Suricata Suricata - IDS on AsusWRT Merlin

[XIII]

Finally found time to experiment with Suricata.

Seems my test suggestion was wrong:

This page seems to describe a test:

https://suricata.readthedocs.io/en/latest/quickstart.html#installation

In that rule I see "GPL ATTACK_RESPONSE id check returned root", but we're not root on an ASUS router...

How can I test instead?

 

[jata]

tha

Step 2 - inside your suricata yaml file (/opt/etc/suricata/suricata.yaml)
Step 3 - refer to syslog-ng instructions. copy the respective suricata files from *.share for both logrotate and suricata to their respective /opt/etc/logrotate.d and syslog-ng.d. Make sure the perms are root R/W (0600). Reload Scribe (syslog-ng (which restarts logrotate)).

thanks @ttgapers I will try to get this working today

 

[jata]

tha

thanks @ttgapers I will try to get this working today

 

[rgnldo]

Finally found time to experiment with Suricata.

Seems my test suggestion was wrong:


In that rule I see "GPL ATTACK_RESPONSE id check returned root"
How can I test instead?

I had taken the test as soon as I released this post.

 

[ttgapers]

I had taken the test as soon as I released this post.

@rgnldo check my github...tried to Inbox you.

 

[XIII]

I had taken the test as soon as I released this post.

What’s the trigger in this example?

 

[rgnldo]

@rgnldo check my github...tried to Inbox you.

Nice! Very good.

Well, It is necessary to reorganize the script.
The script must find the WAN interface and the router's IP CIDR insert in the file suricata.yaml

Only requirement: disable AiProtection
Remove the HND and QOS router requirement. Other users have tested it on other non-HND and QOS routers successfully.

There are situations where AiProtection is disabled in the GUI, not in NVRAM, preventing installation.
To resolve to apply this solution:

nvram set TM_EULA=0
nvram commit
service start_reboot

 

[rgnldo]

What’s the trigger in this example?

I organized a rule that detects that simulates a ping attack

 

[XIII]

I organized a rule that detects that simulates a ping attack

Can you please post instructions on how to do that, so that others can perform this test as well?

 

[rgnldo]

Can you please post instructions on how to do that, so that others can perform this test as well?

Get

curl -o /opt/var/lib/suricata/rules/test.rules https://raw.githubusercontent.com/rgnldo/knot-resolver-suricata/master/files/test.rules

Edit and insert on suricata.yaml file, on rules

On network lan, with terminal macOS, Linux or Windows, run ping on IP router.

check /opt/var/log/suricata/fast.log

 

[XIII]

Thank you for providing the rules and instructions!

Unfortunately my fast.log remains empty. Will check later what's wrong with my setup.

 

[XIII]

@ttgapers I copied your syslog setup, but I don't see any alerts appearing in either fast.log or suricata.log; where do you get those alerts?

 

[Mutzli]

@ttgapers I copied your syslog setup, but I don't see any alerts appearing in either fast.log or suricata.log; where do you get those alerts?

What's the output of:

suricata -T

 

[XIII]

> suricata -T
2/7/2020 -- 16:50:54 - <Info> - Running suricata under test mode
2/7/2020 -- 16:50:54 - <Info> - Configuration node 'defrag' redefined.
2/7/2020 -- 16:50:54 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid syslog facility: "off", now using "local0" as syslog facility

That last line does not look good, does it?

Also surprised about the "defrag" one, which is from the default config.

Should I have done more than setting HOME_NET ("[192.168.0.0/16]"), interface (eth0), IP_DNS (192.168.1.1) in this file?

 

[Mutzli]

> suricata -T
2/7/2020 -- 16:50:54 - <Info> - Running suricata under test mode
2/7/2020 -- 16:50:54 - <Info> - Configuration node 'defrag' redefined.
2/7/2020 -- 16:50:54 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid syslog facility: "off", now using "local0" as syslog facility

That last line does not look good, does it?

Also surprised about the "defrag" one, which is from the default config.

Should I have done more than setting HOME_NET ("[192.168.0.0/16]"), interface (eth0), IP_DNS (192.168.1.1) in this file?

Is that the whole output? It should look similar to this:

2/7/2020 -- 10:45:31 - <Info> - Running suricata under test mode
2/7/2020 -- 10:45:31 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
2/7/2020 -- 10:45:31 - <Notice> - This is Suricata version 4.1.8 RELEASE
2/7/2020 -- 10:45:31 - <Info> - CPUs/cores online: 4
2/7/2020 -- 10:45:31 - <Info> - fast output device (regular) initialized: fast.log
2/7/2020 -- 10:45:31 - <Info> - stats output device (regular) initialized: stats.log
2/7/2020 -- 10:45:31 - <Info> - 17 rule files processed. 2333 rules successfully loaded, 0 rules failed
2/7/2020 -- 10:45:31 - <Info> - Threshold config parsed: 0 rule(s) found
2/7/2020 -- 10:45:31 - <Info> - 2333 signatures processed. 205 are IP-only rules, 443 are inspecting packet payload, 1764 inspect application layer, 0 are decoder event only
2/7/2020 -- 10:45:33 - <Notice> - Configuration provided was successfully loaded. Exiting.
2/7/2020 -- 10:45:33 - <Info> - cleaning up signature grouping structure... complete

The warning is normal, just tells you that the output is on the console screen and not a file.

 

[XIII]

Those 3 lines were all for the -T option on the command line.

In the log for a process start I do see more:

Jul  2 21:26:10 ac86u S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Notice> - This is Suricata version 4.1.8 RELEASE
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - CPUs/cores online: 2
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - Found an MTU of 1500 for 'eth0'
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - Found an MTU of 1500 for 'eth0'
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - fast output device (regular) initialized: fast.log
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - Syslog output initialized
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - 18 rule files processed. 2332 rules successfully loaded, 0 rules failed
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - Threshold config parsed: 0 rule(s) found
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - 2332 signatures processed. 206 are IP-only rules, 443 are inspecting packet payload, 1762 inspect application layer, 0 are decoder event only
Jul  2 21:26:12 ac86u suricata[10412]: 2/7/2020 -- 21:26:12 - <Info> - Going to use 2 thread(s)
Jul  2 21:26:12 ac86u suricata[10412]: 2/7/2020 -- 21:26:12 - <Notice> - all 2 packet processing threads, 2 management threads initialized, engine started.
Jul  2 21:26:13 ac86u suricata[10412]: 2/7/2020 -- 21:26:13 - <Info> - All AFP capture threads are running.

I don't understand the line about stats either, since that's set to "no" (twice) in my config.

 

[Mutzli]

Those 3 lines were all for the -T option on the command line.

In the log for a process start I do see more:

Jul  2 21:26:10 ac86u S82suricata: Starting Suricata IDS/IPS /opt/etc/init.d/S82suricata
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Notice> - This is Suricata version 4.1.8 RELEASE
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - CPUs/cores online: 2
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - Found an MTU of 1500 for 'eth0'
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - Found an MTU of 1500 for 'eth0'
Jul  2 21:26:10 ac86u suricata: 2/7/2020 -- 21:26:10 - <Info> - fast output device (regular) initialized: fast.log
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - Syslog output initialized
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - 18 rule files processed. 2332 rules successfully loaded, 0 rules failed
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - Threshold config parsed: 0 rule(s) found
Jul  2 21:26:10 ac86u suricata[10412]: 2/7/2020 -- 21:26:10 - <Info> - 2332 signatures processed. 206 are IP-only rules, 443 are inspecting packet payload, 1762 inspect application layer, 0 are decoder event only
Jul  2 21:26:12 ac86u suricata[10412]: 2/7/2020 -- 21:26:12 - <Info> - Going to use 2 thread(s)
Jul  2 21:26:12 ac86u suricata[10412]: 2/7/2020 -- 21:26:12 - <Notice> - all 2 packet processing threads, 2 management threads initialized, engine started.
Jul  2 21:26:13 ac86u suricata[10412]: 2/7/2020 -- 21:26:13 - <Info> - All AFP capture threads are running.

I don't understand the line about stats either, since that's set to "no" (twice) in my config.

Looks like all is running. Regarding the log warrning see this post.
It will take a while but eventually you'll see some entries in the fast.log

 

[XIII]

Looks like all is running. Regarding the log warrning see this post.
It will take a while but eventually you'll see some entries in the fast.log

But the test suggested by @rgnldo is a simple ping.

SkyNet does not block that?

 

[rgnldo]

But the test suggested by @rgnldo is a simple ping.

Yes. Corresponds to the rule alert

alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

 

[rgnldo]

Working

suricata -T

2/7/2020 -- 19:00:54 - <Info> - Running suricata under test mode
2/7/2020 -- 19:00:54 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
2/7/2020 -- 19:00:54 - <Notice> - This is Suricata version 4.1.8 RELEASE
2/7/2020 -- 19:00:54 - <Info> - CPUs/cores online: 2
2/7/2020 -- 19:00:54 - <Info> - fast output device (regular) initialized: fast.log
2/7/2020 -- 19:00:54 - <Info> - http-log output device (regular) initialized: http.log
2/7/2020 -- 19:00:54 - <Info> - stats output device (regular) initialized: stats.log
2/7/2020 -- 19:00:54 - <Info> - eve-log output device (regular) initialized: eve.json
2/7/2020 -- 19:00:54 - <Info> - 17 rule files processed. 2330 rules successfully loaded, 0 rules failed
2/7/2020 -- 19:00:54 - <Info> - Threshold config parsed: 0 rule(s) found
2/7/2020 -- 19:00:54 - <Info> - 2330 signatures processed. 204 are IP-only rules, 443 are inspecting packet payload, 1762 inspect application layer, 0 are decoder event only
2/7/2020 -- 19:00:56 - <Notice> - Configuration provided was successfully loaded. Exiting.
2/7/2020 -- 19:00:56 - <Info> - cleaning up signature grouping structure... complete

The suricata -T command is used to check the output if there are any errors.