Suricata Suricata - IDS on AsusWRT Merlin

[rgnldo]

Sounds interesting and like a severe security upgrade for the Asus routers. Speaking for myself: I think you need to communicate a little bit better, for the people to understand. Thanks for the work so far.

You're right. I don't usually post something that I can't support. There were requests to organize the posting. I count on the Linux knowledge of others.

 

[rgnldo]

.....do you disable AiProtect as well with this setup?

I used almost nothing from AiProtectiom. I soon met Suricata.

Skynet

who knows, maybe one day they will work together

Also, is there any Unbound interfaces?

you don't need to configure it on Unbound.

 

[mike37]

I recommend installing on a HND router.

the rules that I have enabled are enough to obtain a good functioning.

Yes, tested..

(Apologize in advance, rgnldo - I'm a newbie) -

1. I'm guessing an HND router is "Home Network Defender" <http://store.trendmicro.com/store/trendoem/en_US/pd/ThemeID.1268200/productID.109041900> !?

If this is true, ISTM asuswrt-merlin routers can provide the other components of HND except for a sophisticated anti-virus? And if you got it working on an Asus, you got 99% of the battle

So does your HND recommendation remain compelling???

(IIRC, Snort has optional virus/trojan signatures (likely not as good as a dedicated Trend AV/AT), which makes me wonder if suricata has them as well? I'm guessing suricata uses Snort signatures!?)

2. For testing and contrasting suricata with AiProtect, I was hoping that you or Milan had activated suricata and deactivated AiProtect; gone to https://nmap.online/ and/or https://nikto.online/ and launched an attack against himself, noting the response from Suricata.

Then repeat those attacks but with AiProtect active and suricata deactivated, noting the AiProtect response and comparing it with suricata.

Perhaps you have done this type of test on an Asus router??

(I'm guessing that AiProtect is a networked Snort processor.

Again, TIA

 

[rgnldo]

So does your HND recommendation remain compelling???

Router´s with good processing and current kernel. But I already installed it on the AC68U.

Snort

Yes. You can use Snort rules

For testing

The tests I did were those oriented to the Suricata community.

See: https://suricata-ids.org/features/

 

[vdemarco]

Right now i have suricata and Skynet. Seems redundant, should i just turn skynet off? I think i will and see what happens.

 

[rgnldo]

Right now i have suricata and Skynet. Seems redundant, should i just turn skynet off? I think i will and see what happens.

I use only the drop snort and suricata rules

 

[vdemarco]

I use only the drop snort and suricata rules

What are the drop snort rules? i followed your first post and set up all of suricata rules.

 

[rgnldo]

What are the drop snort rules? i followed your first post and set up all of suricata rules.

That's enough. But you can add snort rules. As you have an AX88U, it pays to add some of the snort. Get to know the Suricata first.

 

[rgnldo]

How about the router server with Slackware Linux in a mini box? My AC86U will only be wireless antennas.

 

[mike37]

Right now i have suricata and Skynet. Seems redundant, should i just turn skynet off? I think i will and see what happens.

IIUC:

1. Skynet blocks access to known evil addresses, and uses standard, built-in iptables tests to block bad inbound packets.
2. Suricata analyzes the internal structure of packets to a greater degree; looks for packet timing tricks; suspicious packet signatures; and other things I've long forgotten. These are "flagged" unless you're using a "drop" feature which will additionally drop the connection and optionally block connection to that address for a configurable period of time.

So they are not mutually exclusive (though Suricata may optionally have a set of rules that lists known evil sites, but likely not to the degree of Skynet.)

But please do run the test and let us know

 

[vdemarco]

IIUC:

1. Skynet blocks access to known evil addresses, and uses standard, built-in iptables tests to block bad inbound packets.
2. Suricata analyzes the internal structure of packets to a greater degree; looks for packet timing tricks; suspicious packet signatures; and other things I've long forgotten. These are "flagged" unless you're using a "drop" feature which will additionally drop the connection and optionally block connection to that address for a configurable period of time.

So they are not mutually exclusive (though Suricata may optionally have a set of rules that lists known evil sites, but likely not to the degree of Skynet.)

But please do run the test and let us know

I ran that test but didn't see anything in any of the logs. i am happy to test out anything. Those tests really check for open ports. the only ports i really have open are ssh.

 

[Wisiwyg]

IIUC:

1. Skynet blocks access to known evil addresses, and uses standard, built-in iptables tests to block bad inbound packets.
2. Suricata analyzes the internal structure of packets to a greater degree; looks for packet timing tricks; suspicious packet signatures; and other things I've long forgotten. These are "flagged" unless you're using a "drop" feature which will additionally drop the connection and optionally block connection to that address for a configurable period of time.

So they are not mutually exclusive (though Suricata may optionally have a set of rules that lists known evil sites, but likely not to the degree of Skynet.)

But please do run the test and let us know

Has your throughput suffered?

I currently run Skynet and Diversion and really, I mean really like what they're providing. I was running a custom mini ITX i7m with Suricata with really good success, but the family always had some special website they wanted to go to and couldn't get there. So I was constantly white-listing. I found the Skynet/Diversion combination to be a really good solution. Now that Suricata looks like it can run on Asus hardware, I'm going to take another look at it.

Thank you for your efferts on this, @rgnldo.

edit, I should have said really appreciate your efforts. I don't think I got enough 'really's' in there!

 

[mike37]

.... I found the Skynet/Diversion combination to be a really good solution. Now that Suricata looks like it can run on Asus hardware, I'm going to take another look at it....

Ditto here; I really like the Skynet/Diversion combination.

But IF I were to connect to a hostile site Suricata might well intervene. And given the Suricata manual seems very-well written, it's worth experimenting with.

 

[mike37]

... the only ports i really have open are ssh...

Not my business, but IMHO open ports are an invitation for mischief. Consider "Port Knocking" to keep them stealth 'til you want access, or alternatively have them disappear for an hour after three unsuccessful log in attempts.

These defenses would be in addition to Skynet/Suricata.

 

[vdemarco]

my ssh port is normally open, but now after doing a port scan, i can't ssh into the network. (I know its an invitation, i am okay with that)

so the question is does suricata block ssh by default?

 

[rgnldo]

invitation for mischief

I notice that you have good experience. Very good.

IMHO

in my language, I don't recognize that word.

 

[rgnldo]

IIUC:

1. Skynet blocks access to known evil addresses, and uses standard, built-in iptables tests to block bad inbound packets.
2. Suricata analyzes the internal structure of packets to a greater degree; looks for packet timing tricks; suspicious packet signatures; and other things I've long forgotten. These are "flagged" unless you're using a "drop" feature which will additionally drop the connection and optionally block connection to that address for a configurable period of time.

So they are not mutually exclusive (though Suricata may optionally have a set of rules that lists known evil sites, but likely not to the degree of Skynet.)

But please do run the test and let us know

Excellent description. Very technical

 

[rgnldo]

custom mini ITX i7m

This will be my future.

website they wanted to go to and couldn't get there

I generally trust Suricata.
Signed rules are unlikely to have a false positive. I usually segment my network in vlan.

 

[rgnldo]

Right now i have suricata and Skynet. Seems redundant, should i just turn skynet off? I think i will and see what happens.

Did you set up your wan?
on:
af-packet:
- interface: -> your interface wan

 

[vdemarco]

Did you set up your wan?
on:
af-packet:
- interface: -> your interface wan

I think i have it correct, here are some pieces of the yaml file


# Holds variables that would be used by the engine.
vars:

# Holds the address group vars that would be passed in a Signature.
address-groups:
HOME_NET: "[10.0.0.0/16]"
EXTERNAL_NET: "any"
DNS_SERVERS: "[10.0.0.1]"
SMTP_SERVERS: "$HOME_NET"
HTTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_SERVER: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
ENIP_SERVER: "$HOME_NET"
ENIP_CLIENT: "$HOME_NET"
FTP_SERVERS: "$HOME_NET"
SSH_SERVERS: "[10.0.0.155]"

# Linux high speed capture support
af-packet:
- interface: eth0
defrag: yes
use-mmap: yes