Suricata Suricata - IDS on AsusWRT Merlin

[ugandy]

ASUS have always used 'ethX' for the two main WiFi instances.

 ./WiFiVPN.sh

(WiFiVPN.sh): 12922 v1.15 © 2016-2020 Martineau, WiFi status request.....[]

 WiFi Configuration Status for interfaces:
 wl0.1   USA_VPN_VLAN     2.4GHz Guest 1  (10.88.101.0/24) routed through tunnel VPN Client 1 (HMA New York) using VPN DNS (104.223.91.210) via Bridge: br1
 -----   (ASUS_Guest2)    2.4GHz Guest 2  ** Disabled **
 -----   (ASUS_Guest3)    2.4GHz Guest 3  ** Disabled **
 -----   (ASUS_5G_Guest1) 5GHz   Guest 1  ** Disabled **
 -----   (ASUS_5G_Guest2) 5GHz   Guest 2  ** Disabled **
 -----   (ASUS_5G_Guest3) 5GHz   Guest 3  ** Disabled **
 eth1    Herewego         2.4GHz Network
 eth2    AbitFaster       5GHz   Network

IIRC, 'eth6/eth7' are used by the two main WiFi interfaces on HND-Models e.g. RT-AC86U/RT-AX88U, (don't have access to my RT-AC86U at the moment) , and for RT-AX56U/RT-AX58U they use 'eth5/eth6'

./WiFiVPN.sh

(WiFiVPN.sh): 8373 v1.15 © 2016-2020 Martineau, WiFi status request.....[]

    WiFi Configuration Status for interfaces:
    wl0.1   GuestAX56_241    2.4GHz Guest 1
    -----   (ASUS_88_2G_Guest2) 2.4GHz Guest 2  ** Disabled **
    -----   (ASUS_88_2G_Guest3) 2.4GHz Guest 3  ** Disabled **
    -----   (ASUS_88_5G_Guest)  5GHz   Guest 1  ** Disabled **
    -----   (ASUS_88_5G_Guest2) 5GHz   Guest 2  ** Disabled **
    -----   (ASUS_88_5G_Guest3) 5GHz   Guest 3  ** Disabled **
    eth5    Getthis             2.4GHz Network  (192.168.101.0/24) via non-VPN bridge:br1
    eth6    OrThat              5GHz   Network

thanks!

 

[glehel]

default setup and Suricata - IDS/IPS on AsusWRT Merlin setup same log.

18/5/2020 -- 20:26:05 - <Notice> - This is Suricata version 4.1.7 RELEASE
18/5/2020 -- 20:26:05 - <Info> - CPUs/cores online: 2
18/5/2020 -- 20:26:05 - <Info> - Found an MTU of 1500 for 'eth0'
18/5/2020 -- 20:26:05 - <Info> - Found an MTU of 1500 for 'eth0'
18/5/2020 -- 20:26:05 - <Info> - fast output device (regular) initialized: fast.log
18/5/2020 -- 20:26:05 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/5/2020 -- 20:26:05 - <Info> - http-log output device (regular) initialized: http.log
18/5/2020 -- 20:26:05 - <Info> - stats output device (regular) initialized: stats.log
18/5/2020 -- 20:26:05 - <Info> - Syslog output initialized
18/5/2020 -- 20:26:05 - <Info> - eve-log output device (regular) initialized: eve-%Y-%m-%d-%H:%M.json
18/5/2020 -- 20:26:05 - <Info> - 12 rule files processed. 2676 rules successfully loaded, 0 rules failed
18/5/2020 -- 20:26:05 - <Info> - Threshold config parsed: 0 rule(s) found
18/5/2020 -- 20:26:05 - <Info> - 2676 signatures processed. 113 are IP-only rules, 297 are inspecting packet payload, 2378 inspect application layer, 0 are decoder event only
18/5/2020 -- 20:26:06 - <Notice> - AFL mode starting
18/5/2020 -- 20:26:06 - <Notice> - AFL mode starting
18/5/2020 -- 20:26:06 - <Notice> - all 2 packet processing threads, 0 management threads initialized, engine started.
18/5/2020 -- 20:26:07 - <Info> - All AFP capture threads are running.

_____________________________________________________________________

with this setting, the vpn data transfer power is slightly reduced because the suricata is visibly working. I can't test yet if the IPS actually works, but it writes that in the log.


# Runmode the engine should use.
runmode: workers

# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
autofp-scheduler: active-packets

# If set to auto, the variable is internally switched to 'router' in IPS
# mode and 'sniffer-only' in IDS mode.
host-mode: router

# Linux high speed capture support
af-packet:
- interface: eth0
threads: auto
defrag: yes
cluster-type: cluster_flow
cluster-id: 98
copy-mode: ips
copy-iface: br0
buffer-size: 64535
use-mmap: yes
- interface: br0
threads: auto
cluster-id: 97
defrag: yes
cluster-type: cluster_flow
copy-mode: ips
copy-iface: eth0
buffer-size: 64535
use-mmap: yes


18/5/2020 -- 20:44:53 - <Notice> - This is Suricata version 4.1.7 RELEASE
18/5/2020 -- 20:44:53 - <Info> - CPUs/cores online: 2
18/5/2020 -- 20:44:53 - <Info> - Found an MTU of 1500 for 'eth0'
18/5/2020 -- 20:44:53 - <Info> - Found an MTU of 1500 for 'eth0'
18/5/2020 -- 20:44:53 - <Info> - Found an MTU of 1500 for 'br0'
18/5/2020 -- 20:44:53 - <Info> - Found an MTU of 1500 for 'br0'
18/5/2020 -- 20:44:53 - <Notice> - using flow hash instead of active packets
18/5/2020 -- 20:44:53 - <Info> - AF_PACKET: Setting IPS mode
18/5/2020 -- 20:44:53 - <Info> - fast output device (regular) initialized: fast.log
18/5/2020 -- 20:44:53 - <Info> - Unified2-alert initialized: filename unified2.alert, limit 32 MB
18/5/2020 -- 20:44:53 - <Info> - http-log output device (regular) initialized: http.log
18/5/2020 -- 20:44:53 - <Info> - stats output device (regular) initialized: stats.log
18/5/2020 -- 20:44:53 - <Info> - Syslog output initialized
18/5/2020 -- 20:44:53 - <Info> - eve-log output device (regular) initialized: eve-%Y-%m-%d-%H:%M.json
18/5/2020 -- 20:44:53 - <Info> - 12 rule files processed. 2676 rules successfully loaded, 0 rules failed
18/5/2020 -- 20:44:53 - <Info> - Threshold config parsed: 0 rule(s) found
18/5/2020 -- 20:44:53 - <Info> - 2676 signatures processed. 113 are IP-only rules, 297 are inspecting packet payload, 2378 inspect application layer, 0 are decoder event only
18/5/2020 -- 20:44:54 - <Info> - AF_PACKET IPS mode activated eth0->br0
18/5/2020 -- 20:44:54 - <Info> - Going to use 2 thread(s)
18/5/2020 -- 20:44:54 - <Notice> - AFL mode starting
18/5/2020 -- 20:44:54 - <Notice> - AFL mode starting
18/5/2020 -- 20:44:54 - <Info> - AF_PACKET IPS mode activated br0->eth0
18/5/2020 -- 20:44:55 - <Info> - Going to use 2 thread(s)
18/5/2020 -- 20:44:55 - <Notice> - AFL mode starting
18/5/2020 -- 20:44:55 - <Info> - Found an MTU of 1500 for 'br0'
18/5/2020 -- 20:44:55 - <Info> - Found an MTU of 1500 for 'eth0'
18/5/2020 -- 20:44:55 - <Notice> - AFL mode starting
18/5/2020 -- 20:44:55 - <Info> - Found an MTU of 1500 for 'br0'
18/5/2020 -- 20:44:55 - <Info> - Found an MTU of 1500 for 'eth0'
18/5/2020 -- 20:44:55 - <Notice> - all 4 packet processing threads, 0 management threads initialized, engine started.
18/5/2020 -- 20:44:55 - <Info> - All AFP capture threads are running.

 

[glehel]

i put the http.log and fast.log files in the syslog-ng conf file to check easily. For now, these two are in one but can be separated if needed. i configured the suricata config myself to delete the contents of http.log when it restarts because it already exists in another location. fast.log may remain as it has few events.

- http-log:
      enabled: yes
      filename: http.log
      custom: yes # enable the custom logging format (defined by custom format)
      customformat: "%{%Y-%m-%d-%H:%M:%S}t %h[**]%{X-Forwarded-For}i[**]%{User-agent}i[**]%H[**]%m[**]%u[**]%s[**]%B byte[**]%a:%p -> %A:%P"
      append: no
      extended: no
      filetype: regular

this changed the date format to suit me

syslog-ng.conf

source src {
    unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
    file("/proc/kmsg" program_override("kernel") flags(kernel));
    internal();file("/opt/var/log/suricata/http.log" follow-freq(60));
    file("/opt/var/log/suricata/fast.log" follow-freq(60));
};

syslog-ng.d

# put messages with 'Suricata IDS/IPS' into /opt/var/log/suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
              message("->");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

logrotate.d

/opt/var/log/suricata.log {
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

 

[rgnldo]

autofp-scheduler: active-packets

runmode is not like autofp.

 

[glehel]

runmode is not like autofp.

you may ignore it yourself if another runmode is set. just a tip.

 

[rgnldo]

Spoiler: Syslog-NG glehel

i put the http.log and fast.log files in the syslog-ng conf file to check easily. For now, these two are in one but can be separated if needed. i configured the suricata config myself to delete the contents of http.log when it restarts because it already exists in another location. fast.log may remain as it has few events.

- http-log:
      enabled: yes
      filename: http.log
      custom: yes # enable the custom logging format (defined by custom format)
      customformat: "%{%Y-%m-%d-%H:%M:%S}t %h[**]%{X-Forwarded-For}i[**]%{User-agent}i[**]%H[**]%m[**]%u[**]%s[**]%B byte[**]%a:%p -> %A:%P"
      append: no
      extended: no
      filetype: regular

this changed the date format to suit me

syslog-ng.conf

source src {
    unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
    file("/proc/kmsg" program_override("kernel") flags(kernel));
    internal();file("/opt/var/log/suricata/http.log" follow-freq(60));
    file("/opt/var/log/suricata/fast.log" follow-freq(60));
};

syslog-ng.d

# put messages with 'Suricata IDS/IPS' into /opt/var/log/suricata.log

destination d_suricata {
    file("/opt/var/log/suricata.log");
};

filter f_suricata {
              message("->");
};

log {
    source(src);
    filter(f_suricata);
    destination(d_suricata);
    flags(final);
};

#eof

logrotate.d

/opt/var/log/suricata.log {
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

Excellent contribution.

I am trying to port the Oinkmaster, rule Management for Suricata. I'm counting on you.

 

[tarassippo]

When choosing certain rules - eg emerging-trojan.rules and emerging-attack_response.rules I get the following warning messages
Is this anything to be concerned over?

7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 2 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2017181 and 15 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 9 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2018103 and 6 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017772 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2017670 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'HTTP.UncompressedFlash' is checked but not set. Checked in 2018428 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
7/5/2020 -- 15:09:18 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.eduphish' is checked but not set. Checked in 2025114 and 0 other sigs

I do get the same errors and I had a read at https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html but it's too technical for me...

Is it something to be concerned or I can just ignore it ? Does it mean those rules are not working ?

Tia.

 

[heysoundude]

it would be nice to have suricata included in the amtm offerings

while I don't disagree with you, my cursory attention to this thread indicates it's not yet "ready for prime time"...there seems to still be some heavy lifting happening in the background on the part of the people who are working on it for Merlin users. I just put unbound on and am still wrapping my head around that for the time being...if this works as wonderfully (I ran into problems with SkyNet), I'll be a convert.

 

[rgnldo]

I do get the same errors and I had a read at

It is not an error, it has to do with some rule of Suricata, not all, with the verification engine. Nothing serious.

while I don't disagree with you, my cursory attention to this thread indicates it's not yet "ready for prime time"

I agree. Initiative came after requests from some members of this forum. I adapted what was possible for an ARM router. It took a while to reach this level.

 

[mike37]

.......It took a while to reach this level.

And for this we are VERY grateful!!

Rgnldo, I have an observation and suggestion(s):

There are a number of suggested tweaks to the yaml floating about - it is hard for us (and you) to know "which" yaml file is being discussed. May I STRONGLY suggest/request that you:

1. update your current yaml file and rename it in the repsitory with "IDS" and a version number as part of the naming convention.

2. upload a second yaml file with the name "IPS" and a version number as part of the naming convention.
Doing this will provide consistent configurations for discussion, and avoid user editing mistakes.

- Users commenting on problems should provide the name of the yaml file (which includes "IPS" or "IDS" and ver. number)

- Get your Merlin box working to your satisfaction, and actually test it. For IPS testing, a "test rule" that blocks outgoing and incoming to/from an http address would be easy for you and users to confirm using both a browser and a ping. Use whatever Merlin configuration you have - though a "plain jane" (no vpns, qos, etc.) configuration would be best.

- Users could learn about suricata while getting the IDS configuration to work (it seems to work now), and then be more useful to you in getting the IPS to work.

- I'm guessing that network interfaces will be a topic of interest on the IPS configuration; perhaps you could include the interface configuration that worked for your plain jane box, along with your ifconfig, followed by a comment to the user to consider changing it.

TIA (Thanks in Advance)

 

[ugandy]

And for this we are VERY grateful!!


1. update your current yaml file and rename it in the repsitory with "IDS" and a version number as part of the naming convention.

2. upload a second yaml file with the name "IPS" and a version number as part of the naming convention.
Doing this will provide consistent configurations for discussion, and avoid user editing mistakes.



TIA (Thanks in Advance)

so the current yaml file on github is not set for IPS? only IDS?

 

[mike37]

so the current yaml file on github is not set for IPS? only IDS?

For Me, the answer is Yes.

In order to get it to function as IPS, rgnldo suggested the following https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/page-12#post-585513

I applied those changes to my week-old yaml and found that the IDS performance was improved, but IPS still didn't work for me. I downloaded a "fresh" copy of the yaml today, and this time the changes did not work.

FWICT IPS is a work in progress; too many moving parts, IMHO.

New edit. Well dang!..... tested again and while the IPS still doesn't work, the improved IDS did work. I'll post my json file.

 

[mike37]

......

New edit. Well dang!..... tested again and while the IPS still doesn't work, the improved IDS did work. I'll post my json file.

So here are the alerts - outgoing and incoming:

{"timestamp":"1969-12-31T19:00:00.939232-0500","flow_id":1025513636254944,"in_iface":"eth0","event_type":"alert","vlan":1,"src_ip":"192.168.1.66","src_port":50437,"dest_ip":"192.0.78.25","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500000,"rev":5441,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 1","category":"Misc Attack","severity":2,"metadata":{"updated_at":["2020_05_22"],"created_at":["2011_04_28"],"signature_severity":["Major"],"tag":["COMPROMISED"],"deployment":["Perimeter"],"attack_target":["Any"],"affected_product":["Any"]}},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":78,"bytes_toclient":0,"start":"1969-12-31T19:00:00.939232-0500"}}


{"timestamp":"2020-05-24T15:23:29.705370-0400","flow_id":1025513636254944,"in_iface":"eth0","event_type":"alert","vlan":1,"src_ip":"192.0.78.25","src_port":443,"dest_ip":"192.168.1.66","dest_port":50437,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2500000,"rev":5441,"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 1","category":"Misc Attack","severity":2,"metadata":{"updated_at":["2020_05_22"],"created_at":["2011_04_28"],"signature_severity":["Major"],"tag":["COMPROMISED"],"deployment":["Perimeter"],"attack_target":["Any"],"affected_product":["Any"]}},"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":78,"bytes_toclient":70,"start":"1969-12-31T19:00:00.939232-0500"}}

And here is the rule that called for a drop, not an alert (it is on a single line; <> means drop outgoing and/or incoming):

drop ip [103.124.96.14,103.133.111.128,103.138.109.68,103.139.44.159,103.143.208.250,103.214.112.196,103.233.1.218,103.49.133.82,103.79.141.156,103.79.141.158,103.99.1.31,104.131.85.167,104.140.245.39,104.168.44.166,104.197.230.188,104.210.219.82,104.210.222.135,104.214.72.28,104.214.79.240,104.215.144.185,104.236.30.107,104.244.72.115,104.244.73.193,104.244.76.189,104.248.174.224,104.248.243.129,104.248.33.221,104.248.51.123,104.44.135.128,105.235.122.218,192.0.78.25] any <> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:5441; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2020_05_22

192.0.78.25 is the address that I tested in the browser.

So in my case rgnldo's latest tweak improved the IDS......, but the "drop" was changed to "alert". (and these tweaks are not in the current yaml file.)

Important to test, IMHO.

 

[Slawek P]

Hi rgnldo

On starting suricata I do not have an /opt/var/log/suricata/suricata.log - I only have stats.log and fast.log -
is this normal - both of those files empty


Resolved - enabled log in suricata.yaml file -

29/4/2020 -- 13:15:44 - <Notice> - This is Suricata version 4.1.7 RELEASE
29/4/2020 -- 13:15:44 - <Info> - CPUs/cores online: 2
29/4/2020 -- 13:15:44 - <Info> - Found an MTU of 1464 for 'ppp0'
29/4/2020 -- 13:15:44 - <Info> - Found an MTU of 1464 for 'ppp0'
29/4/2020 -- 13:15:45 - <Info> - fast output device (regular) initialized: fast.log
29/4/2020 -- 13:15:45 - <Info> - stats output device (regular) initialized: stats.log
29/4/2020 -- 13:15:45 - <Info> - 8 rule files processed. 746 rules successfully loaded, 0 rules failed
29/4/2020 -- 13:15:45 - <Info> - Threshold config parsed: 0 rule(s) found
29/4/2020 -- 13:15:45 - <Info> - 746 signatures processed. 115 are IP-only rules, 36 are inspecting packet payload, 584 inspect application layer, 0 are decoder event only
29/4/2020 -- 13:15:45 - <Info> - Going to use 1 thread(s)
29/4/2020 -- 13:15:45 - <Notice> - AFL mode starting
29/4/2020 -- 13:15:45 - <Notice> - all 1 packet processing threads, 0 management threads initialized, engine started.
29/4/2020 -- 13:15:45 - <Info> - All AFP capture threads are running.

BTW is it worth enabling the other rules in .yaml file?

 # - ciarmy.rules
  # - teste.rules
  # - emerging-worm.rules
  # - tor.rules
  # - emerging-attack_response.rules
  # - emerging-shellcode.rules
  # - emerging-dns.rules
  # - emerging-dos.rules
  # - emerging-exploit.rules
  # - emerging-trojan.rules
  # - emerging-web_client.rules
  # - emerging-web_server.rules

Hi, followed the instruction, appears to be starting ok, but I have no /opt/var/log/suricata/suricata.log
Where to enable it in yaml please? Tried syslog: enabled, but that did not do trick.

 

[Slawek P]

It is not normal. I checked here. With one process. It's normal. Try rebooting.

It runs 4 processes on my machine too totalling 360M - a bit excessive. A stop resulted in core dump.
It is a charming start.

 

[rgnldo]

And for this we are VERY grateful!!

Rgnldo, I have an observation and suggestion(s):

There are a number of suggested tweaks to the yaml floating about - it is hard for us (and you) to know "which" yaml file is being discussed. May I STRONGLY suggest/request that you:

1. update your current yaml file and rename it in the repsitory with "IDS" and a version number as part of the naming convention.

2. upload a second yaml file with the name "IPS" and a version number as part of the naming convention.
Doing this will provide consistent configurations for discussion, and avoid user editing mistakes.

- Users commenting on problems should provide the name of the yaml file (which includes "IPS" or "IDS" and ver. number)

- Get your Merlin box working to your satisfaction, and actually test it. For IPS testing, a "test rule" that blocks outgoing and incoming to/from an http address would be easy for you and users to confirm using both a browser and a ping. Use whatever Merlin configuration you have - though a "plain jane" (no vpns, qos, etc.) configuration would be best.

- Users could learn about suricata while getting the IDS configuration to work (it seems to work now), and then be more useful to you in getting the IPS to work.

- I'm guessing that network interfaces will be a topic of interest on the IPS configuration; perhaps you could include the interface configuration that worked for your plain jane box, along with your ifconfig, followed by a comment to the user to consider changing it.

TIA (Thanks in Advance)

I can not. Lack of time. But if you want to fork on github, let me know that I publish with all the credits

 

[rgnldo]

/opt/var/log/suricata/suricata.log

edit for yes

  - file:
      enabled: no
      filename: /opt/var/log/suricata/suricata.log

when I want to test Suricata, I run

suricata -c /opt/etc/suricata/suricata.yaml --af-packet

 

[Wisiwyg]

Ran your Test sequence and got this:

<Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "": No such device

ruh roh.. where does it pull the interface id? Or is this a variable I need to hardcode?

edit: yes, hardcode. found it, fixed it.

 

[rgnldo]

Ran your Test sequence and got this:

<Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "": No such device

ruh roh.. where does it pull the interface id? Or is this a variable I need to hardcode?

edit: yes, hardcode. found it, fixed it.

Define the wan interface

 

[mike37]

,,,,,But if you want to fork on github........

err....... nah! I'm old and over the hill. Something like this should be spearheaded by an energetic, young guy - preferably from Brazil - with a powerful, developer's computer.