Suricata 6 is available for testing


Does anyone know what they are?

I was able to purchase a Raspberry 4 with 8 GB (for a different project) and now I wonder whether this tiny computer can run Suricata?
The Pi is basically/superficially the same processor (4x1.8GHz cores) as an AX86 as far as I'm aware, but it has more RAM... either should run Suricata fairly effortlessly (depending on your network traffic levels, of course).

Even at https://suricata.io/ there isn't much talk of hardware requirements (you could dig into their community to try to suss out the REAL story), but I'd expect that if the machine you're choosing to use as a router runs some basic Linux that's compatible with the current version of Suricata, it'll work to some extent. More capable machines will have fewer restrictions, naturally.
 
I have successfully installed the SURICATA-EXTRA package, based on glehel's post #31 in this thread, and wanted to share my notes in case it helps / encourages others to try. I chose EXTRA so that I had NFQ capabilities.

My signature shows the setup I have this running in ==> you need a router with sufficient RAM / CPU to be able to run the mode I have set up (please see the posts in this thread and the 2020 Suricata v4 thread for guidance).

Please note I am in LEARNING mode with Asuswrt and Suricata - I'm sure there are other / better ways to accomplish what I did and I welcome any and all feedback to help me learn more and improve.

Special thanks to glehel and many others in the original Suricata thread back in 2020 (Suricata - IDS on AsusWRT Merlin) for the tips and guidance!!!

Steps
1. Make a temporary directory (e.g. /tmp/packages) to download the package files from here - https://bin.entware.net/aarch64-k3.10/test/suricata6/

2. Download the following packages to the temp directory
curl --progress-bar -o /tmp/packages/suricata6-extra_6.0.4-1_aarch64-3.10.ipk https://bin.entware.net/aarch64-k3.10/test/suricata6/suricata6-extra_6.0.4-1_aarch64-3.10.ipk
curl --progress-bar -o /tmp/packages/libnss_3.69-1_aarch64-3.10.ipk https://bin.entware.net/aarch64-k3.10/test/suricata6/libnss_3.69-1_aarch64-3.10.ipk
curl --progress-bar -o /tmp/packages/nspr_4.32-1_aarch64-3.10.ipk https://bin.entware.net/aarch64-k3.10/test/suricata6/nspr_4.32-1_aarch64-3.10.ipk
*** Note - the Suricata package is dependent on the libnss and nspr packages; libnss is dependent on nspr

3. Install the packages in the following order, due to dependencies
opkg install /tmp/packages/nspr_4.32-1_aarch64-3.10.ipk
opkg install /tmp/packages/libnss_3.69-1_aarch64-3.10.ipk
opkg install /tmp/packages/suricata6-extra_6.0.4-1_aarch64-3.10.ipk

4. Create / update the suricata.yaml file, which configures suricata the way you want. I used the one in glehel's #31 post, with minor updates to suit my preferences:
Changed stats to "enabled: no"
changed eve-log to "enabled: no"
changed syslog to "enabled: yes" and uncommented "level: Info"
under the "outputs:" section, changed the syslog settings as follows:
  - syslog:
      enabled: yes
      level: info
      facility: local5
      format: "[%i] <%d> -- "
      # type: json

changed host-mode: router

5. Create the S82suricata init.d file, so that Suricata starts on router bootup. I used the one in glehel's #31 post as is. The only change depends on which mode you want to run.
Place the file in the /opt/etc/init.d directory and make the file executable (chmod +x)
Comment / uncomment the "ARGS=" line - only one should be uncommented at a time.
IDS mode ==> ARGS="-c /opt/etc/suricata/suricata.yaml --af-packet -D" <== suggest starting in this mode until you have everything working the way you want
IPS mode ==> ARGS="-c /opt/etc/suricata/suricata.yaml -q 0 -D"

6. Create the rules update file - suricata_update.sh. Again, I used the one in glehel's #31 post as is.
Make a suricata addon directory ==> mkdir /jffs/addons/suricata
Place the file in the /jffs/addons/suricata directory
Make the file executable ==> chmod +x /jffs/addons/suricata/suricata_update.sh
Add the following line to the /jffs/scripts/services-start file, so the rules can be updated nightly
cru a Suricata_Update.sh "0 3 * * * /jffs/addons/suricata/suricata_update.sh"

7. If running in IPS mode, add the following to the bottom of the /jffs/scripts/post-mount script. This is the iptables rule noted in glehel's post #31
/usr/sbin/iptables -I FORWARD -j NFQUEUE # Suricata when running in IPS mode

Reboot the router and happy experimenting and learning
 
3. Install the packages in the following order, due to dependencies
opkg install /tmp/packages/nspr_4.32-1_aarch64-3.10.ipk
opkg install /tmp/packages/libnss_3.69-1_aarch64-3.10.ipk
opkg install /tmp/packages/suricata6-extra_6.0.4-1_aarch64-3.10.ipk
cru a Suricata_Update.sh "0 3 * * * /jffs/addons/suricata/suricata_update.sh"
unnecessary

The package suricata-update is needed
suricata6-update_6.0.4-1_aarch64-3.10.ipk

Run:
Bash:
suricata-update enable-source et/open
suricata-update list-sources
suricata-update

Process:
Bash:
rgnldo@id_lan:/tmp/home/root# suricata-update
2/2/2023 -- 12:09:26 - <Info> -- Using data-directory /opt/var/lib/suricata.
2/2/2023 -- 12:09:26 - <Info> -- Using Suricata configuration /opt/etc/suricata/suricata.yaml
2/2/2023 -- 12:09:26 - <Info> -- Using /opt/etc/suricata/rules for Suricata provided rules.
2/2/2023 -- 12:09:26 - <Info> -- Found Suricata version 6.0.4 at /opt/bin/suricata.
2/2/2023 -- 12:09:26 - <Info> -- Loading /opt/etc/suricata/suricata.yaml
2/2/2023 -- 12:09:26 - <Info> -- Disabling rules for protocol http2
2/2/2023 -- 12:09:26 - <Info> -- Disabling rules for protocol modbus
2/2/2023 -- 12:09:26 - <Info> -- Disabling rules for protocol dnp3
2/2/2023 -- 12:09:26 - <Info> -- Disabling rules for protocol enip
2/2/2023 -- 12:09:26 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.4/emerging.rules.tar.gz.
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/app-layer-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/decoder-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/dhcp-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/dnp3-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/dns-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/files.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/http-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/ipsec-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/kerberos-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/modbus-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/nfs-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/ntp-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/smb-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/smtp-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/stream-events.rules
2/2/2023 -- 12:09:28 - <Info> -- Loading distribution rule file /opt/etc/suricata/rules/tls-events.rules
2/2/2023 -- 12:09:30 - <Info> -- Ignoring file rules/emerging-deleted.rules
2/2/2023 -- 12:09:45 - <Info> -- Loaded 40869 rules.
2/2/2023 -- 12:09:48 - <Info> -- Disabled 14 rules.
2/2/2023 -- 12:09:48 - <Info> -- Enabled 0 rules.
2/2/2023 -- 12:09:48 - <Info> -- Modified 0 rules.
2/2/2023 -- 12:09:48 - <Info> -- Dropped 0 rules.
2/2/2023 -- 12:09:50 - <Info> -- Enabled 131 rules for flowbit dependencies.
2/2/2023 -- 12:09:50 - <Info> -- Backing up current rules.
2/2/2023 -- 12:15:25 - <Info> -- Writing rules to /opt/var/lib/suricata/rules/suricata.rules: total: 40869; enabled: 33160; added: 0; removed 0; modified: 23707
2/2/2023 -- 12:16:11 - <Info> -- Writing /opt/var/lib/suricata/rules/classification.config
2/2/2023 -- 12:16:46 - <Info> -- Testing with suricata -T.
2/2/2023 -- 12:23:14 - <Info> -- Done.

Edit the configuration file suricata.yaml so that it listens only to the LAN.
- eth0 -> br0
- I reduced all values of the allocated memory: memcap 32mb
- I have reduced the rules to those needed in an end-user environment, given router limitations, and with few occurrences of false positives:
YAML:
default-rule-path: /opt/etc/suricata/rules

rule-files:
   - botcc.rules
   - botcc.portgrouped.rules
   - compromised.rules
   - drop.rules
   - dshield.rules
   - emerging-malware.rules
   - emerging-mobile_malware.rules
   - emerging-worm.rules
   - ciarmy.rules
   - emerging-scan.rules
   - emerging-attack_response.rules


/jffs/scripts/post-mount
Bash:
/usr/sbin/iptables -I FORWARD -j NFQUEUE
Is it appropriate to add it to S82suricata?

Warning: due to the IP blocklist contained in most of the Suricata rules, it is not recommended to install Skynet
Thanks for this... My interest is piqued... What kind of interface does this have to see or respond to alerts? Any dashboards, or is everything pretty much just command-line based?
 
@rgnldo - thanks for the feedback and some additional info based on that feedback
  • suricata-update - after my initial post, I did install suricata-update, got it working, and did away with the manual update process
  • rules - by default, suricata-update will combine all rules into a single file, but command line options allow overriding that and where they end up getting stored so that not many changes are needed in the referenced YAML
  • iptables placement - either S82suricata or post-mount appear to work
@Viktor Jaep - I viewed the alerts via the command line, no dashboard. Depending on your preferences, you can control which logs get generated and where they live via the suricata.yaml file - I set up only two files (suricata.log - Suricata itself, and fast.log - rule alerts). This way I can quickly filter / view what I'm interested in - for me, the command line is much quicker / easier.
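As an added example (not from this thread or from the Suricata project), here is a small POSIX shell script for the command-line triage described above: it reads a fast.log, counts alerts and drops, ranks signatures, and lists LAN hosts that show up as alert sources. The log lines, sids 9000001-9000003 and all addresses are constructed, and the LAN prefix 192.168.1. is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): triage of Suricata's
# fast.log from a router shell, using only busybox sh, awk and sort.
# The log lines are constructed; sids 9000001-9000003 and all addresses are made up.
SAMPLE_FAST_LOG='02/02/2023-12:09:26.123456  [**] [1:9000001:1] CONSTRUCTED Inbound blocklisted source [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:55555 -> 192.168.1.20:22
02/02/2023-12:10:01.000001  [Drop] [**] [1:9000001:1] CONSTRUCTED Inbound blocklisted source [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.7:55556 -> 192.168.1.20:443
02/02/2023-12:11:17.000002  [**] [1:9000002:1] CONSTRUCTED Outbound beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:50123 -> 203.0.113.9:8080
02/02/2023-12:11:18.000003  [**] [1:9000002:1] CONSTRUCTED Outbound beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:50124 -> 203.0.113.9:8080
02/02/2023-12:11:19.000004  [**] [1:9000002:1] CONSTRUCTED Outbound beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:50125 -> 203.0.113.9:8080
02/02/2023-12:12:00.000005  [**] [1:9000003:1] CONSTRUCTED Port scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:1 -> 192.168.1.1:53'

# Total alert lines, and how many Suricata actually blocked. In IPS mode (-q 0 plus the
# NFQUEUE rule) a blocked alert carries "[Drop]"; in IDS mode (--af-packet) every line
# is alert-only, so drops=0 is a quick check of which mode is really running.
fast_log_counts() {
    awk 'NF { n++ } /\[Drop\] \[\*\*\]/ { d++ }
         END { printf "alerts=%d drops=%d\n", n, d }' "$1"
}

# Alerts per signature, busiest first: "count sid message".
fast_log_by_sig() {
    awk 'BEGIN { FS = " \\[\\*\\*\\] " }
         NF >= 2 {
             sig = $2                                  # "[1:9000002:1] message text"
             sid = sig; sub(/^\[1:/, "", sid); sub(/:.*$/, "", sid)
             msg = sig; sub(/^\[[0-9:]*\] /, "", msg)
             cnt[sid]++; text[sid] = msg
         }
         END { for (s in cnt) printf "%d %s %s\n", cnt[s], s, text[s] }' "$1" | sort -rn
}

# Alert sources inside the LAN prefix (192.168.1. by default, an assumption): an internal
# host tripping rules deserves attention before Internet background noise does.
fast_log_lan_sources() {
    awk -v lan="${2:-192.168.1.}" '
        NF { src = $(NF-2); sub(/:[0-9]+$/, "", src)   # "ip:port" -> "ip"
             if (index(src, lan) == 1) c[src]++ }
        END { for (s in c) printf "%d %s\n", c[s], s }' "$1" | sort -rn
}

# Write the constructed sample to a temp file and run the three views. On the router,
# point them at the fast.log under the default-log-dir set in suricata.yaml instead.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_FAST_LOG" > "$SAMPLE_FILE"
fast_log_counts "$SAMPLE_FILE"
fast_log_by_sig "$SAMPLE_FILE"
fast_log_lan_sources "$SAMPLE_FILE" 192.168.1.
```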
 
Just checking @kstamand ... are you running both skynet and suricata together? No conflicts there?
 
Is it possible to integrate Geo-Location guidance like the firewall geo-drop map in the attached image?
 
Check out section 6.3.8 here and see if that helps answer
I may not have expressed myself clearly. I want to know if there are any simple steps to display a geographic map dashboard in combination with this Suricata package.
 
Sorry, not that I’m aware of
 
Yes - me. Suricata requirements exceed hardware available in home routers.
If you want IDS/IPS with Suricata - run it on proper x86 hardware with 4GB RAM.
 
So this version of Suricata isn't more like a baby cow that you can stuff into the back of your car? Lol
 
I have a baby cow and it wants 1.5GB RAM to moo happily. Also, this baby cow is more like a pet being fed with mostly encrypted hay.
 
Sounds more like a...
 
You better focus on WXMON. Don't get fired twice in one week.


:)
 