Any progress? This would be a big plus.
Suricata Suricata - IDS on AsusWRT Merlin
- Thread starter rgnldo
- Start date
-
- Tags
- asuswrt merlin entware ids suricata
Any progress? This would be a big plus.
heysoundude
Part of the Furniture
Quick (probably ridiculous) question - do I need to reboot my router to make suricata run after install?
I'm brain dead. It's Friday...
I'm brain dead. It's Friday...
Mutzli
Very Senior Member
Not really, but I would reboot it anyway to make sure it's all running again once your router restarts.
If you want to stop and start Suricata you can use the following commands:
Code:
/opt/etc/init.d/S82suricata stop
/opt/etc/init.d/S82suricata start
XIII
Very Senior Member
I started from scratch (without the scribe changes):
This looks fine:
However, after adding these test.rules and ping-ing 192.168.1.1 I still get no alert...
This looks fine:
Code:
> suricata -c /opt/etc/suricata/suricata.yaml -T
3/7/2020 -- 21:43:47 - <Info> - Running suricata under test mode
3/7/2020 -- 21:43:47 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user. Falling back on default_output_interface "Console"
3/7/2020 -- 21:43:47 - <Notice> - This is Suricata version 4.1.8 RELEASE
3/7/2020 -- 21:43:47 - <Info> - CPUs/cores online: 2
3/7/2020 -- 21:43:47 - <Info> - fast output device (regular) initialized: fast.log
3/7/2020 -- 21:43:47 - <Info> - stats output device (regular) initialized: stats.log
3/7/2020 -- 21:43:47 - <Info> - 18 rule files processed. 2335 rules successfully loaded, 0 rules failed
3/7/2020 -- 21:43:47 - <Info> - Threshold config parsed: 0 rule(s) found
3/7/2020 -- 21:43:47 - <Info> - 2335 signatures processed. 207 are IP-only rules, 443 are inspecting packet payload, 1764 inspect application layer, 0 are decoder event only
3/7/2020 -- 21:43:49 - <Notice> - Configuration provided was successfully loaded. Exiting.
3/7/2020 -- 21:43:49 - <Info> - cleaning up signature grouping structure... completeHowever, after adding these test.rules and ping-ing 192.168.1.1 I still get no alert...
Code:
alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)heysoundude
Part of the Furniture
Alrighty, thanks!
I've only had it running on my ac86 for a little while, so I've yet to see if there are any problems/issues I need to sort out between cake-qos and suricata and Diversion, but right now things seem smooth. I had to wrestle with SkyNet, but this install was effortless, simply by following the steps in post #1 here...except for this: it's services-start rather than services.start on my system, and /opt paths didn't seem to be recognized, so I had to cd /opt to find the correct path to use.
The real test will be this evening as streaming activities begin in earnest.
I have Skynet, diversion, Suricata and cake all working together on my system and it seems to be working well.
I had similar issues as you with the installation instructions but it seemed to work using services.start. Is this an issue? do I need to change my install to use services-start?
heysoundude
Part of the Furniture
You’re sure suricata is working? Until you’re 100% about that...
And don’t go by me/my experience: it could very well be me that’s wrong.
Sent from my iPhone using Tapatalk
Yep I'm quite sure it is all working. fast.log showing a few 'hits' but literally one every 2 days or so. I have scribe logging setup and see Suricata updating and restarting every day at 3am based on the cron job.
regarding oinkmaster i found this online:
suricata-update is the official and recommended way to update and manage rules and rulesets. See Rule Management with Suricata-Update
https://suricata.readthedocs.io/en/suricata-4.1.4/rule-management/oinkmaster.html
suricata-update is the official and recommended way to update and manage rules and rulesets. See Rule Management with Suricata-Update
https://suricata.readthedocs.io/en/suricata-4.1.4/rule-management/oinkmaster.html
Before i dip my toes in again with suricata, what kind of throughput are you guys getting? These routers are pretty limited in both cpu and memory. In my experience i had to run suricata on on i5/i7 with at least 16gb of ram to perform well. I even built a vm to route all my traffic through before i decided to just accept skynet and aiprotection.
Take a look at IP Reputation. You could also create a custom.rules file and indicates the IP range to pass using your own rule. Take a look at creating rule if you want to go this route.
https://suricata.readthedocs.io/en/suricata-5.0.2/reputation/index.html
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic
with HW acceleration enabled (default when not using qos), my top speed went from 550Mbps to 500Mbps, when i enabled suricata. this is on a ax88.
heysoundude
Part of the Furniture
For a moment I thought I found out why I don't get alerts (on eth0) when trying to ping my router...
View attachment 24536
But unfortunately still no change after changing this setting to "Yes"
(oh, this is part 2 of 2. another post before)
do you have DDNS active?
XIII
Very Senior Member
Yes, but I was directly ping-ing the IP.
anyone? other than the occasional NTP DDoS?
Lurkmaster
Occasional Visitor
Nothing at all after 5 days.
Similar threads
- Locked
Similar threads
Similar threads
-
amtm amtm 5.0 - the Asuswrt-Merlin Terminal Menu, November 17, 2024- Started by thelonelycoder
- Replies: 61
-
Entware Possible to install jdownloader on asuswrt-merlin router with entware??
- Started by JeyJ
- Replies: 9
-
Skynet SOLVED: Scrollbar Disappears on Skynet Tab on Asuswrt-Merlin 386.14
- Started by WRobertE
- Replies: 10
-
scMerlin scMerlin 2.5.8 - Service and script control menu for Asuswrt-Merlin, October 20, 2024
- Started by thelonelycoder
- Replies: 85
-
uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers- Started by JGrana
- Replies: 29
-
Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian
- Started by JGrana
- Replies: 1