Suricata - IDS on AsusWRT Merlin
Step 2 - inside your suricata yaml file (/opt/etc/suricata/suricata.yaml)
Step 3 - refer to the syslog-ng instructions. Copy the respective suricata files from *.share for both logrotate and suricata to their respective /opt/etc/logrotate.d and syslog-ng.d directories. Make sure the perms are root R/W (0600). Reload Scribe (syslog-ng, which restarts logrotate).
thanks @ttgapers I will try to get this working today
 

 
Finally found time to experiment with Suricata.

Seems my test suggestion was wrong:


In that rule I see "GPL ATTACK_RESPONSE id check returned root"
How can I test instead?

I had taken the test as soon as I released this post.

 
@rgnldo check my github...tried to Inbox you.
Nice! Very good. ;)

Well, it is necessary to reorganize the script.
The script must find the WAN interface and the router's IP CIDR and insert them in the suricata.yaml file.

Only requirement: disable AiProtection
Remove the HND and QOS router requirement. Other users have tested it on other non-HND and QOS routers successfully.

There are situations where AiProtection is disabled in the GUI but not in NVRAM, preventing installation.
To resolve it, apply this solution:
Code:
nvram set TM_EULA=0
nvram commit
service start_reboot
 
Can you please post instructions on how to do that, so that others can perform this test as well?
Get:
Code:
curl -o /opt/var/lib/suricata/rules/test.rules https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/files/test.rules
Edit the suricata.yaml file and insert it in the rules section.

On the LAN, from a terminal on macOS, Linux or Windows, ping the router's IP.

Check /opt/var/log/suricata/fast.log
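The post above says to ping the router and then look at fast.log. The script below is an added example (not from the thread, not from the knot-resolver-suricata repository) that checks the result instead of eyeballing it: it counts the alerts per signature, counts hits for a given sid, and lists which LAN hosts triggered it. The fast.log lines it runs on are constructed to look like hits from the ICMP (sid 1000002) and Telnet (sid 1000003) test rules; the log path, addresses and timestamps are assumptions. Entware's busybox awk, sort and mktemp are enough to run it on the router.

```shell
#!/bin/sh
# Added example, not from the thread or from rgnldo's repository: confirm the
# ping test actually produced alerts by parsing Suricata's fast.log instead of
# eyeballing it. The sample log content below is constructed; sids 1000002
# (ICMP) and 1000003 (Telnet) are assumed to be the test rules' sids.
# On the router the real file is /opt/var/log/suricata/fast.log.
#
# fast.log line layout (Suricata 4.x), three fields separated by " [**] ":
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} src:port -> dst:port

# Number of alert lines for one sid.  Usage: count_sid_hits FILE SID
count_sid_hits() {
    awk -v sid="$2" '
        BEGIN { FS = " \\[\\*\\*\\] " }
        NF >= 3 {
            id = $2; sub(/\] .*/, "", id); sub(/^\[/, "", id)   # -> "gid:sid:rev"
            split(id, p, ":")
            if (p[2] == sid) n++
        }
        END { print n + 0 }' "$1"
}

# Distinct source IPv4 addresses that triggered a sid (who pinged/telnetted the router).
# IPv4 only: the port is stripped by cutting at the last colon.
sources_for_sid() {
    awk -v sid="$2" '
        BEGIN { FS = " \\[\\*\\*\\] " }
        NF >= 3 {
            id = $2; sub(/\] .*/, "", id); sub(/^\[/, "", id)
            split(id, p, ":")
            if (p[2] != sid) next
            n = split($3, w, " ")
            for (i = 2; i <= n; i++) if (w[i] == "->") { src = w[i-1]; sub(/:[0-9]+$/, "", src); print src }
        }' "$1" | sort -u
}

# Alert count per signature, most frequent first: "<count>\t<sid>\t<msg>".
summarize_fast_log() {
    awk '
        BEGIN { FS = " \\[\\*\\*\\] " }
        NF >= 3 {
            id = $2; sub(/\] .*/, "", id); sub(/^\[/, "", id); split(id, p, ":")
            msg = $2; sub(/^\[[0-9:]*\] /, "", msg)
            n[p[2] "\t" msg]++
        }
        END { for (k in n) print n[k] "\t" k }' "$1" | sort -rn
}

# Constructed sample: two LAN hosts ping the router (sid 1000002), one also
# tries Telnet (sid 1000003). Prints the path of a temp file holding the lines.
make_sample_fast_log() {
    sample=$(mktemp)
    cat >"$sample" <<'EOF'
07/02/2020-21:30:01.104211  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.50:8 -> 192.168.1.1:0
07/02/2020-21:30:02.105877  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.50:8 -> 192.168.1.1:0
07/02/2020-21:30:03.106902  [**] [1:1000002:1] ICMP connection attempt [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.77:8 -> 192.168.1.1:0
07/02/2020-21:31:10.551003  [**] [1:1000003:1] TELNET connection attempt [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.77:51022 -> 192.168.1.1:23
EOF
    echo "$sample"
}

# Stand-alone run on the constructed sample. On the router, point the
# functions at /opt/var/log/suricata/fast.log instead.
f=$(make_sample_fast_log)
echo "== alerts per signature =="; summarize_fast_log "$f"
echo "== ICMP test rule fired $(count_sid_hits "$f" 1000002) time(s) from:"; sources_for_sid "$f" 1000002
rm -f "$f"
```

If count_sid_hits returns 0 right after pinging, the usual causes are that the ping came from a host outside HOME_NET, that the capture interface is not the one carrying LAN traffic, or that test.rules was not picked up (suricata -T shows the rule-file count).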
 
Thank you for providing the rules and instructions!

Unfortunately my fast.log remains empty. Will check later what's wrong with my setup.
 
@ttgapers I copied your syslog setup, but I don't see any alerts appearing in either fast.log or suricata.log; where do you get those alerts?
 
What's the output of:
Code:
suricata -T
 
Code:
> suricata -T
2/7/2020 -- 16:50:54 - <Info> - Running suricata under test mode
2/7/2020 -- 16:50:54 - <Info> - Configuration node 'defrag' redefined.
2/7/2020 -- 16:50:54 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid syslog facility: "off", now using "local0" as syslog facility

That last line does not look good, does it?

Also surprised about the "defrag" one, which is from the default config.

Should I have done more than setting HOME_NET ("[192.168.0.0/16]"), interface (eth0), IP_DNS (192.168.1.1) in this file?
 

Is that the whole output? It should look similar to this:
Code:
2/7/2020 -- 10:45:31 - <Info> - Running suricata under test mode
2/7/2020 -- 10:45:31 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
2/7/2020 -- 10:45:31 - <Notice> - This is Suricata version 4.1.8 RELEASE
2/7/2020 -- 10:45:31 - <Info> - CPUs/cores online: 4
2/7/2020 -- 10:45:31 - <Info> - fast output device (regular) initialized: fast.log
2/7/2020 -- 10:45:31 - <Info> - stats output device (regular) initialized: stats.log
2/7/2020 -- 10:45:31 - <Info> - 17 rule files processed. 2333 rules successfully loaded, 0 rules failed
2/7/2020 -- 10:45:31 - <Info> - Threshold config parsed: 0 rule(s) found
2/7/2020 -- 10:45:31 - <Info> - 2333 signatures processed. 205 are IP-only rules, 443 are inspecting packet payload, 1764 inspect application layer, 0 are decoder event only
2/7/2020 -- 10:45:33 - <Notice> - Configuration provided was successfully loaded. Exiting.
2/7/2020 -- 10:45:33 - <Info> - cleaning up signature grouping structure... complete

The warning is normal; it just tells you that the output is on the console screen and not a file.
 
Those 3 lines were all for the -T option on the command line.

In the log for a process start I do see more:

Code:
Jul  2 21:26:10 ac86u S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Notice> - This is Suricata version 4.1.8 RELEASE
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - CPUs/cores online: 2
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - Found an MTU of 1500 for 'eth0'
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - Found an MTU of 1500 for 'eth0'
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - fast output device (regular) initialized: fast.log
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - Syslog output initialized
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - 18 rule files processed. 2332 rules successfully loaded, 0 rules failed
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - Threshold config parsed: 0 rule(s) found
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - 2332 signatures processed. 206 are IP-only rules, 443 are inspecting packet payload, 1762 inspect application layer, 0 are decoder event only
Jul  2 21:26:12 ac86u suricata[10412]: 2/7/2020 -- 21:26:12 - <Info> - Going to use 2 thread(s)
Jul  2 21:26:12 ac86u suricata[10412]: 2/7/2020 -- 21:26:12 - <Notice> - all 2 packet processing threads, 2 management threads initialized, engine started.
Jul  2 21:26:13 ac86u suricata[10412]: 2/7/2020 -- 21:26:13 - <Info> - All AFP capture threads are running.

I don't understand the line about stats either, since that's set to "no" (twice) in my config.
 

Looks like all is running. Regarding the log warning, see this post.
It will take a while but eventually you'll see some entries in the fast.log
 
But the test suggested by @rgnldo is a simple ping.
Yes. It corresponds to the alert rules:
Code:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)
 
Working
Code:
suricata -T

2/7/2020 -- 19:00:54 - <Info> - Running suricata under test mode
2/7/2020 -- 19:00:54 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
2/7/2020 -- 19:00:54 - <Notice> - This is Suricata version 4.1.8 RELEASE
2/7/2020 -- 19:00:54 - <Info> - CPUs/cores online: 2
2/7/2020 -- 19:00:54 - <Info> - fast output device (regular) initialized: fast.log
2/7/2020 -- 19:00:54 - <Info> - http-log output device (regular) initialized: http.log
2/7/2020 -- 19:00:54 - <Info> - stats output device (regular) initialized: stats.log
2/7/2020 -- 19:00:54 - <Info> - eve-log output device (regular) initialized: eve.json
2/7/2020 -- 19:00:54 - <Info> - 17 rule files processed. 2330 rules successfully loaded, 0 rules failed
2/7/2020 -- 19:00:54 - <Info> - Threshold config parsed: 0 rule(s) found
2/7/2020 -- 19:00:54 - <Info> - 2330 signatures processed. 204 are IP-only rules, 443 are inspecting packet payload, 1762 inspect application layer, 0 are decoder event only
2/7/2020 -- 19:00:56 - <Notice> - Configuration provided was successfully loaded. Exiting.
2/7/2020 -- 19:00:56 - <Info> - cleaning up signature grouping structure... complete

The suricata -T command is used to check the output for any errors.
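Several posts above compare suricata -T outputs by eye: a three-line run that stopped at a syslog facility warning versus a full run ending in "Configuration provided was successfully loaded". The script below is an added example (not from the thread) that turns that comparison into a pre-flight check: it reads the test-mode output and fails if the run never reached the success notice, loaded zero rules, had rules fail to parse, or printed an <Error> line; warnings are reported but do not fail it. The two sample outputs are constructed from the kinds of lines posted in this thread; the config path in the usage comment is the one the thread uses.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight check around `suricata -T`.
# Reads the test-mode output and fails if the run did not reach the
# "successfully loaded" notice, if no rules were loaded, if any rule failed to
# parse, or if an <Error> line appears. Warnings are reported but do not fail
# the check. On the router, pipe the real command into it:
#   suricata -T -c /opt/etc/suricata/suricata.yaml 2>&1 | check_suricata_test_output

# Reads `suricata -T` output on stdin. Exit 0 = clean, 1 = problems found.
check_suricata_test_output() {
    awk '
        /<Error>/ { err++; print "ERROR:   " $0 }
        /Invalid syslog facility/ {
            warn++
            # "facility: off" is not a facility name; Suricata falls back to local0
            # and keeps logging to syslog. Disable syslog output with "enabled: no",
            # or name a real facility such as local0..local7.
            print "WARNING: invalid syslog facility in suricata.yaml (use enabled: no to turn syslog off, or a facility like local0)"
        }
        /<Warning>/ && !/Invalid syslog facility/ { warn++; print "WARNING: " $0 }
        match($0, /[0-9]+ rules successfully loaded, [0-9]+ rules failed/) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            loaded = w[1]; failed = w[5]
        }
        /Configuration provided was successfully loaded/ { ok = 1 }
        END {
            if (loaded == "")         { err++; print "ERROR:   no rule summary line; -T stopped before loading rules (read the lines above it)" }
            else if (loaded + 0 == 0) { err++; print "ERROR:   0 rules loaded; check rule-files: and default-rule-path: in suricata.yaml" }
            else if (failed + 0 > 0)  { err++; print "ERROR:   " failed " rule(s) failed to parse" }
            if (!ok)                  { err++; print "ERROR:   missing \"Configuration provided was successfully loaded\"" }
            printf "rules loaded: %d, failed: %d, warnings: %d, errors: %d\n", loaded, failed, warn, err
            exit (err > 0 ? 1 : 0)
        }'
}

# Constructed sample 1: a healthy run (rules loaded, success notice present).
# The bare "Warning: Output_interface..." line is the console fallback notice
# the thread calls normal; it is not a Suricata <Warning> and is ignored.
sample_clean_output() {
    cat <<'EOF'
2/7/2020 -- 10:45:31 - <Info> - Running suricata under test mode
2/7/2020 -- 10:45:31 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
2/7/2020 -- 10:45:31 - <Notice> - This is Suricata version 4.1.8 RELEASE
2/7/2020 -- 10:45:31 - <Info> - 17 rule files processed. 2333 rules successfully loaded, 0 rules failed
2/7/2020 -- 10:45:33 - <Notice> - Configuration provided was successfully loaded. Exiting.
EOF
}

# Constructed sample 2: a run that printed only three lines and stopped, with
# the syslog facility warning seen in the thread.
sample_truncated_output() {
    cat <<'EOF'
2/7/2020 -- 16:50:54 - <Info> - Running suricata under test mode
2/7/2020 -- 16:50:54 - <Info> - Configuration node 'defrag' redefined.
2/7/2020 -- 16:50:54 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid syslog facility: "off", now using "local0" as syslog facility
EOF
}

# Stand-alone run on both constructed samples.
echo "== healthy run =="; sample_clean_output | check_suricata_test_output
echo "== truncated run =="; sample_truncated_output | check_suricata_test_output || echo "(check failed, as it should)"
```

The check reads everything on stdin, so redirect stderr into the pipe (2>&1); Suricata writes its log lines there. Wiring the function into the init script before the real start turns a silent misconfiguration into a non-zero exit you can act on.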
 