What does Suricata do? I've been trying to see if I can use it with diversion, skynet and unbound.
Also can I use this on the GT-AX11000 and how simple is it to install?
Suricata Suricata 6 is available for testing
- Thread starter ryzhov_al
- Start date
Also can I use this on the GT-AX11000 and how simple is it to install?
heysoundude
Part of the Furniture
Start here and follow the link on their page. It's probably not for everyone, but if you poke around for the original threads on here, you should find a good set of instructions.
I think your machine should be fine to run it if you decide to go that way. OP of this thread can probably offer further guidance - he's the person to ping
I think your machine should be fine to run it if you decide to go that way. OP of this thread can probably offer further guidance - he's the person to ping
slidermike
Regular Contributor
Its an IPS similar to Snort.
Thanks for the new version!
I installed suricata 6.0.4 currently in test mode af-packet copy back and forth between the br0-eth0 interface. I later saw that the extra version supports nfqueue mode, which creates a new opportunity to test and maybe activate the ips feature. Who can please help to compile a usable configuration, iptables rule, yaml optimization for AX88 router. The init.d file and the rule update script, and I took over the webui, from the old version 4, all work with a little modification.
So far it has found 2 dns incidents on your webui.
I think it's only IDS and not IPS mode.
the eve.json file size increases rapidly.
eve.json sample line
{"timestamp":"2022-03-28T07:10:44.582834+0200","flow_id":1226190670301487,"in_iface":"br0","event_type":"dns","src_ip":"192.168.1.111","src_port":16652,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","id":10382,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"www.youtube.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"www.youtube.com","rrtype":"CNAME","ttl":84600,"rdata":"youtube-ui.l.google.com"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.180.206"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.78"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"172.217.20.14"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"172.217.19.110"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.46"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.14"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.180.238"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.201.206"}],"grouped":{"A":["142.250.180.206","142.251.39.78","172.217.20.14","172.217.19.110","142.251.39.46","142.251.39.14","142.250.180.238","142.250.201.206"],"CNAME":["youtube-ui.l.google.com"]}}}
__________________________________________
27/3/2022 -- 21:47:59 - <Info> - Running in live mode, activating unix socket
27/3/2022 -- 21:47:59 - <Info> - Using unix socket file '/opt/var/run/suricata/suricata-command.socket'
27/3/2022 -- 21:47:59 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
27/3/2022 -- 21:47:59 - <Info> - All AFP capture threads are running.
I installed suricata 6.0.4 currently in test mode af-packet copy back and forth between the br0-eth0 interface. I later saw that the extra version supports nfqueue mode, which creates a new opportunity to test and maybe activate the ips feature. Who can please help to compile a usable configuration, iptables rule, yaml optimization for AX88 router. The init.d file and the rule update script, and I took over the webui, from the old version 4, all work with a little modification.
So far it has found 2 dns incidents on your webui.
I think it's only IDS and not IPS mode.
the eve.json file size increases rapidly.
eve.json sample line
{"timestamp":"2022-03-28T07:10:44.582834+0200","flow_id":1226190670301487,"in_iface":"br0","event_type":"dns","src_ip":"192.168.1.111","src_port":16652,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"version":2,"type":"answer","id":10382,"flags":"8180","qr":true,"rd":true,"ra":true,"rrname":"www.youtube.com","rrtype":"A","rcode":"NOERROR","answers":[{"rrname":"www.youtube.com","rrtype":"CNAME","ttl":84600,"rdata":"youtube-ui.l.google.com"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.180.206"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.78"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"172.217.20.14"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"172.217.19.110"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.46"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.251.39.14"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.180.238"},{"rrname":"youtube-ui.l.google.com","rrtype":"A","ttl":3600,"rdata":"142.250.201.206"}],"grouped":{"A":["142.250.180.206","142.251.39.78","172.217.20.14","172.217.19.110","142.251.39.46","142.251.39.14","142.250.180.238","142.250.201.206"],"CNAME":["youtube-ui.l.google.com"]}}}
__________________________________________
27/3/2022 -- 21:47:59 - <Info> - Running in live mode, activating unix socket
27/3/2022 -- 21:47:59 - <Info> - Using unix socket file '/opt/var/run/suricata/suricata-command.socket'
27/3/2022 -- 21:47:59 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
27/3/2022 -- 21:47:59 - <Info> - All AFP capture threads are running.
BreakingDad
Very Senior Member
Would a pi 4 run this ? I'm looking for something to try on my spare one.
Don't worry, apparently it runs well on a rpi.
Well that's the weekend sorted, apart from the pizza.
Don't worry, apparently it runs well on a rpi.
Well that's the weekend sorted, apart from the pizza.
Clark Griswald
Very Senior Member
BreakingDad
Very Senior Member
and a spare pi3, only 1 running right now. (yeah i heard their is a shortage of them right now)
Last edited:
Looks like IPS mode works in NFQUEUE mode.
The test rule was used to block a download file that I uploaded to a web server.
fast.log:
04/02/2022: 12: 54.223803 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.100:65108
04/02/2022-15: 13: 54.508244 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.106:42572
My iptables:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
629K 630M NFQUEUE all - * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
0 0 ACCEPT all - eth0 * 0.0.0.0/0 224.0.0.0/4
1 40 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED
0 0 other2wan all -! Br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1 105 NSFW all - * * 0.0.0.0/0 0.0.0.0/0
1 105 ACCEPT all - br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPN all - * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DNSFILTER_DOT tcp - br + * 0.0.0.0/0 0.0.0.0/0 tcp dpt: 853
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0
The test rule was used to block a download file that I uploaded to a web server.
| CPU Load Average (1, 5, 15 mins) | 3.93, 3.62, 3.53 |
|---|
fast.log:
04/02/2022: 12: 54.223803 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.100:65108
04/02/2022-15: 13: 54.508244 [Drop] [**] [1: 1: 1] Alarm detected [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 8x.2.3 x.1x3: 80 -> 192.168.1.106:42572
My iptables:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
629K 630M NFQUEUE all - * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0
0 0 ACCEPT all - eth0 * 0.0.0.0/0 224.0.0.0/4
1 40 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED
0 0 other2wan all -! Br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1 105 NSFW all - * * 0.0.0.0/0 0.0.0.0/0
1 105 ACCEPT all - br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all - * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 OVPN all - * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DNSFILTER_DOT tcp - br + * 0.0.0.0/0 0.0.0.0/0 tcp dpt: 853
0 0 logdrop all - * * 0.0.0.0/0 0.0.0.0/0
Last edited:
Hi,
can you share what and how needs to be modified in v4 scripts to make it working, please?
there is no installation script, everything has to be installed one by one manually
suricata6-extra_6.0.4-1_aarch64-3.10.ipk
iptables -I FORWARD -j NFQUEUE
instead of this --runmode: workers-- You can try this --runmode: autofp--
Last edited:
heysoundude
Part of the Furniture
do you need one? I've a 1GB Pi4 w PS sitting next to me I could probably part with
Clark Griswald
Very Senior Member
@heysoundude
Thank You for the offer! I am on the wait list for several Pi 4 8GBs.
Thank You for the offer! I am on the wait list for several Pi 4 8GBs.
heysoundude
Part of the Furniture
If you're pressed for time and need one, I figured I'd offer. hopefully the wait isn't too long for you
XIII
Very Senior Member
Hardware requirements?
rgnldo
Very Senior Member
Nice! IPS NFQUEUE + selected rules + SSL fingerprint
XIII
Very Senior Member
Does anyone know what they are?
I was able to purchase a Raspberry 4 with 8 GB (for a different project) and now I wonder whether this tiny computer can run Suricata?
Similar threads
Similar threads
Similar threads
-
amtm amtm Incorrectly Reporting Firmware Update Available- Started by visortgw
- Replies: 14