Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
Suricata’s fast paced community driven development focuses on security, usability and efficiency.

IDS vs IPS

Not compatible with AiProtection Trend Micro and QoS Adaptive

ABOUT: I would like to inform you that all members who help in this thread are volunteers. Therefore, some problems may take a day or more to be answered. Wait patiently.

Instalation step:
Create Swap file
We will need the Entware-NG repository.

Suricata script installer
This repo includes support files used by suricata_manager.sh maintained by @juched https://github.com/juched78/suricata-merlin

Includes scripts to support features like:

• Install and Uninstall Suricata
• Auto update rules nightly at 3AM
• Collect Logs
• Display stats on UI

Pre-requisites

1. Currently only supports Asus routers running Merlin firmware
2. Asus QoS and AiProtection Trend Micro DISABLED
3. Entware
4. USB Storage
5. JFFS Custom Scripts Enabled

Install/Update Example

1. Run the installer:

mkdir /jffs/addons 2>/dev/null;mkdir /jffs/addons/suricata 2>/dev/null; curl --retry 3 "https://raw.githubusercontent.com/juched78/suricata-merlin/master/suricata_manager.sh" -o "/jffs/addons/suricata/suricata_manager.sh" && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" && /jffs/addons/suricata/suricata_manager.sh install

Usage
Usage: suricata_manager ['help'|'-h'] | [ 'debug' ] [ 'install' | 'uninstall' | 'check' | 'stop' | 'start' | 'logs' | 'config[x]' | 'test' ]

suricata_manager config: View the suricata.yml file

suricata_manager configx: Edit the suricata.yml file

suricata_manager check: Syntax check the suricata.yml file

suricata_manager test: Generate a spoof HTTPS attack (To see it you will need to enable the http.log) uid=0(root) gid=0(root) groups=0(root)

suricata_manager logs: View the logs for activity

/opt/var/log/suricata/fast.log

/opt/var/log/suricata/stats.log

Optional:
Credits: @faux123
Fork FW Merlin adapted for Suricata.
WARNING: this is a GPL only release, meaning if you use this release with AdaptiveQoS or AiProtect (AiMesh is okay which I'm using myself).

Because Zswap is enabled by default. Add the following line to your script located in /jffs/scripts/post-mount

echo 100 > /proc/sys/vm/swappiness

just before the swapon line. Zswap will use 25% of your RAM and using z3fold memory compression (about 2.6x compression ratio) to expand your RAM further. so 25% of 512MBytes, then 128Mbytes * 2.6 compression ratio = 332 MByte total compressed memory then add back to your remaining real RAM of 384 MBytes, you will have approximately 716 Mbytes of RAM to play with which helps the poor AC86U with just 512 MBytes of real RAM. This will help suricata a bit as suricata is a memory hog.

For Wireguard, please follow the wireguard post in the VPN forum, the only thing you need to change is to change the line in the wireguard shell scripts (located /opt/etc/wireguard/wg-up wg-policy wg-server) where you see:

#insmod /opt/lib/modules/wireguard
insmod /lib/modules/4.1.27/kernel/net/wireguard/wireguard

so it uses the built-in kernel module rather than kernel module from Entware.

For CakeQos make the following change to /jffs/addons/cake-qos/cake-qos script where

        #insmod /opt/lib/modules/sch_cake.ko 2>/dev/null
        insmod /lib/modules/4.1.27/kernel/net/sch_cake/sch_cake.ko 2>/dev/null

Get faux123_fork_fw_merlin
Download and use at your own risk.

Enjoy!

 

[TonyK132]

Maybe I'm brain dead today (always?), but please explain your statement:

I do not recommend installing with Skynet, as long as there is no firewall support.

 

[juched]

Ok, interesting. Will need to see where this goes, but I see a potential for something neat here. Asus routers do have IDS/IPS with AiProtect, but you cannot really see inside that. Here you can.

 

[rgnldo]

Maybe I'm brain dead today (always?), but please explain your statement:

You need firewall rules. If you managed to live with Skynet, that's fine.

 

[rgnldo]

Ok, interesting. Will need to see where this goes, but I see a potential for something neat here. Asus routers do have IDS/IPS with AiProtect, but you cannot really see inside that. Here you can.

Yes. This is the purpose.

 

[intr0]

I saw Suricata IDS and . Awesome.

 

[SomeWhereOverTheRainBow]

Suricata is a free and open source, mature, fast and robust network threat detection engine.
The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.
Suricata inspects the network traffic using a powerful and extensive rules and signature language, and has powerful Lua scripting support for detection of complex threats.
Suricata’s fast paced community driven development focuses on security, usability and efficiency.

The installation proposal is experimental. Installation is recommended for HND routers, with a 4.x kernel.
I do not recommend installing with Skynet, as long as there is no firewall support.

Instalation step:
Create Swap file
We will need the Entware-NG repository.

opkg update
opkg install suricata

Get suricata.yaml

curl -o /opt/etc/suricata/suricata.yaml https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/suricata.yaml

Edit on
address-groups:
HOME_NET:
and
DNS_SERVERS:

Get S82suricata

curl -o /opt/etc/init.d/S82suricata https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/S82suricata

chmod +x /opt/etc/init.d/S82suricata

Get rules and classification.config:

mkdir /opt/var/lib/suricata/rules

owner folder:

chown nobody /opt/var/lib/suricata/rules

curl -o /opt/etc/suricata/classification.config https://rules.emergingthreats.net/open/suricata-4.0/rules/classification.config

and

curl -SL https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -zxC /opt/var/lib/suricata/

run suricata:

/opt/etc/init.d/S82suricata start

Enjoy!

I appreciate that you got around to this.

 

[XIII]

You need firewall rules. If you managed to live with Skynet, that's fine.

I’m afraid I don’t understand this answer.

Can someone please explain to a newbie that wants to learn?

Does this replace SkyNet? Or is it (currently) incompatible?

(I might be confused by the “as long as” in the first post; to me that suggests something is currently missing and I should wait for that - but the confusion might also be caused by the fact that we both are not native speakers?)

 

[coxhaus]

I like this. You will have a bright future as router CPUs are getting faster and faster with more RAM.

 

[thelonelycoder]

I’m afraid I don’t understand this answer.

Can someone please explain to a newbie that wants to learn?

Does this replace SkyNet? Or is it (currently) incompatible?

(I might be confused by the “as long as” in the first post; to me that suggests something is currently missing and I should wait for that - but the confusion might also be caused by the fact that we both are not native speakers?)

The usual confusion.

 

[rgnldo]

I’m afraid I don’t understand this answer.

Can someone please explain to a newbie that wants to learn?

Does this replace SkyNet? Or is it (currently) incompatible?

(I might be confused by the “as long as” in the first post; to me that suggests something is currently missing and I should wait for that - but the confusion might also be caused by the fact that we both are not native speakers?)

There is no goal of replacing applications. For now, there is no support. Soon we will have support. But if you follow the rules of Suricata and the engine mode, you will see something ROBUST and completely compatible with IPV4/IPV6.

 

[rgnldo]

An application like trojans. Suricata acting.

04/26/2020-10:48:59.208024  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>
04/26/2020-18:50:29.049005  [**] [1:2404303:5712] ET CNC Feodo Tracker Reported CnC Server group 4 [**] [Classification: A Network Trojan was Detected] [Prior>

 

[Milan]

thanks, working like a charm.

 

[rgnldo]

thanks, working like a charm.

get new suricata.yaml
edit on:
HOME_NET:
DNS_SERVERS:
and
af-packet:
- interface: -> your interface wan

 

[mike37]

thanks, working like a charm.

Good to know; thank you for posting, Milan!!

And thank you Rgnldo for the OP!!

Some questions, please:

1. Which router? Which firmware?

2. What else are you running? Any conflicts or performance degradation?

3. How did you test it? e.g. NMAP? Metasploit? Possibly a testing site on the web (I used to know of an NMAP site, but lost it)? And what tests?

4. How frequently are the signatures updated? Is this a manual operation; or perhaps automatically weekly?

5. Could/would you compare/contrast it with the AiProtect, please.

Thank you very much In Advance!!!

 

[Milan]

get new suricata.yaml
edit on:
HOME_NET:
DNS_SERVERS:
and
af-packet:
- interface: -> your interface wan

the interface is br0 I think?

Good to know; thank you for posting, Milan!!

And thank you Rgnldo for the OP!!

Some questions, please:

1. Which router? Which firmware?

2. What else are you running? Any conflicts or performance degradation?

3. How did you test it? e.g. NMAP? Metasploit? Possibly a testing site on the web (I used to know of an NMAP site, but lost it)? And what tests?

4. How frequently are the signatures updated? Is this a manual operation; or perhaps automatically weekly?

5. Could/would you compare/contrast it with the AiProtect, please.

Thank you very much In Advance!!!

1.ax88u with the latest merlin
2. all other scripts from here - haven't seen any perf degradation.
3. haven't tested
4. no clue, haven't checked till now.
5. no clue how to compare.

http log is showing info, but stats are empty...

 

[rgnldo]

the interface is br0 I think?

You need to verify your WAN, whether eth0 or ppp0
see

ifconfig

http log is showing info, but stats are empty...

In order not to overload, I only enabled logging with detection. If you wish, you can enable other logs.

 

[rgnldo]

1. Which router? Which firmware?

I recommend installing on a HND router.

2. What else are you running? Any conflicts or performance degradation?

the rules that I have enabled are enough to obtain a good functioning.

3. How did you test it? e.g. NMAP? Metasploit? Possibly a testing site on the web (I used to know of an NMAP site, but lost it)? And what tests?

Yes, tested.

5. Could/would you compare/contrast it with the AiProtect, please.

open source, engine detect ipv4/ipv6, strong development community.

4. How frequently are the signatures updated? Is this a manual operation; or perhaps automatically weekly?

via cron, I will organize in the post.

 

[SuperDuke]

@rgnldo .....do you disable AiProtect as well with this setup?

Suricata reads like a very good solution....I would be interested in understanding what the thoughts are comparing it to say Skynet.

Also, is there any Unbound interfaces?

 

[dffvb]

Sounds interesting and like a severe security upgrade for the Asus routers. Speaking for myself: I think you need to communicate a little bit better, for the people to understand. Thanks for the work so far.