Suricata Suricata - IDS on AsusWRT Merlin

[Wisiwyg]

Excellent contribution.

I am trying to port the Oinkmaster, rule Management for Suricata. I'm counting on you.

Any progress? This would be a big plus.

 

[heysoundude]

Quick (probably ridiculous) question - do I need to reboot my router to make suricata run after install?
I'm brain dead. It's Friday...

 

[Mutzli]

Quick (probably ridiculous) question - do I need to reboot my router to make suricata run after install?
I'm brain dead. It's Friday...

Not really, but I would reboot it anyway to make sure it's all running again once your router restarts.
If you want to stop and start Suricata you can use the following commands:

/opt/etc/init.d/S82suricata stop

/opt/etc/init.d/S82suricata start

 

[XIII]

I started from scratch (without the scribe changes):

This looks fine:

> suricata -c /opt/etc/suricata/suricata.yaml -T
3/7/2020 -- 21:43:47 - <Info> - Running suricata under test mode
3/7/2020 -- 21:43:47 - <Info> - Configuration node 'defrag' redefined.
Warning: Output_interface not supplied by user.  Falling back on default_output_interface "Console"
3/7/2020 -- 21:43:47 - <Notice> - This is Suricata version 4.1.8 RELEASE
3/7/2020 -- 21:43:47 - <Info> - CPUs/cores online: 2
3/7/2020 -- 21:43:47 - <Info> - fast output device (regular) initialized: fast.log
3/7/2020 -- 21:43:47 - <Info> - stats output device (regular) initialized: stats.log
3/7/2020 -- 21:43:47 - <Info> - 18 rule files processed. 2335 rules successfully loaded, 0 rules failed
3/7/2020 -- 21:43:47 - <Info> - Threshold config parsed: 0 rule(s) found
3/7/2020 -- 21:43:47 - <Info> - 2335 signatures processed. 207 are IP-only rules, 443 are inspecting packet payload, 1764 inspect application layer, 0 are decoder event only
3/7/2020 -- 21:43:49 - <Notice> - Configuration provided was successfully loaded. Exiting.
3/7/2020 -- 21:43:49 - <Info> - cleaning up signature grouping structure... complete

However, after adding these test.rules and ping-ing 192.168.1.1 I still get no alert...

alert icmp any any -> $HOME_NET any (msg:"ICMP connection attempt"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"TELNET connection attempt"; sid:1000003; rev:1;)

 

[heysoundude]

Not really, but I would reboot it anyway to make sure it's all running again once your router restarts.
If you want to stop and start Suricata you can use the following commands:

/opt/etc/init.d/S82suricata stop

/opt/etc/init.d/S82suricata start

Alrighty, thanks!
I've only had it running on my ac86 for a little while, so I've yet to see if there are any problems/issues I need to sort out between cake-qos and suricata and Diversion, but right now things seem smooth. I had to wrestle with SkyNet, but this install was effortless, simply by following the steps in post #1 here...except for this: it's services-start rather than services.start on my system, and /opt paths didn't seem to be recognized, so I had to cd /opt to find the correct path to use.
The real test will be this evening as streaming activities begin in earnest.

 

[jata]

Alrighty, thanks!
I've only had it running on my ac86 for a little while, so I've yet to see if there are any problems/issues I need to sort out between cake-qos and suricata and Diversion, but right now things seem smooth. I had to wrestle with SkyNet, but this install was effortless, simply by following the steps in post #1 here...except for this: it's services-start rather than services.start on my system, and /opt paths didn't seem to be recognized, so I had to cd /opt to find the correct path to use.
The real test will be this evening as streaming activities begin in earnest.

I have Skynet, diversion, Suricata and cake all working together on my system and it seems to be working well.

I had similar issues as you with the installation instructions but it seemed to work using services.start. Is this an issue? do I need to change my install to use services-start?

 

[heysoundude]

I had similar issues as you with the installation instructions but it seemed to work using services.start. Is this an issue? do I need to change my install to use services-start?

You’re sure suricata is working? Until you’re 100% about that...
And don’t go by me/my experience: it could very well be me that’s wrong.


Sent from my iPhone using Tapatalk

 

[jata]

You’re sure suricata is working? Until you’re 100% about that...
And don’t go by me/my experience: it could very well be me that’s wrong.


Sent from my iPhone using Tapatalk

Yep I'm quite sure it is all working. fast.log showing a few 'hits' but literally one every 2 days or so. I have scribe logging setup and see Suricata updating and restarting every day at 3am based on the cron job.

 

[rgnldo]

Any progress? This would be a big plus.

I'm dedicating myself to another project. Own system. Passing the ball to @ttgapers @ugandy

 

[ugandy]

regarding oinkmaster i found this online:

suricata-update is the official and recommended way to update and manage rules and rulesets. See Rule Management with Suricata-Update
https://suricata.readthedocs.io/en/suricata-4.1.4/rule-management/oinkmaster.html

 

[ugandy]

@ttgapers , @Martineau

is the available suricata_manager script, on github?

 

[agilani]

Before i dip my toes in again with suricata, what kind of throughput are you guys getting? These routers are pretty limited in both cpu and memory. In my experience i had to run suricata on on i5/i7 with at least 16gb of ram to perform well. I even built a vm to route all my traffic through before i decided to just accept skynet and aiprotection.

 

[quattr0]

What is the best way to whitelist sites?

Take a look at IP Reputation. You could also create a custom.rules file and indicates the IP range to pass using your own rule. Take a look at creating rule if you want to go this route.

https://suricata.readthedocs.io/en/suricata-5.0.2/reputation/index.html

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

 

[ugandy]

Before i dip my toes in again with suricata, what kind of throughput are you guys getting? These routers are pretty limited in both cpu and memory. In my experience i had to run suricata on on i5/i7 with at least 16gb of ram to perform well. I even built a vm to route all my traffic through before i decided to just accept skynet and aiprotection.

with HW acceleration enabled (default when not using qos), my top speed went from 550Mbps to 500Mbps, when i enabled suricata. this is on a ax88.

 

[XIII]

If I change the af-packet interface to br0 in suricata.yaml (use that instead of eth0, which is the only one that shows my external IP address when I run ifconfig) I do get alerts when pinging my router from within my LAN...

Why's that? What can be wrong here?

 

[XIII]

For a moment I thought I found out why I don't get alerts (on eth0) when trying to ping my router...

But unfortunately still no change after changing this setting to "Yes"

 

[heysoundude]

For a moment I thought I found out why I don't get alerts (on eth0) when trying to ping my router...

View attachment 24536

But unfortunately still no change after changing this setting to "Yes"

(oh, this is part 2 of 2. another post before)

do you have DDNS active?

 

[XIII]

(oh, this is part 2 of 2. another post before)

do you have DDNS active?

Yes, but I was directly ping-ing the IP.

 

[ugandy]

for the folks running suricata, what entries have you found on fast.log, after running it for a while?
thanks

anyone? other than the occasional NTP DDoS?

 

[Lurkmaster]

anyone? other than the occasional NTP DDoS?

Nothing at all after 5 days.