the ELK framework is up an running, it's easy to feed it with various log files, including Asuswrt itself by simply redirecting the syslog as provided in the web UI (System Log --> General Log). It's indeed helpful and advantageous to have a syslog server somewhere in your home network. I already had it in the Pi3, and the ELK framework elevates the ease to navigate and analyse them, something I previously was doing through scripts or bash aliases grepping the raw log files.

Your posts served well the purpose to represent hints to experiment on this all, thanks @M@arco.

 

[Fenix]

I wish you Marco to get back health to be condition like young guy

 

[HRearden]

Marco I hope you get feeling better!

Anyone have any suggestions on how to reduce the memory requirements? It is not uncommon to have over 1GB in swap allocated and that is a bit too much for my AC68. This should be able to be mitigated with some settings changes, but I have not been successful so far.

Anyone get Suricata to send an email after an alert?

rearden

 

[M@rco]

Anyone have any suggestions on how to reduce the memory requirements? It is not uncommon to have over 1GB in swap allocated and that is a bit too much for my AC68. This should be able to be mitigated with some settings changes, but I have not been successful so far.

I haven't got Suricata running currently, as I'm downgrading to 380.69_2 as we speak. Suricata needs quite of lot of resources indeed (as it does a lot within the limit capabilities of our routers, which makes it 'somewhat' resource hungry) and I haven't really gotten around to tweaking it before things went downhill rapidly, but keep in mind that it logs a lot. All USB activity is cached as RMerlin posted somewhere else (can't recall where, sorry), so that will surely use up a big portion of your swap. System load shouldn't go through the roof though. What I did was setting up a remote log server on my LAN to store Suricata logfiles elsewhere within my network and I was working on a log rotation script to minimize the logfile size at the routers thumb drive. I haven't had a lot of time to play around with it and now I'm starting blank. I have memory issues as well, so it might take some time to be able to reproduce it, but maybe that will give you some pointers in the right direction.

Thanks for the kind replies, much appreciated.