Suricata Suricata - IDS on AsusWRT Merlin

[mike37]

I

.......Trend Micro communicates a lot outside, it might be better to disable it forever.

Indeed - which makes Suricata so interesting. AiProtection seems to work, but to an unknown degree (rules).

 

[glehel]

https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/

.

but the current setting is not set based on these, so I guess it doesn't work properly.

 

[mike37]

but the current setting is not set based on these, so I guess it doesn't work properly.

Yep! ....... FWICT it doesn't work as an af_packet IPS with the current settings. And it was compiled without NFQ support so it can't use the traditional method were IpTables/Netfilter able to support it.

If I get the time I'll play with it this weekend: reconfigure yaml, and add an address - e.g. 72.217.11.36 (google.com) - to one of the IPS drop address rules (e.g. "drop.rules", "compromised.rules") and see if I can get it to work with http/s.

(p.s. 'til IPS becomes functional, might as well comment out drop/compromised rules)

 

[Smokey613]

I was looking at my crontab and see the following for the rules updating.

Is the #suricata_updte# a typo?
0 3 * * * /opt/var/lib/suricata/rules/upd_rules_suricata.sh #suricata_updte#

 

[joe scian]

I was looking at my crontab and see the following for the rules updating.

Is the #suricata_updte# a typo?
0 3 * * * /opt/var/lib/suricata/rules/upd_rules_suricata.sh #suricata_updte#

No as long as you have a script called upd_rules_suricata.sh in /opt/var/lib/suricata/rules

 

[Smokey613]

No as long as you have a script called upd_rules_suricata.sh in /opt/var/lib/suricata/rules

Yes, I do and it seems to run just fine.

 

[joe scian]

Yes, I do and it seems to run just fine.

#suricata_updte# is just the variable name in the original cron command

cru a suricata_updte "0 3 * * * /opt/var/lib/suricata/rules/updates_rules_suricata.sh"

 

[glehel]

Yep! ....... FWICT it doesn't work as an af_packet IPS with the current settings. And it was compiled without NFQ support so it can't use the traditional method were IpTables/Netfilter able to support it.

If I get the time I'll play with it this weekend: reconfigure yaml, and add an address - e.g. 72.217.11.36 (google.com) - to one of the IPS drop address rules (e.g. "drop.rules", "compromised.rules") and see if I can get it to work with http/s.

(p.s. 'til IPS becomes functional, might as well comment out drop/compromised rules)

the interface is modified to br0 so that requests from vpn clients can be seen. many people use IPS lan. i set the ip address and it was successfully logged by suricata. but google.com remained available.
interesting and I haven't realized yet that you don't see wired computer traffic ?? wireless only. and they are in the same lan range br0.

 

[ugandy]

maybe a bit off topic, but since we talk about interfaces here, maybe someone can offer some insight.
when i do ifconfig, i see my wan on eth0, and my wifi nets on eth6 and eth7. is this normal (eth6,eth7)? did i misread? i thought ethx was for wired only
thanks

 

[mike37]

Got a chance to play with IPS today and didn't get very far.

The af-packet configuration, which is crucial for IPS, has evolved significantly since our version of suricata (4.7) was upgraded to 4.8 and now to 5.03. I considered upgrading to either 4.8 or 5.03 and starting there (sigh.... compiling it for Asus!? I Gotta say I appreciate suricata - it is straight foward to work with; has useful diagnostics; etc.).

But IIRC rgnldo earlier posted that he had started working on the next version of suricata (I presume 5.x) so because of a new need for IPS my plan now is to return to AiProtection (sigh..... recently I've begun to occasionally run a small Windows* laptop on the LAN/WAN, so now I very much want IPS) and hope that rgnldo gets back soon!!

 

[mike37]

maybe a bit off topic, but since we talk about interfaces here, maybe someone can offer some insight.
when i do ifconfig, i see my wan on eth0, and my wifi nets on eth6 and eth7. is this normal (eth6,eth7)? did i misread? i thought ethx was for wired only
thanks

Different apps can add and define different interfaces; for e.g. I don't have ethx, eth6 or eth7 on my up-to-date RT-AC68U which is used with both wired and wireless clients. I also don't have QOS, cloud functions, VPN servers or clients, etc.

You might list your router model, firmware version, applications, and a listing of your ifconfig and see if someone has something similar. Also, I'm guessing you have QOS - try deactivating that and see what your ifconfig looks like.

 

[ugandy]

Got a chance to play with IPS today and didn't get very far.

The af-packet configuration, which is crucial for IPS, has evolved significantly since our version of suricata (4.7) was upgraded to 4.8 and now to 5.03. I considered upgrading to either 4.8 or 5.03 and starting there (sigh.... compiling it for Asus!? I Gotta say I appreciate suricata - it is straight foward to work with; has useful diagnostics; etc.).

But IIRC rgnldo earlier posted that he had started working on the next version of suricata (I presume 5.x) so because of a new need for IPS my plan now is to return to AiProtection (sigh..... recently I've begun to occasionally run a small Windows* laptop on the LAN/WAN, so now I very much want IPS) and hope that rgnldo gets back soon!!

it would be nice to have suricata included in the amtm offerings

 

[SuperDuke]

Got a chance to play with IPS today and didn't get very far.

The af-packet configuration, which is crucial for IPS, has evolved significantly since our version of suricata (4.7) was upgraded to 4.8 and now to 5.03. I considered upgrading to either 4.8 or 5.03 and starting there (sigh.... compiling it for Asus!? I Gotta say I appreciate suricata - it is straight foward to work with; has useful diagnostics; etc.).

But IIRC rgnldo earlier posted that he had started working on the next version of suricata (I presume 5.x) so because of a new need for IPS my plan now is to return to AiProtection (sigh..... recently I've begun to occasionally run a small Windows* laptop on the LAN/WAN, so now I very much want IPS) and hope that rgnldo gets back soon!!

As I read it, the install instructions really only pull the current Entware package, so it may be worthwhile to simply ask whether a v5 suricate package is in the works for the next Entware update......from there, it appears the process to configure is pretty straightforward......compiling it for the router is certainly beyond my skillset...haha (maybe my laptop, but not the router....)

 

[dave14305]

Opkg indicates it (suricata_4.1.7-1armv7..) is the only package available; no later v4 or v5 beta listed.

Package maintainer is not indicated.

============================
Package: suricata
Version: 4.1.7-1
Depends: libc, libssp, librt, libpthread, libyaml, jansson, libpcap, libpcre, file, liblzma, liblz4
Status: install user installed
Section: net
Architecture: armv7-2.6
Size: 959778
Filename: suricata_4.1.7-1_armv7-2.6.ipk
Conffiles:
/opt/etc/suricata/suricata.yaml 2006954b031a64141e9dfd5af5ee9cb86851e7353b757e4d46a1cb079801678f
/opt/etc/suricata/classification.config c351636b386c13ee4cc5c59f2c95b2d05905376d17a4c8de58d02e5eb3c384f8
/opt/etc/suricata/reference.config 43117fc342eebf1dc4942541b19f2a3a37cf22a3c0e4d0b48e4dbc6d40b81610
/opt/etc/suricata/threshold.config fe73b9a81af710c22294f6b0dfa0a99d724e7193e4b944b60c645bb480e71183
Description: The Suricata engine is capable of real time intrusion detection (IDS), inline
intrusion prevention (IPS), network security monitoring (NSM) and offline pcap
processing. Suricata inspects the network traffic using a powerful and
extensive rules and signature language, and has powerful Lua scripting support
for detection of complex threats.
Installed-Time: 1588534742
============================

- I'm guessing it is rgnldo maintaining the Suricata package.
- Likely an earlier version of Suricata, along with an earlier version of suricata.yaml provided IPS - but a constantly-changing environment ended that.
- rgnldo earlier said "that is enough...." when referring to .yaml defaults. I'm guessing he wanted a reliable package that would work on the smallest processors - WHICH HE ACHIEVED..... for an IDS.
- v4.x can probably do IPS if one configures .yaml properly; but I'm guessing V5 is close and I don't have the time to research earlier documentation.

-SIGH ....Likely rgnldo is a "team" of 1, and is generously trying to support more than 2 routers. Given he indicated he was working on an upgrade, I am reluctant to ask about v5 at this time.

p.s. Heh... I suppose this could be compiled on a router..... GEEZE. But GCC can be run on your laptop configured to produce an armv7 executable..... Please let us know if you do that!!!

You could open an Issue on the Entware Github to request they (Entware team) update the Suricata version in their next big update.

They compile the software directly from the source, and have no dependencies on OpenWRT (like some other packages do).
https://github.com/Entware/rtndev/blob/master/suricata/Makefile

 

[mike37]

As I read it, the install instructions really only pull the current Entware package, so it may be worthwhile to simply ask whether a v5 suricate package is in the works for the next Entware update......from there, it appears the process to configure is pretty straightforward......compiling it for the router is certainly beyond my skillset...haha (maybe my laptop, but not the router....)

Opkg indicates it (suricata_4.1.7-1armv7..) is the only package available; no later v4 or v5 beta listed.

Package maintainer is not indicated.

============================
Package: suricata
Version: 4.1.7-1
Depends: libc, libssp, librt, libpthread, libyaml, jansson, libpcap, libpcre, file, liblzma, liblz4
Status: install user installed
Section: net
Architecture: armv7-2.6
Size: 959778
Filename: suricata_4.1.7-1_armv7-2.6.ipk
Conffiles:
/opt/etc/suricata/suricata.yaml 2006954b031a64141e9dfd5af5ee9cb86851e7353b757e4d46a1cb079801678f
/opt/etc/suricata/classification.config c351636b386c13ee4cc5c59f2c95b2d05905376d17a4c8de58d02e5eb3c384f8
/opt/etc/suricata/reference.config 43117fc342eebf1dc4942541b19f2a3a37cf22a3c0e4d0b48e4dbc6d40b81610
/opt/etc/suricata/threshold.config fe73b9a81af710c22294f6b0dfa0a99d724e7193e4b944b60c645bb480e71183
Description: The Suricata engine is capable of real time intrusion detection (IDS), inline
intrusion prevention (IPS), network security monitoring (NSM) and offline pcap
processing. Suricata inspects the network traffic using a powerful and
extensive rules and signature language, and has powerful Lua scripting support
for detection of complex threats.
Installed-Time: 1588534742
============================

- I'm guessing it is rgnldo maintaining the Suricata package.
- Likely an earlier version of Suricata, along with an earlier version of suricata.yaml provided IPS - but a constantly-changing environment ended that.
- rgnldo earlier said "that is enough...." when referring to .yaml defaults. I'm guessing he wanted a reliable package that would work on the smallest processors - WHICH HE ACHIEVED..... for an IDS.
- v4.x can probably do IPS if one configures .yaml properly; but I'm guessing V5 is close and I don't have the time to research earlier documentation.

-SIGH ....Likely rgnldo is a "team" of 1, and is generously trying to support more than 2 routers. Given he indicated he was working on an upgrade, I am reluctant to ask about v5 at this time.

p.s. Heh... I suppose this could be compiled on a router..... GEEZE. But GCC can be run on your laptop configured to produce an armv7 executable.....
Please let us know if you do that!!!

 

[mike37]

You could open an Issue on the Entware Github to request they (Entware team) update the Suricata version in their next big update.

They compile the software directly from the source, and have no dependencies on OpenWRT (like some other packages do).
https://github.com/Entware/rtndev/blob/master/suricata/Makefile

Were we talking about going from v4.1.7-1 to v4.1.8 that might make sense - of course coordinating with rgnldo.

Going from v4.1.7-1 to v5.0.3 will quite likely include configuration changes, changed compilation dependencies, perhaps new rule formats, etc. (I even noted af-packet specification format changes within v4.) So someone would have to research, update and test all of that! My guess is that rgnldo is working on that now, and pressuring anyone will come back to rgnldo

For me, the big concern in all of this is that we don't want to pressure rgnldo and cause him to regret trying to introduce suricata to asus-merlin.

The v4 IDS works; thank you rgnldo! And if you can comfortably get to it, an IPS would be wonderful!!

 

[glehel]

the af-packet creates a software bridge between 2 interfaces if you have it then the IPS works. This should be thought of as how to accomplish this in the Asus router.
I wanted to try nfq mode but it is not enabled in suricata. It must enable the compiler will work well if we can build the IP table.

 

[rgnldo]

And if you can comfortably get to it, an IPS would be wonderful!!

I thought you were on IPS

# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes

Try

# Runmode the engine should use.
runmode: workers

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
# autofp-scheduler: active-packets

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: router

# Linux high speed capture support
af-packet:
 - interface: XXX
copy-mode: ips
copy-iface: XXX
defrag: yes
use-mmap: yes

 

[rgnldo]

There are several limitations when deploying Suricata on an almost closed ARM router with Trend Micro code. From what I've noticed, the FW Merlin development team also has limitations.

Have you read Trend Micro's Terms of Use?

Suricata is an open source solution with a focus on privacy and protection.

The most suitable firmware would be FW Merlin LTS, but suffers from the lack of support for current routers.

 

[Martineau]

maybe a bit off topic, but since we talk about interfaces here, maybe someone can offer some insight.
when i do ifconfig, i see my wan on eth0, and my wifi nets on eth6 and eth7. is this normal (eth6,eth7)? did i misread? i thought ethx was for wired only

ASUS have always used 'ethX' for the two main WiFi instances.

 ./WiFiVPN.sh

(WiFiVPN.sh): 12922 v1.15 © 2016-2020 Martineau, WiFi status request.....[]

 WiFi Configuration Status for interfaces:
 wl0.1   USA_VPN_VLAN     2.4GHz Guest 1  (10.88.101.0/24) routed through tunnel VPN Client 1 (HMA New York) using VPN DNS (104.223.91.210) via Bridge: br1
 -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
 -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
 -----   (ASUS_5G_Guest1) 5GHz   Guest 1  ** Disabled **
 -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
 -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
 eth1    Herewego         2.4GHz Network
 eth2    AbitFaster       5GHz   Network

IIRC, 'eth6/eth7' are used by the two main WiFi interfaces on HND-Models e.g. RT-AC86U/RT-AX88U, (don't have access to my RT-AC86U at the moment) , and for RT-AX56U/RT-AX58U they use 'eth5/eth6'

./WiFiVPN.sh

(WiFiVPN.sh): 8373 v1.15 © 2016-2020 Martineau, WiFi status request.....[]

    WiFi Configuration Status for interfaces:
    wl0.1   GuestAX56_241    2.4GHz Guest 1
    -----   (ASUS_88_2G_Guest2) 2.4GHz Guest 2  ** Disabled **
    -----   (ASUS_88_2G_Guest3) 2.4GHz Guest 3  ** Disabled **
    -----   (ASUS_88_5G_Guest)  5GHz   Guest 1  ** Disabled **
    -----   (ASUS_88_5G_Guest2) 5GHz   Guest 2  ** Disabled **
    -----   (ASUS_88_5G_Guest3) 5GHz   Guest 3  ** Disabled **
    eth5    Getthis             2.4GHz Network  (192.168.101.0/24) via non-VPN bridge:br1
    eth6    OrThat              5GHz   Network