I ... Trend Micro communicates a lot outside; it might be better to disable it forever.
Indeed - which makes Suricata so interesting. AiProtection seems to work, but to an unknown degree (rules).
But the current setting is not set based on these, so I guess it doesn't work properly.
I was looking at my crontab and see the following for the rules updating.
Is the #suricata_updte# a typo?
0 3 * * * /opt/var/lib/suricata/rules/upd_rules_suricata.sh #suricata_updte#
No, as long as you have a script called upd_rules_suricata.sh in /opt/var/lib/suricata/rules.
Yes, I do and it seems to run just fine.
The interface is modified to br0 so that requests from VPN clients can be seen. Many people use IPS on the LAN. I set the IP address and it was successfully logged by Suricata, but google.com remained available.
Yep! ....... FWICT it doesn't work as an af_packet IPS with the current settings. And it was compiled without NFQ support, so it can't use the traditional method where iptables/Netfilter is able to support it.
If I get the time I'll play with it this weekend: reconfigure yaml, and add an address - e.g. 72.217.11.36 (google.com) - to one of the IPS drop address rules (e.g. "drop.rules", "compromised.rules") and see if I can get it to work with http/s.
(p.s. 'til IPS becomes functional, might as well comment out drop/compromised rules)
Maybe a bit off topic, but since we talk about interfaces here, maybe someone can offer some insight.
When I do ifconfig, I see my WAN on eth0, and my WiFi nets on eth6 and eth7. Is this normal (eth6, eth7)? Did I misread? I thought ethX was for wired only.
thanks
It would be nice to have Suricata included in the amtm offerings.
Got a chance to play with IPS today and didn't get very far.
The af-packet configuration, which is crucial for IPS, has evolved significantly since our version of suricata (4.7) was upgraded to 4.8 and now to 5.03. I considered upgrading to either 4.8 or 5.03 and starting there (sigh.... compiling it for Asus!? I gotta say I appreciate suricata - it is straightforward to work with; has useful diagnostics; etc.).
But IIRC rgnldo earlier posted that he had started working on the next version of suricata (I presume 5.x) so because of a new need for IPS my plan now is to return to AiProtection (sigh..... recently I've begun to occasionally run a small Windows* laptop on the LAN/WAN, so now I very much want IPS) and hope that rgnldo gets back soon!!
You could open an Issue on the Entware Github to request they (Entware team) update the Suricata version in their next big update.
Opkg indicates it (suricata_4.1.7-1armv7..) is the only package available; no later v4 or v5 beta listed.
Package maintainer is not indicated.
============================
Package: suricata
Version: 4.1.7-1
Depends: libc, libssp, librt, libpthread, libyaml, jansson, libpcap, libpcre, file, liblzma, liblz4
Status: install user installed
Section: net
Architecture: armv7-2.6
Size: 959778
Filename: suricata_4.1.7-1_armv7-2.6.ipk
Conffiles:
/opt/etc/suricata/suricata.yaml 2006954b031a64141e9dfd5af5ee9cb86851e7353b757e4d46a1cb079801678f
/opt/etc/suricata/classification.config c351636b386c13ee4cc5c59f2c95b2d05905376d17a4c8de58d02e5eb3c384f8
/opt/etc/suricata/reference.config 43117fc342eebf1dc4942541b19f2a3a37cf22a3c0e4d0b48e4dbc6d40b81610
/opt/etc/suricata/threshold.config fe73b9a81af710c22294f6b0dfa0a99d724e7193e4b944b60c645bb480e71183
Description: The Suricata engine is capable of real time intrusion detection (IDS), inline
intrusion prevention (IPS), network security monitoring (NSM) and offline pcap
processing. Suricata inspects the network traffic using a powerful and
extensive rules and signature language, and has powerful Lua scripting support
for detection of complex threats.
Installed-Time: 1588534742
============================
- I'm guessing it is rgnldo maintaining the Suricata package.
- Likely an earlier version of Suricata, along with an earlier version of suricata.yaml provided IPS - but a constantly-changing environment ended that.
- rgnldo earlier said "that is enough...." when referring to .yaml defaults. I'm guessing he wanted a reliable package that would work on the smallest processors - WHICH HE ACHIEVED..... for an IDS.
- v4.x can probably do IPS if one configures .yaml properly; but I'm guessing V5 is close and I don't have the time to research earlier documentation.
-SIGH ....Likely rgnldo is a "team" of 1, and is generously trying to support more than 2 routers. Given he indicated he was working on an upgrade, I am reluctant to ask about v5 at this time.
p.s. Heh... I suppose this could be compiled on a router..... GEEZE. But GCC can be run on your laptop configured to produce an armv7 executable..... Please let us know if you do that!!!
As I read it, the install instructions really only pull the current Entware package, so it may be worthwhile to simply ask whether a v5 suricata package is in the works for the next Entware update......from there, it appears the process to configure is pretty straightforward......compiling it for the router is certainly beyond my skillset...haha (maybe my laptop, but not the router....)
You could open an Issue on the Entware Github to request they (Entware team) update the Suricata version in their next big update.
They compile the software directly from the source, and have no dependencies on OpenWRT (like some other packages do).
https://github.com/Entware/rtndev/blob/master/suricata/Makefile
I thought you were on IPS
And if you can comfortably get to it, an IPS would be wonderful!!
# IPS Mode Configuration
# PCAP
pcap:
  - interface: auto
    checksum-checks: auto
    promisc: yes
# Runmode the engine should use. af-packet copy-mode requires 'workers'.
runmode: workers
# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
# autofp-scheduler: active-packets
# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: router
# Linux high speed capture support
af-packet:
  - interface: XXX
    copy-mode: ips
    # copy-iface must name the peer interface; a second entry for that peer
    # (with copy-iface pointing back here) is needed so both directions are copied.
    copy-iface: XXX
    defrag: yes
    use-mmap: yes
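The fragment above is the piece that decides whether Suricata can drop anything at all, so here is an added example (mine, not code from the thread or from the Suricata project) that builds the mirrored af-packet pair copy-mode ips needs and flags the usual reasons such a section only logs: placeholder names left in, a missing or unmirrored copy-iface, duplicate cluster-ids, mismatched thread counts, or a runmode other than workers. Interface names lanif/wanif, the cluster-ids 98/99 and the single-thread default are assumptions; output is rendered with plain string formatting so PyYAML is not required.

```python
# Added example (not from the thread or the Suricata project): build the
# af-packet section Suricata needs for copy-mode IPS and flag the mistakes
# that leave it running as an IDS.  Interface names, cluster-ids and thread
# counts are placeholders/assumptions; YAML is rendered by hand (no PyYAML).

PLACEHOLDERS = {None, "", "XXX", "auto"}


def af_packet_ips_pair(if_a, if_b, threads=1, cluster_ids=(98, 99)):
    """Return the two af-packet entries for an inline pair if_a <-> if_b.

    copy-mode ips re-injects every frame read on one interface onto the
    other, so each interface needs its own entry pointing at its peer, a
    distinct cluster-id and the same thread count.
    """
    entries = []
    for name, peer, cid in ((if_a, if_b, cluster_ids[0]), (if_b, if_a, cluster_ids[1])):
        entries.append({
            "interface": name,
            "threads": threads,
            "defrag": False,
            "cluster-type": "cluster_flow",
            "cluster-id": cid,
            "copy-mode": "ips",
            "copy-iface": peer,
            "use-mmap": True,
        })
    return entries


def check_af_packet_ips(entries, runmode="workers"):
    """Return a list of problems; an empty list means the pair is wired for IPS."""
    problems = []
    if runmode != "workers":
        problems.append(f"runmode {runmode!r}: af-packet IPS requires runmode: workers")
    by_if = {e.get("interface"): e for e in entries}
    for e in entries:
        name = e.get("interface")
        if name in PLACEHOLDERS:
            problems.append(f"interface {name!r} is a placeholder")
            continue
        if e.get("copy-mode") != "ips":
            problems.append(f"{name}: copy-mode {e.get('copy-mode')!r} is IDS-only; need 'ips'")
        peer = e.get("copy-iface")
        if peer in PLACEHOLDERS or peer == name:
            problems.append(f"{name}: copy-iface {peer!r} must name a different, real interface")
        elif peer not in by_if:
            problems.append(f"{name}: copy-iface {peer} has no af-packet entry, so return traffic is never copied")
        else:
            mate = by_if[peer]
            if mate.get("copy-iface") != name:
                problems.append(f"{name} -> {peer} is not mirrored by {peer} -> {name}")
            a, b = sorted((name, peer))
            for cond, msg in (
                (mate.get("threads", 1) != e.get("threads", 1), f"{a}/{b}: thread counts differ"),
                (mate.get("cluster-id") == e.get("cluster-id"), f"{a}/{b}: cluster-id must differ per interface"),
            ):
                if cond and msg not in problems:
                    problems.append(msg)
    return problems


def render_af_packet(entries):
    """Render entries as the af-packet: block, two-space indented like suricata.yaml."""
    lines = ["af-packet:"]
    for e in entries:
        for i, (key, val) in enumerate(e.items()):
            if isinstance(val, bool):
                val = "yes" if val else "no"
            lines.append(("  - " if i == 0 else "    ") + f"{key}: {val}")
    return "\n".join(lines) + "\n"


# Constructed input: the single-entry fragment posted above, XXX placeholders
# included, which is why it can only ever log.
POSTED_FRAGMENT = [{"interface": "XXX", "copy-mode": "ips", "copy-iface": "XXX",
                    "defrag": True, "use-mmap": True}]

if __name__ == "__main__":
    for p in check_af_packet_ips(POSTED_FRAGMENT):
        print("posted fragment:", p)
    pair = af_packet_ips_pair("lanif", "wanif")  # placeholder interface names
    print("pair problems:", check_af_packet_ips(pair))
    print(render_af_packet(pair))
```

One caveat before pasting the rendered block into suricata.yaml on a router: copy-mode ips moves frames straight from one interface to the other, bypassing the kernel's routing and NAT, so the pair has to be two interfaces that you are happy to treat as a layer-2 bridge. Placing it between the WAN port and br0 on a NAT router is not that, which is where the NFQUEUE method would normally come in; as noted earlier in the thread, the Entware build was compiled without NFQ support.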
ASUS have always used 'ethX' for the two main WiFi instances.
./WiFiVPN.sh
(WiFiVPN.sh): 12922 v1.15 © 2016-2020 Martineau, WiFi status request.....[]
WiFi Configuration Status for interfaces:
wl0.1 USA_VPN_VLAN 2.4GHz Guest 1 (10.88.101.0/24) routed through tunnel VPN Client 1 (HMA New York) using VPN DNS (104.223.91.210) via Bridge: br1
----- (ASUS_Guest2) 2.4GHz Guest 2 ** Disabled **
----- (ASUS_Guest3) 2.4GHz Guest 3 ** Disabled **
----- (ASUS_5G_Guest1) 5GHz Guest 1 ** Disabled **
----- (ASUS_5G_Guest2) 5GHz Guest 2 ** Disabled **
----- (ASUS_5G_Guest3) 5GHz Guest 3 ** Disabled **
eth1 Herewego 2.4GHz Network
eth2 AbitFaster 5GHz Network
./WiFiVPN.sh
(WiFiVPN.sh): 8373 v1.15 © 2016-2020 Martineau, WiFi status request.....[]
WiFi Configuration Status for interfaces:
wl0.1 GuestAX56_241 2.4GHz Guest 1
----- (ASUS_88_2G_Guest2) 2.4GHz Guest 2 ** Disabled **
----- (ASUS_88_2G_Guest3) 2.4GHz Guest 3 ** Disabled **
----- (ASUS_88_5G_Guest) 5GHz Guest 1 ** Disabled **
----- (ASUS_88_5G_Guest2) 5GHz Guest 2 ** Disabled **
----- (ASUS_88_5G_Guest3) 5GHz Guest 3 ** Disabled **
eth5 Getthis 2.4GHz Network (192.168.101.0/24) via non-VPN bridge:br1
eth6 OrThat 5GHz Network
Welcome To SNBForums