Suricata Suricata - IDS on AsusWRT Merlin

[Smokey613]

It took some work to adapt for FW Merlin. I have been using Suricata for some time. I trust so much that I don’t even look at the logs.

A big thanks for all your hard work on this. I think many people are like myself. I want to verify the operation of a new program and once I am confident with it’s ability, I can just “let it do it’s job” like I do with Skynet and all the other scripts I run. I had to gain confidence in all of them before trusting them and just letting them run.

 

[mike37]

Sorry, I don't know those words.

ISTM = It Seems To Me
IMHO = In My Humble Opinion

Abbreviations intended to "soften" stated beliefs and opinions with which someone else may disagree; or simply dislike

https://www.dailywritingtips.com/internet-initialisms/

 

[mike37]

Pen testing sites

Anyone testing suricata with a free, public online pen tester: e.g. metasploit, nmap,? Am NOT looking for a port scanner to test for a "stealthed" firewall, but instead a site providing metasploit scripted attacks and exploits, or at least access to nmap so I can roll my own. (In the "old days" you could find these pen testing sites all over the place.)

 

[mike37]

"Realtime" suricata monitor

Well, not actually real time - up to 5 second delay - but FWIW I'm having good luck with tail -f -s 5 /tmp/mnt/sda1/entware/var/log/suricata/fast.log (or eve.json if you'd prefer).

While I don't want to see suricata or firewall popups alerting me to the always-present random internet "noise", I do want to know right away if something/someone is making a targeted attack on me - succeeding or not.

(Heh.... guess I also want to quickly know if I've visited an innocent site that's been hacked, and have picked up a Trojan, or browser mischief, or etc. (e.g. it got in encrypted/https, and became active decrypted in memory); or if some guest, or client of the IOT is behaving badly on my LAN (the kind of activity that suricata "emerging-trojan.rules", "emerging-worm.rules", etc. are looking for)).

 

[coxhaus]

That sounds reasonable. I remember back when I was running Untangle behind my Cisco router some relatives came over to spend the night and their laptop had malware on it spewing out stuff which Untangle caught. They complained their laptop was not working. I had to disinfect it for it to pass Untangle.

 

[rgnldo]

That sounds reasonable. I remember back when I was running Untangle behind my Cisco router some relatives came over to spend the night and their laptop had malware on it spewing out stuff which Untangle caught. They complained their laptop was not working. I had to disinfect it for it to pass Untangle.

Situations that happen

 

[SuperDuke]

"Realtime" suricata monitor

Well, not actually real time - up to 5 second delay - but FWIW I'm having good luck with tail -f -s 5 /tmp/mnt/sda1/entware/var/log/suricata/fast.log (or eve.json if you'd prefer).

While I don't want to see suricata or firewall popups alerting me to the always-present random internet "noise", I do want to know right away if something/someone is making a targeted attack on me - succeeding or not.

(Heh.... guess I also want to quickly know if I've visited an innocent site that's been hacked, and have picked up a Trojan, or browser mischief, or etc. (e.g. it got in encrypted/https, and became active decrypted in memory); or if some guest, or client of the IOT is behaving badly on my LAN (the kind of activity that suricata "emerging-trojan.rules", "emerging-worm.rules", etc. are looking for)).

So if I may ask....how would you go about purging the logs if they start achieving bloat status? In doing some reading, it does also appear possible in the .yaml file to disable all of the logging across all of those files....not recommended I expect but I also wonder what to do if it gets excessive as you suggest.

Can I ask how the setup is working (for everyone)....this sounds like a very good project.

 

[penguin22]

Having read through this full thread, this project seems like it would be a great addition to become available in amtm. Is there a good baseline configuration yet and stability that someone with the right skill set might be able to create an install wrapper to expand this to the broader community? It would appear that there are several checks required for an install and it has similarities to what @Martineau has coded in unbound_manager for unbound installations; perhaps a comparable approach could be taken here?

e.g. Checks for:

• Trend Micro disabled
• Advanced QOS disabled
• Scribe available for log separation
• verbosity config for initial check, then reduce logging
• etc...

 

[ugandy]

Having read through this full thread, this project seems like it would be a great addition to become available in amtm. Is there a good baseline configuration yet and stability that someone with the right skill set might be able to create an install wrapper to expand this to the broader community? It would appear that there are several checks required for an install and it has similarities to what @Martineau has coded in unbound_manager for unbound installations; perhaps a comparable approach could be taken here?

e.g. Checks for:

• Trend Micro disabled
• Advanced QOS disabled
• Scribe available for log separation
• verbosity config for initial check, then reduce logging
• etc...

that would be icing on the cake

 

[Martineau]

Having read through this full thread, this project seems like it would be a great addition to become available in amtm. Is there a good baseline configuration yet and stability that someone with the right skill set might be able to create an install wrapper to expand this to the broader community? It would appear that there are several checks required for an install and it has similarities to what @Martineau has coded in unbound_manager for unbound installations; perhaps a comparable approach could be taken here?

e.g. Checks for:

• Trend Micro disabled
• Advanced QOS disabled
• Scribe available for log separation
• verbosity config for initial check, then reduce logging
• etc...

Well having been pinged.....

Use at your own risk...very basic

mkdir /jffs/addons 2>/dev/null;mkdir /jffs/addons/suricata 2>/dev/null; curl -kL https://pastebin.com/raw.php?i=XhNumLMU -o /jffs/addons/suricata/suricata_manager.sh  && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" && dos2unix /jffs/addons/suricata/suricata_manager.sh;/jffs/addons/suricata/suricata_manager.sh

How to use

suricata_manager -h

#======================================================================================================= © 2020 Martineau, v1.01
#  Install 'suricata - Real-time Intrusion Detection System (IDS), Intrusion Prevention System (IPS) package from Entware on Asuswrt-Merlin firmware.
#
#  Pre-reqs:   4.x kernel e.g. HND-models RT-AC86U,RT-AX88U or RT-AX56U,RT-AX58U
#              QoS and AiProtection Trend Micro DISABLED
#              Skynet DISABLED
#
# Usage:    suricata_manager    ['help'|'-h'] | [ 'debug' ]
#                               [ 'install' | 'uninstall' | 'check' | 'stop' | 'start' | 'logs' | 'config[x]' | 'test' ]
#
#           suricata_manager    config
#                               View the suricata.yml file
#           suricata_manager    configx
#                               Edit the suricata.yml file
#           suricata_manager    check
#                               Syntax check the suricata.yml file
#           suricata_manager    test
#                               Generate a spoof HTTPS attack (To see it you will need to enable the http.log)
#
#                                       uid=0(root) gid=0(root) groups=0(root)
#           suricata_manager    logs
#                               View the default three logs for activity
#
#                                       ==> /opt/var/log/suricata/fast.log <==
#
#                                       ==> /opt/var/log/suricata/stats.log <==
#
#                                       ==> /opt/var/log/suricata/eve-2020-05-09-15:38.json <==

 

[ugandy]

Hi,

Are this number of threads, with the default suricata.yaml, expected?

cromo@RT-AX88U-8158:/tmp/home/root# ps T|grep suri
19668 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19675 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19676 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19677 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19678 cromo 733m S {Suricata-Main} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19679 cromo 733m S {W#01} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19680 cromo 733m S {W#02} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19681 cromo 733m S {W#03} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19682 cromo 733m S {W#04} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19683 cromo 733m S {W#05} suricata -c /opt/etc/suricata/suricata.yaml --af-packet
19684 cromo 733m S {W#06} suricata -c /opt/etc/suricata/suricata.yaml --af-packet

 

[ugandy]

Well having been pinged.....

Use at your own risk...very basic

How to use

suricata_manager -h

#======================================================================================================= © 2020 Martineau, v1.01
#  Install 'suricata - Real-time Intrusion Detection System (IDS), Intrusion Prevention System (IPS) package from Entware on Asuswrt-Merlin firmware.
#
#  Pre-reqs:   4.x kernel e.g. HND-models RT-AC86U,RT-AX88U or RT-AX56U,RT-AX58U
#              QoS and AiProtection Trend Micro DISABLED
#              Skynet DISABLED
#
<==

@Martineau
my understanding, is that skynet is not needed when using suricata, but that disabling skynet is *not* mandatory, am i wrong? i've been running them together...

 

[SuperDuke]

Well having been pinged.....

Use at your own risk...very basic

mkdir /jffs/addons 2>/dev/null;mkdir /jffs/addons/suricata 2>/dev/null; curl -kL https://pastebin.com/raw.php?i=XhNumLMU -o /jffs/addons/suricata/suricata_manager.sh  && chmod 755 "/jffs/addons/suricata/suricata_manager.sh" && dos2unix /jffs/addons/suricata/suricata_manager.sh;/jffs/addons/suricata/suricata_manager.sh

How to use

suricata_manager -h

#======================================================================================================= © 2020 Martineau, v1.01
#  Install 'suricata - Real-time Intrusion Detection System (IDS), Intrusion Prevention System (IPS) package from Entware on Asuswrt-Merlin firmware.
#
#  Pre-reqs:   4.x kernel e.g. HND-models RT-AC86U,RT-AX88U or RT-AX56U,RT-AX58U
#              QoS and AiProtection Trend Micro DISABLED
#              Skynet DISABLED
#
# Usage:    suricata_manager    ['help'|'-h'] | [ 'debug' ]
#                               [ 'install' | 'uninstall' | 'check' | 'stop' | 'start' | 'logs' | 'config[x]' | 'test' ]
#
#           suricata_manager    config
#                               View the suricata.yml file
#           suricata_manager    configx
#                               Edit the suricata.yml file
#           suricata_manager    check
#                               Syntax check the suricata.yml file
#           suricata_manager    test
#                               Generate a spoof HTTPS attack (To see it you will need to enable the http.log)
#
#                                       uid=0(root) gid=0(root) groups=0(root)
#           suricata_manager    logs
#                               View the default three logs for activity
#
#                                       ==> /opt/var/log/suricata/fast.log <==
#
#                                       ==> /opt/var/log/suricata/stats.log <==
#
#                                       ==> /opt/var/log/suricata/eve-2020-05-09-15:38.json <==

Sir (@Martineau ), you are a benefit to all here.....do you rest/sleep??

 

[mike37]

@Martineau
my understanding, is that skynet is not needed when using suricata, but that disabling skynet is *not* mandatory, am i wrong? i've been running them together...

IMHO Skynet keeps you away from MANY dangerous sites, and uses the very fast, very efficient iptables ipset commands.

Suricata has optional rule sets that also block dangerous sites, but FWICT not nearly as many as Skynet, and not as efficiently (system processing overhead).

There might be sites in Suricata that are not in Skynet, but probably very few if any.

The two are compatible; you can run them both.

IMHO run both Skynet, and Suricata without address-blocking rules.

 

[mike37]

So if I may ask....how would you go about purging the logs if they start achieving bloat status? In doing some reading, it does also appear possible in the .yaml file to disable all of the logging across all of those files....not recommended I expect but I also wonder what to do if it gets excessive as you suggest.

Can I ask how the setup is working (for everyone)....this sounds like a very good project.

I'm still trying to learn how to use Suricata which requires that I pay attention to the various logs - so I manually delete all log (and json) files after review and before each starting. One can configure yaml to automatically overwrite files at restart.

Unlike other Merlin apps, IMHO Suricata is both involved and not a set-and-forget process; you'll have to keep your hands dirty.

 

[Martineau]

@Martineau
my understanding, is that skynet is not needed when using suricata, but that disabling skynet is *not* mandatory, am i wrong? i've been running them together...

I've uploaded v1.03 and the install will now only issue a warning

suricata_manager install

v1.03 Suricata IDS/IPS Manager.....

    Router Configuration recommended pre-reqs status:

    [✖] Warning Router RT-AC68U isn't fully supported (Only HND-models RT-AC86U,RT-AX88U or RT-AX56U,RT-AX58U)
    [✔] TrendMicro DISABLED
    [✔] QoS DISABLED
    [✖] ***Warning Skynet installed

    Options:


    The router does not currently meet ALL of the recommended pre-reqs as shown above.
    However, whilst they are recommended, you may proceed with the suricata Install
    as the recommendations are NOT usually FATAL if they are NOT strictly followed.

    Press Y to continue suricata Install  or press [Enter] to ABORT

 

[penguin22]

I've uploaded v1.03 and the install will now only issue a warning

suricata_manager install

v1.03 Suricata IDS/IPS Manager.....

    Router Configuration recommended pre-reqs status:

    [✖] Warning Router RT-AC68U isn't fully supported (Only HND-models RT-AC86U,RT-AX88U or RT-AX56U,RT-AX58U)
    [✔] TrendMicro DISABLED
    [✔] QoS DISABLED
    [✖] ***Warning Skynet installed

    Options:


    The router does not currently meet ALL of the recommended pre-reqs as shown above.
    However, whilst they are recommended, you may proceed with the suricata Install
    as the recommendations are NOT usually FATAL if they are NOT strictly followed.

    Press Y to continue suricata Install  or press [Enter] to ABORT

Once my workday is over, I will test installing to provide feedback; I do have Traditional QoS enabled, though looking through this thread, believe that the limitation is Adaptive QoS... only one way to find out for sure .

Will also need to determine recovery/uninstall method should things go awry. I've become good at undo/revert with multiple joyous occurrences of breaking things to make them better.

 

[SuperDuke]

I'm still trying to learn how to use Suricata which requires that I pay attention to the various logs - so I manually delete all log (and json) files after review and before each starting. One can configure yaml to automatically overwrite files at restart.

Unlike other Merlin apps, IMHO Suricata is both involved and not a set-and-forget process; you'll have to keep your hands dirty.

So you restart the script often? Thanks....I appreciate that this is less a Skynet kind of thing....

 

[rgnldo]

Skynet

firewall

Suricata

IDS/IPS

These are applications for different purposes.

As I understand it, Suricata does not block websites, but the action of the website, application or any attempted intrusion.

Suricata is the default IDS in PFSense, OPNsense, IPfire and others

When I mention Skynet, I mean the need for firewall rules to work together.

 

[penguin22]

Once my workday is over, I will test installing to provide feedback; I do have Traditional QoS enabled, though looking through this thread, believe that the limitation is Adaptive QoS... only one way to find out for sure .

Will also need to determine recovery/uninstall method should things go awry. I've become good at undo/revert with multiple joyous occurrences of breaking things to make them better.

@Martineau, is it possible to also only warn about QoS if Traditional is in use and only block for Adaptive? I would like to see if the issue here was the Trend component required for Adaptive, where that is not in use when using Traditional.